Channel: Directory Services forum
Viewing all 31638 articles

Adprep encountered a Win32 error. Error code: 0x6ba Error message: The RPC server is unavailable on Promoting 2012 R2


I have a customer environment where DFL & FFL are set to 2003 and the primary site has a Windows 2003 DC. The customer has introduced a new site called XYZ, and it has a VPN connection with the primary site. At this new site they want to build a 2012 R2 additional domain controller. When I try to promote the server as a DC, it fails with the error:

Adprep failed while performing Exchange schema check.

[Status/Consequence]

The Active Directory Domain Services schema is not upgraded.

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20160112082324-test directory for possible cause of failure.
Adprep encountered a Win32 error. Error code: 0x6ba Error message: The RPC server is unavailable.


I have already checked http://support.microsoft.com/kb/2737560

We are deploying Windows 8 (Professional) or Server 2008 clients in a Windows 2008 R2 domain, but the NetBIOS name will not accept more than 15 characters, as we are aware. Is there any way, clue or tip to let it accept more than 15 characters (up to 20 or 22 Charac


We are deploying Windows 8 (Professional) or Server 2008 clients in a Windows 2008 R2 domain, but the NetBIOS name will not accept more than 15 characters, as we are aware. Is there any way, clue or tip to let it accept more than 15 characters (up to 20 or 22 characters)? Waiting for reply.

Cannot download ADMT v.3.2


I try to download ADMT v.3.2 from:

https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53422

I joined the group, but get the same error for all download links:

Page Not Found 

The content that you requested cannot be found or you do not have permission to view it. 

If you believe you have reached this page in error, click the Help link at the top of the page to report the issue and include this ID in your e-mail: 17c3a981-38d4-458d-98ba-46e2d3e6b3c6 

Any ideas?

DC time not in sync


Windows Server 2008 R2 sp1

I followed the steps in this link to have my PDC sync with a time server referring to question number 6

http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx

When I do a query, it tells me I'm using one of the asia.pool.ntp.org as my time source. The corresponding registry key also reflects the changes or time sources.

But my PDC or domain time is still two minutes ahead. I have rebooted the PDC, restarted the time service, and waited overnight to sync, yet it's two minutes ahead.

The PDC is a Hyper-V VM.

Weird behaviour change ever since removing last W2K3 DC


Ever since removing our last W2K3 DC's from AD we've noticed a clear change in password expiration behaviour for our AD users. Removing W2K3 went without a hitch, no hiccups at all. I can't find any information on this unexpected behaviour change and am hoping there's an explanation and maybe even a solution somewhere out there.

Before removing W2K3 DC's: AD would force users to change their password at logon if the password was due to expire that same day.

After removing W2K3 DC's: AD no longer forces users to change their password if it's due to expire that same day, meaning that users just ignore the option to change their password and then logon using their soon-to-expire password which then expires after they've logged on - causing (amongst other things) Outlook 2010 to prompt for credentials and go into offline mode.

Windows 7 does briefly display a taskbar notification allowing the user to change their password without logging off - but users don't ever notice the notification so it's of no use.

What we now miss is AD forcing the user to change their password IF it's due to expire that same day.

Appreciate this is only a minor change but it's enough for users to get themselves confused, and Outlook running in offline mode then obviously delays email delivery which creates more problems.

All client machines are Windows 7 SP1. Our AD is now a mix of 2008 R2 and 2012 R2 DC's. All FSMO Roles reside on a 2008 R2 DC. We run Exchange 2010 SP3 r10 and Outlook 2010 SP2. We've raised both the DFL and FFL from 2003 to 2008 and then also to 2008 R2 but this has made no difference at all.

Can anyone clarify the definite change in behaviour that we've seen? thanks

get value of 'msExchHideFromAddressLists'

Hi

What I'm looking to do is get the value of 'msExchHideFromAddressLists' after I set it.  I have many contacts in AD that I can use 'set-adobject' to set this value to TRUE so that they wont display in the GAL in Outlook 365.  However getting the values of these 'msExch' attributes in my on-premise AD has been a challenge.  Looking for ideas please....

~Chad Buser

User cannot logon with "Must change password at next logon" checked in AD Account screen


Hi Folks,

I'm a newbie to AD, having to figure out how it works, and need some help. We have a domain controller set up on a Windows 2012 server for our Project Server 2013 environment. This was set up previously and I now need to support it, but don't know much about AD. I added a new user in Active Directory Users and Groups and set all basic information needed, and checked "Must change password at next logon" on the "Account" tab, apply, and hit ok.

When the new user tries to logon, the Windows Security dialog appears, domain\username is entered, and password is entered. When the user hits enter, the security box just keeps coming back, no logon occurs. I triple checked and the user is entering the correct domain\username and password.

Going back to AD, I uncheck "Must change password at next logon," apply, and the user can logon no problem with the password provided. I went back and checked it again and the user cannot log on.

I would like to use this must change password feature as otherwise I'm going to have to assign and maintain passwords for everyone (time consuming and not very secure). I'm thinking some setting is not correct, but have no idea where to look. Is there some setting or property somewhere that needs to be set to make the change password at next logon functionality work? If so, can someone be kind enough to point me to where I make the setting?

Any help would be much appreciated as this is a totally new world for me.

Thanks,


Rick Frisby

Active Directory Domain Naming, It's Own Public Domain vs Subdomain...


We are getting ready to rename our domain from a single label "ourcompany" (ourcompany is a stand in for our domain name in this post) and we've been debating on what to name the new domain.  We know that "ourcompany.local" isn't recommended, but our debate is between "corp.ourcompany.com" and "our-company.com", neither of which would contain public DNS entries.  Although "ourcompany.com" does host our public website along with other web subdomains.

Our domain consists of 3 domain controllers (2x 2003 R2 & 1x 2012) having a trust relationship to a second domain "ourcompany.net" (which has public web subdomains).  The clients are all Windows 7/8/10, with Windows 2003/2008/2012 servers and a few non-domain Linux servers (which do access some local resources via FQDNs) and there are a few Macs that visit from time to time.  We also have a VPN appliance that allows employees to access the network remotely from various operating systems (mainly Windows, but a few Macs).

What are the Pros and Cons of "corp.ourcompany.com" vs "our-company.com" and are there any issues that could crop up now or in the future?

I should probably also mention that dns for ourcompany.net and ourcompany.com are hosted on Amazon Route 53

Setup Roles for IT Staff in Active Directory


Hello all,

We have an IT Department that has been growing over the last year.  Now that we are adding more people I'd like to learn how to set up each admin with different rights in Active Directory.  That way some users can maybe reset passwords but not create users or OU's.  Is there any good tutorial on the different AD roles or how to set up various roles for IT users in AD?  Just trying to make sure an intern would be able to accidentally delete a user or other object as standard domain admins.  Thanks for the help.

Force password change on all non administrators


I am an administrator on the Domain.  I need to issue a force password change on all non administrators (we changed our passwords already).  I know with Group Policy I can force a change on passwords by adding the policy at the Domain level, but I do not want to do that.

Question: Is it better to issue the force password change per user in Active Directory or is there  a better way?  


Van R. Johnson

DNS Timestamp

DNS: consult my case with timestamp. I have set in my zone the following No-refresh interval and Refresh interval: 3 days and 3 days, but my records are being deleted every month.
Are there some settings that I need to check?

Thank you for your help

policy not let set password to user remotely dsadd


Hi!

I have a DC in a DMZ.

In the past someone hardened the DC.

I'm trying to create a user from my computer, which is not joined to this DC's domain, with this command:

dsadd user CN=john,OU=test,,DC=testdom,DC=com -samid john -pwd Dk!12%45*6 -fn john -s dc.testdom.com -u testdom\admin -p Password!

and I get:

dsadd failed:CN= john,OU=test,,DC=testdom,DC=com:The RPC server is unavailable.:Set password failed

But the user is created in the AD.

No drops in the firewall.

If I try this command against a DC that was not hardened, in another domain, it succeeds.

Do you know what parameter to change in the GPO that will let me set the password remotely with the dsadd command?

Thanks,

Aviv Hassidim


NetBIOS name Change


I need to change the NetBIOS name of Active Directory 2012. The environment is two Active Directory, one KMS server and a file server.

Can anyone please share a step-by-step document for changing the NetBIOS name?

Best Microsoft practice NTDS Settings replication among domain controllers


We currently have a Windows 2008 R2 domain with two sites: Default-First-Site-Name and the Willow-Hill.

We have four domain controllers at the Default-First-Site-Name: Filesrvr05 (Windows 2008 R2); DM-HQ01 (Windows 2008 R2), W3DV-DC01 (Windows 2012 R2); W3DV-DC02 (Windows 2012 R2). Willow-Hills: WHSP-DC01 (Windows 2008 R2).

We would like to get rid of and demote the DM-HQ01. How does it affect the NTDS settings with the replication among the remaining domain controllers?

Will all the replication connections be adjusted automatically?

The current NTDS setting connections for a given domain controller are shown as automatically generated.

Here are the current replication settings:

DM-HQ01: Replicate From: Filesrvr05; W3DV-DC02, Replicate From: Filesrvr05; W3DV-DC02; WHSP-DC01

Filesrvr05: Replicate From: DM-HQ01; W3DV-DC01, Replicate From: DM-HQ01; W3DV-DC01

W3DV-DC01: Replicate From: Filesrvr05; W3DV-DC02, Replicate From: Filesrvr05, W3DV-DC02

W3DV-DC02: Replicate From: DM-HQ01; W3DV-DC01; WHSP-DC01, Replicate From: DM-HQ01; W3DV-DC01

WHSP-DC01: Replicate DM-HQ01; Replicate from: W3DV-DC02

Thanks for your help!

Ray Choy

Group Policy Infrastructure failed due to the error listed below. Logon Failure: The target account name is incorrect.


Anytime I run gpupdate /force I get the following message

C:\Users\mpaxton>gpupdate /force
Updating Policy...

User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\mydomain.coml\SysVol\mydomain.com\Policies\{26836E1A-B288-4C5D-917F-784B632028A8}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Computer policy could not be updated successfully. The following errors were encountered:

DNS resolution is working as it should.

I read in another article on here that what resolved the issue was removing the links and then recreating them. What links would need to be removed and replaced? 


Windows Store - Allow Some Apps Block Rest


Hi,

I would like to control what our users access on the Windows Store.

1. We do NOT want to block Windows Store

2. Allow some Apps to be downloaded and used BUT block the rest. (WhiteList)

How can this be achieved? GPO?

Any help and I am grateful.

Thx


Hifz Shaikh

Apps not start for normal users


Need your help. I have an exe shortcut application on domain computers; this exe is placed on a shared Samba folder. Now I can't run this application for domain users; it only runs when I right click and choose run as administrator.

My client PCs are Windows 7, and the DC is running Windows 2012 R2.

AD Migration from SBS2003 to 2012R2


Hi

I successfully migrated from a SBS2003 to Server 2012 R2. Everything seems to come to work.
I now found that I still have the AD structure that has been set up by the SBS2003 in the MyBusiness OU. New computers (like the new Exchange server) have been added in - Computers, while all the old is below the OU MyBusiness. User accounts are spread all over as well.

- Computers
- ...
- MyBusiness
-- Computers
--- SBSComputers
--- SBSMobiles
--- SBSServers
--- ...
-- ...
-- Users
---SBSUsers
- Users

What is best practice here? Do I eliminate the MyBusiness? Do I create a new OU? Where? Can I simply move Computer around?

The same question applies to the GPO's. There are a lot of "SBS" GPO's. Can I simply delete these?

Thanks a lot for some guidance.
Franz

Group Policy security filtering rights


Hi all,

I would like to change the security filtering for a group policy object.

In this way I limit the GPO to a specific user/computer instead of 'authenticated users'.

Enterprise admins and domain admins can change this value.

I would like to know which rights I have to give a specific group of admins to do this.

There are more than 50 to choose from and none of them ring a bell.

thanks in advance!

kind greetings,

Kris

_msdcs delegation name servers list is limited.


Hi,

In the _msdcs  delegated zone, I can see that only 3 of 10 DC's  are listed as NS servers for the delegation.

Is it something I should worry about? Or the zone will be served by all the Domain Controllers / DNS servers even if they are not listed as delegated?

The zone is AD Integrated, so it should be replicated everywhere.

Thanks!
