Andrew
Add users to additional default groups
transition from server 2008R2 to 2012R2
Hi,
I have 230 2008R2 domain controllers; it's a single-domain network. We have 120 AD sites located globally.
May I know the steps for transitioning from 2008R2 to 2012R2 domain controllers?
DFS is configured on the 2008R2 servers.
repadmin /replsum
Can someone explain the repadmin /replsum command to me? I am unable to understand the "largest delta", "fails", "total" and "errors" values.
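Since the question is about what those columns mean, here is an added PowerShell example (not from the post) that parses repadmin /replsum output into objects, explains each column in comments, and flags DSAs with failing links or a stale largest delta. The text it parses is a constructed sample with placeholder DC names, and the 24-hour threshold is an assumption.

```powershell
# Added example, not from the post. $sample is a constructed repadmin /replsum
# capture with placeholder DC names; it mimics the layout of the real command.
$sample = @'
Replication Summary Start Time: 2016-04-07 08:45:03

Beginning data collection for replication summary, this may take awhile:
  ....

Source DSA          largest delta    fails/total %%   error
 DC01                     14m:02s    0 /   5    0
 DC02                  >60 days      3 /   5   60  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.

Destination DSA     largest delta    fails/total %%   error
 DC01                     14m:02s    0 /   5    0
 DC03                 2d.03h:15m:22s 5 /   5  100  (1722) The RPC server is unavailable.
'@

function ConvertTo-ReplDelta {
    # "largest delta" = the longest time since this DSA last replicated
    # successfully with any partner. Formats: "14m:02s", "2d.03h:15m:22s",
    # and ">60 days" once the delta is beyond what repadmin prints exactly.
    param([string]$Text)
    if ($Text -eq '>60 days') { return [TimeSpan]::FromDays(60) }
    $d = $h = $m = $s = 0
    if ($Text -match '(\d+)d\.') { $d = [int]$Matches[1] }
    if ($Text -match '(\d+)h')   { $h = [int]$Matches[1] }
    if ($Text -match '(\d+)m')   { $m = [int]$Matches[1] }
    if ($Text -match '(\d+)s')   { $s = [int]$Matches[1] }
    New-TimeSpan -Days $d -Hours $h -Minutes $m -Seconds $s
}

function ConvertFrom-ReplSum {
    param([string]$Text)
    $section = $null   # "Source" (outbound view) or "Destination" (inbound view)
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^(Source|Destination) DSA') { $section = $Matches[1]; continue }
        # fails/total = failing replication links over all links for that DSA,
        # %% = the same ratio as a percentage, error = the most recent error.
        if ($section -and $line -match '^\s*(?<dsa>\S+)\s+(?<delta>(?:>60 days)|[0-9dhms.:]+)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s*(?<err>.*)$') {
            $row = $Matches
            [pscustomobject]@{
                Role         = $section
                DSA          = $row.dsa
                LargestDelta = ConvertTo-ReplDelta $row.delta
                Fails        = [int]$row.fails
                Total        = [int]$row.total
                Percent      = [int]$row.pct
                Error        = $row.err.Trim()
            }
        }
    }
}

# Anything with a failing link, or a delta older than the threshold you choose
# for your forest (24 hours here is a placeholder), deserves a closer look.
ConvertFrom-ReplSum $sample |
    Where-Object { $_.Fails -gt 0 -or $_.LargestDelta -gt [TimeSpan]::FromHours(24) } |
    Format-Table Role, DSA, LargestDelta, Fails, Total, Percent, Error -AutoSize
```

On a live DC, replace `$sample` with `(repadmin /replsum | Out-String)` to run the same filter over real output.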
Bitlocker - AD Schema Extension 2012
I have attempted to apply the schema extensions referenced in (https://technet.microsoft.com/en-us/library/jj635854.aspx) to support TPM backup of 2012R2/8.1 clients to Active Directory in our 2-domain AD forest made up of 2008 and 2008 R2 DCs (i.e. domain1.domain.com and domain2.domain.com). The result is that in domain1 the changes have taken effect and TPM backups are working, but in domain2 it does not appear to be the case, since the 'TPM Devices' container is not created and I'm unable to activate the TPM on clients in domain2.
I used the sample command provided (ldifde -i -v -f TpmSchemaExtensionACLChanges.ldf -c "DC=X" "DC=domain1,dc=domain,dc=com" -k -j .) on the schema master without a problem. When I try the command (ldifde -i -v -f TpmSchemaExtensionACLChanges.ldf -c "DC=X" "DC=domain2,dc=domain,dc=com" -k -j .) I get the error below:
Connecting to "DC1.domain1.domain.com"
Logging in as current user using SSPI
Importing directory from file "TPMSchemaExtension.ldf"
Loading entries
1: CN=ms-TPM-Srk-Pub-Thumbprint,CN=Schema,CN=Configuration,DC=domain2,dc=domain,dc=com
Add error on entry starting on line 31: Referral
The server side error is: 0x202b A referral was returned from the server.
The extended server error is:
0000202B: RefErr: DSID-031006BB, data 0, 1 access points
ref 1: 'domain2.domain.com'
0 entries modified successfully.
An error has occurred in the program.
_____________________________________
I'm running the above command on the Schema Master which is in Domain1.
Any help would be appreciated.
service accounts in windows server 2008 r2
Hello,
I have an asp.net application installed on IIS 7.5
IIS is installed on Windows Server 2008 R2, and the application is supposed to connect to a SQL Server 2008 located on another Windows Server 2008 R2.
I've created an application pool and now I want to give it db owner permissions in SQL server.
When I try to add a new login in SQL Server and write the Login Name in the following format: IIS APPPOOL\[new apppool], I receive the following error message:
"Create failed for login 'IIS...' error 15401".
The two servers are under the same network.
I was told I need to create a new service account in order to be able to provide the permissions.
I'm pretty new to all of this. Can someone please let me know how to start?
Where do I need to add the service account? on the IIS server or the SQL Server?
Thanks
Get-ADOrganizationalUnit -Filter {distinguishedname -like "*something*"}
Hi, filtering Get-ADOrganizationalUnit by distinguishedname should be straightforward, but for some reason:
Get-ADOrganizationalUnit -Filter {distinguishedname -like "*something*"}
does not work. I could use:
Get-ADOrganizationalUnit -Filter * | Where-Object -FilterScript {$PSItem.distinguishedname -like "*something*"}
but filtering should be done as soon as possible. I assume distinguishedname attribute and -like operator are supported in -Filter for Get-ADOrganizationalUnit cmdlet.
how to balance connections via LDAP / LDAPS through Domain Controllers
Hi All.
I have 3 DCs in one site, and in this site I have 5 applications on Linux; these applications authenticate via LDAP / LDAPS. The applications do not allow defining more than one LDAP server.
In order to have load balancing and fault tolerance of the LDAPS connections, we will use an HLB (Hardware Load Balancer) to work with more than one DC.
To implement this solution, do I need to do something on the DCs?
My configuration will be:
dc1.mydomain.com --> Ip1
dc2.mydomain.com --> Ip2
dc3.mydomain.com --> Ip3
dcall.mydomain.com --> Ip4 (Virtual IP) managed by the HLB to distribute the LDAP connections between the DCs.
Thanks, and I'm waiting for any considerations.
Two hubs and spoke topology question
I have a 2008R2 domain with a hub and spoke topology. The hub has 2 DCs, and the spokes have a single DC. All DCs can communicate with each other, if needed, and we do have Bridge All Site Links enabled. The one hub (2 DCs) is in a centralized metropolitan location. We now have another site in that same centralized metropolitan city that is a D/R site with a fast circuit, with 2 DCs that could also be a hub.
I was originally bringing this site into my topology as a spoke, but with a much lower cost on that site link. Now I am thinking I might want to actually make it a hub with a site link out to each spoke? So my question is, if I have 2 hub sites named A and B with site connections out to all the spoke sites named C, D, and E, should I have a site link from A (hub1) to C (spoke1) and another site link from B (hub2) to C (spoke1) with the same cost? Or should I create one site link from A (hub1) to B (hub2) to C (spoke1), another from A to B to D (spoke2), another from A to B to E, etc.?
Not sure if this is confusing enough or not, or even if it really matters, but just trying to make sure I have things set up as good as I can.
Thanks,
Dave
Computers are contacting a DC in a different site for domain join operations
Hello,
Occasionally we have PCs and servers that, while performing a domain join operation, will contact a DC in a remote site instead of the local site. We have all subnets defined and properly set to the correct sites. In the example below, the 192.168.1.0/24 subnet is attached to the HQ site. However, during the domain join operation, it contacts a DC in a remote site. Looking at the log, I think I know why this happened. Rather than using what we have in Sites and Services, the operation simply queries the domain.com A records and picks one of those to use for this process.
This is causing a problem because it can take up to 15 minutes for replication from this remote site to happen, so if a PC is being reimaged, a user at the HQ site cannot log on to the PC for some period of time until that remote DC replicates with our HQ DCs.
How can we prevent this from happening? All workstations and servers deployed at the HQ site need to utilize DCs at the HQ site.
Edited to add: We are joining to the domain using the "To rename this computer or change its domain or workgroup, click Change." in System Properties
04/07/2016 08:45:03:072 NetpDoDomainJoin
04/07/2016 08:45:03:072 NetpDoDomainJoin: using new computer names
04/07/2016 08:45:03:072 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
04/07/2016 08:45:03:072 NetpDoDomainJoin: NetpGetNewHostName returned 0x0
04/07/2016 08:45:03:072 NetpMachineValidToJoin: 'SERVERNAME'
04/07/2016 08:45:03:072 OS Version: 6.3
04/07/2016 08:45:03:072 Build number: 9600 (9600.winblue_ltsb.160119-0600)
04/07/2016 08:45:03:072 SKU: Windows Server 2012 R2 Standard
04/07/2016 08:45:03:072 Architecture: 64-bit (AMD64)
04/07/2016 08:45:03:072 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
04/07/2016 08:45:03:072 NetpGetLsaPrimaryDomain: status: 0x0
04/07/2016 08:45:03:072 NetpMachineValidToJoin: status: 0x0
04/07/2016 08:45:03:072 NetpJoinDomain
04/07/2016 08:45:03:072 HostName: SERVERNAME
04/07/2016 08:45:03:072 NetbiosName: SERVERNAME
04/07/2016 08:45:03:072 Domain: domain.com
04/07/2016 08:45:03:072 MachineAccountOU: (NULL)
04/07/2016 08:45:03:072 Account: domain.com\xxxxxx
04/07/2016 08:45:03:072 Options: 0x425
04/07/2016 08:45:03:072 NetpLoadParameters: loading registry parameters...
04/07/2016 08:45:03:072 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
04/07/2016 08:45:03:072 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
04/07/2016 08:45:03:072 NetpLoadParameters: status: 0x2
04/07/2016 08:45:03:072 NetpValidateName: checking to see if 'domain.com' is valid as type 3 name
04/07/2016 08:45:05:244 NetpCheckDomainNameIsValid [ Exists ] for 'domain.com' returned 0x0
04/07/2016 08:45:05:244 NetpValidateName: name 'onbase.net' is valid for type 3
04/07/2016 08:45:05:244 NetpDsGetDcName: trying to find DC in domain 'domain.com', flags: 0x40001010
04/07/2016 08:45:20:244 NetpDsGetDcName: failed to find a DC having account 'SERVERNAME$': 0x525, last error is 0x0
04/07/2016 08:45:22:400 NetpLoadParameters: loading registry parameters...
04/07/2016 08:45:22:400 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
04/07/2016 08:45:22:400 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
04/07/2016 08:45:22:400 NetpLoadParameters: status: 0x2
04/07/2016 08:45:22:400 NetpDsGetDcName: status of verifying DNS A record name resolution for 'REMOTEDC.domain.com': 0x0
04/07/2016 08:45:22:400 NetpDsGetDcName: found DC '\\REMOTEDC.domain.com' in the specified domain
04/07/2016 08:45:22:400 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
04/07/2016 08:45:22:400 NetpDisableIDNEncoding: using FQDN domain.com from dcinfo
04/07/2016 08:45:22:400 NetpDisableIDNEncoding: DnsDisableIdnEncoding(UNTILREBOOT) on 'domain.com' succeeded
04/07/2016 08:45:22:400 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
04/07/2016 08:45:25:884 NetpJoinDomainOnDs: status of connecting to dc '\\REMOTEDC.domain.com': 0x0
04/07/2016 08:45:25:884 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: domain.com
04/07/2016 08:45:25:900 NetpProvisionComputerAccount:
04/07/2016 08:45:25:900 lpDomain: onbase.net
04/07/2016 08:45:25:900 lpHostName: SERVERNAME
04/07/2016 08:45:25:900 lpMachineAccountOU: (NULL)
04/07/2016 08:45:25:900 lpDcName: REMOTEDC.domain.com
04/07/2016 08:45:25:900 lpMachinePassword: (null)
04/07/2016 08:45:25:900 lpAccount: domain.com\xxxxxxx
04/07/2016 08:45:25:900 lpPassword: (non-null)
04/07/2016 08:45:25:900 dwJoinOptions: 0x425
04/07/2016 08:45:25:900 dwOptions: 0x40000003
Powershell Script for AD count
Hi
Could someone please tell me how I get a count of only the enabled AD users for a particular OU?
Thanks
Surendhar.J
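Serving both the Get-ADOrganizationalUnit filter question above and this count question, an added PowerShell example (not from either post): it looks OUs up by a name fragment server-side, because a wildcard -like on distinguishedName is not evaluated by AD, and then counts the enabled users under each one. The ActiveDirectory module, the 'Sales' fragment and the scope value are assumptions.

```powershell
# Added example, not from either post. Needs the ActiveDirectory module and a
# reachable DC; 'Sales' is a placeholder OU name fragment.
Import-Module ActiveDirectory

function Find-OUByNameFragment {
    param([Parameter(Mandatory)][string]$Fragment)
    # distinguishedName has DN syntax, and AD does not evaluate wildcard
    # (substring) filters on DN-syntax attributes, so
    #   -Filter { distinguishedName -like "*something*" }
    # is accepted but returns nothing. Name is a Unicode string, so -like on it
    # is evaluated by the DC. If the fragment is itself an OU on the path,
    # -SearchBase on that OU with -Filter * is the other server-side option.
    # The fragment must not contain quote characters.
    Get-ADOrganizationalUnit -Filter "Name -like '*$Fragment*'" |
        Select-Object Name, DistinguishedName
}

function Get-EnabledUserCount {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [ValidateSet('OneLevel', 'Subtree')][string]$Scope = 'Subtree'
    )
    # "Enabled -eq $true" in -Filter corresponds to this LDAP filter: user
    # objects whose userAccountControl ACCOUNTDISABLE bit (2) is clear, tested
    # with the bitwise-AND matching rule. Spelling it out keeps the filtering
    # on the DC. Subtree includes nested OUs; OneLevel counts direct children.
    $ldap = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $users = @(Get-ADUser -LDAPFilter $ldap -SearchBase $OuDn -SearchScope $Scope)
    $users.Count
}

# Usage: every OU whose Name contains the fragment, with its enabled-user count.
Find-OUByNameFragment -Fragment 'Sales' | ForEach-Object {
    [pscustomobject]@{
        OU           = $_.DistinguishedName
        EnabledUsers = Get-EnabledUserCount -OuDn $_.DistinguishedName -Scope Subtree
    }
}
```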
2008 Domain controller decom failed - Catastrophic failure
Hello,
When trying to run dcpromo on a 2008 RODC (first step of decommissioning) I receive the following error:
Failed to detect if Active Directory Domain Services binaries were installed. The error was: Catastrophic failure
As a first step towards troubleshooting I have done the following:
Run chkdsk /r /f (Successful)
Run sfc /scannow (from command line as administrator) Failed with error:
Windows Resource Protection could not perform the requested operation.
I powered off the domain controller and attached the disk to another Windows 2008 server (as an e: drive) and ran the following command:
sfc /scannow /offbootdir=e:\ /offwindir=e:\windows (Success! Found corrupt files and successfully repaired them.)
Unfortunately it looks like now the server is really poached. Upon booting the server I am getting the error:
Windows failed to start. A recent hardware or software change might be cause...
File: \Windows\system32\winload.exe
Status: 0xc000000e
Info: The selected entry could not be loaded because the application is missing or corrupt.
Fixed this by inserting the installation disc, running a repair, from the command prompt I typed:
bootrec /rebuildbcd
Booted into the OS Successfully. Ran DCPROMO. Same error:
Failed to detect if Active Directory Domain Services binaries were installed. The error was: Catastrophic failure
At this point I'm out of ideas. Any suggestions??
LDAP SEARCH leading space problem
I have the following problem:
I'm moving from an LDAP Novell Directory to AD LDS (W2012R2).
I have a lot of client applications which potentially do an LDAP search like this:
uuid= 123455 (please notice there is a BLANK character after the "=" equals sign)
In Novell this search request returns a result, assuming Novell is removing the leading space as described in the RFC:
tools.ietf.org/html/rfc4518
Appendix B. Substrings Matching
This appendix is non-normative.
In the absence of substrings matching, the insignificant space
handling for case ignore/exact matching could be simplified.
Specifically, the handling could be to require that all sequences of
one or more spaces be replaced with one space and, if the string
contains non-space characters, removal of all leading spaces and
trailing spaces.
In the presence of substrings matching, this simplified space
handling would lead to unexpected and undesirable matching behavior.
For instance:
1) (CN=foo\20*\20bar) would match the CN value "foobar";
uuid is defined like this in my AD LDS schema:
dn: CN=uuid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
cn: uuid
adminDisplayName: uuid
adminDescription: uuid
instanceType: 4
lDAPDisplayName: uuid
attributeID: 1.3.6.1.4.1.4073.2.1.2.1
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
oMSyntax: 64
searchFlags: 0
systemOnly: FALSE
Is it possible to have the same behaviour in AD LDS?
Thanks in advance for your replies.
Best regards,
Marc
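To make the Appendix B text above concrete, an added PowerShell example (not from the post, and not a statement of how AD LDS itself behaves): it applies the RFC 4518 "simplified" insignificant-space handling to the filter value from the post, then reproduces the Appendix B substring case to show why that handling cannot be applied per-substring. All function names are assumed; no directory is contacted.

```powershell
# Added example, not from the post. Pure string logic modelled on RFC 4518
# Appendix B; it does not claim to reproduce AD LDS or eDirectory internals.

function ConvertFrom-LdapFilterValue {
    # Decode RFC 4515 "\XX" hex escapes in a filter value, e.g. "\20" -> space.
    param([string]$Value)
    [regex]::Replace($Value, '\\([0-9A-Fa-f]{2})',
        { param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16) })
}

function Get-InsignificantSpaceNormalized {
    # Appendix B "simplified" handling: collapse runs of spaces to one space;
    # if the string has any non-space character, also drop leading/trailing spaces.
    param([string]$Value)
    $s = $Value -replace ' {2,}', ' '
    if ($s -match '[^ ]') { $s = $s.Trim(' ') }
    $s
}

function Test-LdapEqualityMatch {
    # Parse "(attr=value)" and compare normalised assertion and stored values
    # case-insensitively (caseIgnore matching, as for a 2.5.5.12 Unicode string).
    param([string]$Filter, [string]$StoredValue)
    if (-not ($Filter -match '^\((?<attr>[^=()]+)=(?<val>[^()]*)\)$')) {
        throw "not a simple equality filter: $Filter"
    }
    $assertion = ConvertFrom-LdapFilterValue $Matches.val
    (Get-InsignificantSpaceNormalized $assertion) -eq (Get-InsignificantSpaceNormalized $StoredValue)
}

function Test-LdapSubstringMatchNaive {
    # The behaviour Appendix B calls undesirable: normalise each "*"-separated
    # piece on its own, so the spaces next to the wildcard are thrown away.
    param([string]$Filter, [string]$StoredValue)
    if (-not ($Filter -match '^\((?<attr>[^=()]+)=(?<val>[^()]*)\)$')) {
        throw "not a substring filter: $Filter"
    }
    $pieces = @($Matches.val -split '\*' | ForEach-Object {
        Get-InsignificantSpaceNormalized (ConvertFrom-LdapFilterValue $_)
    })
    $pattern = '^' + (@($pieces | ForEach-Object { [regex]::Escape($_) }) -join '.*') + '$'
    (Get-InsignificantSpaceNormalized $StoredValue) -match $pattern
}

# The post's search, with the blank after "=", against the stored value.
Test-LdapEqualityMatch -Filter '(uuid= 123455)' -StoredValue '123455'
# The Appendix B example: per-piece normalisation lets "foobar" match.
Test-LdapSubstringMatchNaive -Filter '(CN=foo\20*\20bar)' -StoredValue 'foobar'
```

The first call succeeds only because the simplified handling strips the leading space from " 123455"; the second succeeds because "foo " and " bar" are reduced to "foo" and "bar", which is exactly the unwanted match the RFC describes.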
How to enable AD domain join over VPN network that has its own internet connection?
Hello,
I'm hoping you could help me out with something,
As I read in some articles, the preferred DNS HAS to be the one on the domain controller to be able to join the computers.
However in our case, the computers are distributed over small VPN networks, all connecting to the central firewall behind which the AD resides.
These computers have their own internet connection, but are joined to the central domain controller.
We want to be able to permit the domain join as well as leaving them the freedom of requesting whatever name resolution via say the google DNS.
However, if we set the primary DNS as Google's and the secondary as the DC's (configured in the firewall), the domain join doesn't happen. Also, we cannot set a conditional forwarder on the firewall...
So I'm hoping there's a workaround for this? Help?
Many thanks
Hide a DFS Share?
Hi!
An organization here at my company is changing its name, so they want me to rename their folder on the company network drive; it's a DFS share. Of course I see a lot of support cases in front of me where Office links and other references to the old name do not work any more.
My thought was to create a hidden DFS share:
Hidden: \\Domain\NameSpace\OldName --> \\FileServer\MyShare
Visible: \\Domain\NameSpace\NewName --> \\FileServer\MyShare
This way old links would still work, but the employees would be creating new files in the NewName folder.
It does not seem possible, though, to create a hidden DFS share. Is it?
If not, does anyone have any other good solution to my problem?
Thanks!
forest and domain functional level raise (2003 to 2008 R2)
I have done research and read the links below and the process seems straight forward. My questions are:
Do you raise the domain level first then raise the forest levels?
Can you raise one level and hold off to raise the other?
Is there a step-by-step guide that will walk a domain admin through this entire process?
**NOTE** The domain controllers will be 2012 R2 and the member servers will be between 2003 and 2012 OS platforms; the plan is to raise the levels to 2008 R2.
Raise the Forest Functional Level
https://technet.microsoft.com/en-us/library/cc730985.aspx?f=255&MSPPError=-2147217396
Raise the Domain Functional Level
https://technet.microsoft.com/en-us/library/cc753104.aspx?f=255&MSPPError=-2147217396
How to raise Active Directory domain and forest functional levels in Win2003
http://support.microsoft.com/kb/322692
How Active Directory Functional Levels Work
http://technet.microsoft.com/en-us/library/cc739548(v=ws.10).aspx
Understanding Active Directory Domain Services (AD DS) Functional Levels
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
What is a Child Domain?
My domain name is domain.domain000.com, but it is only a single domain. All devices\users log in to or join domain.domain000.com. The NetBIOS name is domain. There is a group policy applying "append these DNS suffixes (in order): domain.domain000.com". I am seeing lots of NETLOGON errors saying cannot find "domain".
1. Is "domain" a subordinate domain of domain000.com?
2. If so, then having a search suffix of domain.domain000.com will exclude "domain", resulting in the NETLOGON errors I am seeing.
Is this correct?
Jason
DNS Records for Active Directory
I am just trying to understand the DNS records associated with the domain controllers. Why does Active Directory have two "A Host" records for each domain controller?
As you can see in the picture, DC1 has an IP address of 192.168.0.3; the same IP address is assigned to another DNS record with the name "(same as parent folder)", which I assume is also for DC1... Why have two identical DNS records for one host name? This is very strange, or am I missing something?
AD Computer permission inheritance
Hi there,
In Active Directory, I've set a 'SELF' permissions entry on our workstations OU so that all workstations have permissions to write to:
msTPM-OwnerInformation
msTPM-TpmInformationForComputer
ms-Mcs-AdmPwd
ms-Mcs-AdmPwdExpirationTime
This applies to: Descendant Computer objects
The issue, however, is that computers do not inherit this permission, and thus the required applications (LAPS and AD BitLocker Recovery) don't function. How can I enable all computers to inherit permissions from their parent OUs?
How to find Computers with Trust relationship
Hi,
I work in an organization where there are over 10000 PCs in the domain. These PCs are spread over 1000 different locations.
The problem I am facing is that many of these PCs are having trust relationship issues, but I don't have a list of PCs which are having this issue. The users are able to log in to the domain account on these PCs, and Group Policies also seem to work on many of these PCs.
We have a Technical Support team. If I were to give them the list of machines having trust relationship issues, then they could go and remove the machines from the domain and rejoin them to the domain. But the problem is I don't have such a list. Is there any way to get a list (maybe a script) of all the machines in the domain that are having trust relationship issues? Since the number of machines in the organization is very large, trying to find out manually is out of the question.
I think 5% to 10% of PCs are having this issue. Also, is there a way to repair the trust relationship on a PC centrally instead of sending Technical Support to each office to repair individual PCs?
Use schema extensions of Exchange 2013 to get more attributes for users
Hi Everyone,
First, sorry for my bad English (I am French).
I need to add additional attributes to the user class in my Windows 2012 R2 forest.
I think one of the easiest (and most secure) ways to do this is ... to use the schema extensions of Exchange 2013.
I mean the "extensionAttribute" and "msExchExtensionCustomAttribute" that the schema extensions of Exchange 2013 provide.
I can achieve this with the command "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms".
But ... I don't want to add ... ALL ... the new attributes of Exchange to my forest, because ... I will not use Exchange.
So ... I see that there are a lot of ".ldf" files in the sources of Exchange 2013, so:
- Which one do I use to add only the "extensionAttribute" and "msExchExtensionCustomAttribute"?
- And which command, please?
Thanks !!