Channel: Directory Services forum

Add users to additional default groups

All staff are automatically assigned to domain users (standard..) but I would like to add all users to other created default groups that give automatic access to additional services. How can I achieve this?

Andrew


transition from server 2008R2 to 2012R


Hi,

I have 230 2008R2 domain controllers; it's a single-domain network. I have 120 AD sites, globally located.

May I know the steps for transition from 2008R2 to 2012R2 domain controller.

DFS are configured in 2008R2 servers. 


repadmin /replsum

Hi,

Can someone explain the repadmin /replsum command to me? I am unable to understand the largest delta, fails, total, errors.

Bitlocker - AD Schema Extension 2012


I have attempted to apply the schema extensions referenced in (https://technet.microsoft.com/en-us/library/jj635854.aspx) to support TPM backup of 2012R2/8.1 clients to Active Directory in our 2 domain AD forest made up of 2008 and 2008 R2 DCs (i.e. domain1.domain.com and domain2.domain.com).  The result is that in domain1 the changes have taken effect and TPM backups are working, but in domain2 it does not appear to be the case since the 'TPM Devices' container is not created and I'm unable to activate the TPM on clients in domain2.

I used the sample command provided (ldifde -i -v -f TpmSchemaExtensionACLChanges.ldf -c "DC=X" "DC=domain1,dc=domain,dc=com" -k -j .) on the schema master without a problem.  When I try the command (ldifde -i -v -f TpmSchemaExtensionACLChanges.ldf -c "DC=X" "DC=domain2,dc=domain,dc=com" -k -j .) I get the error below:

Connecting to "DC1.domain1.domain.com"
Logging in as current user using SSPI
Importing directory from file "TPMSchemaExtension.ldf"
Loading entries
1: CN=ms-TPM-Srk-Pub-Thumbprint,CN=Schema,CN=Configuration,DC=domain2,dc=domain,dc=com

Add error on entry starting on line 31: Referral
The server side error is: 0x202b A referral was returned from the server.
The extended server error is:
0000202B: RefErr: DSID-031006BB, data 0, 1 access points
        ref 1: 'domain2.domain.com'

0 entries modified successfully.
An error has occurred in the program.

_____________________________________

I'm running the above command on the Schema Master which is in Domain1.

Any help would be appreciated.


service accounts in windows server 2008 r2


Hello,

I have an asp.net application installed on IIS 7.5

The IIS is installed on Windows Server 2008 R2 and the application is supposed to connect to a SQL Server 2008, located on another Windows Server 2008 R2.

I've created an application pool and now I want to give it db_owner permissions in SQL Server.

When I try to add a new login in SQL Server and write the Login Name in the following format: IIS APPPOOL\[new apppool], I receive the following error message:

"Create failed for login 'IIS...' error 15401".

The two servers are under the same network.

I was told I need to create a new service account in order to be able to provide the permissions.

I'm pretty new to all of this. Can someone please let me know how to start?

Where do I need to add the service account? on the IIS server or the SQL Server?

Thanks

Get-ADOrganizationalUnit -Filter {distinguishedname -like "*something*"}


Hi, filtering Get-ADOrganizationalUnit by distinguishedname should be straightforward, but for some reason:

Get-ADOrganizationalUnit -Filter {distinguishedname -like "*something*"}

does not work. I could use:

Get-ADOrganizationalUnit -Filter * | Where-Object -FilterScript {$PSItem.distinguishedname -like "*something*"}

but filtering should be done as soon as possible. I assume distinguishedname attribute and -like operator are supported in -Filter for Get-ADOrganizationalUnit cmdlet.



how to balance connections via LDAP / LDAPs through Domain Controllers


Hi All.

I have 03 DCs in one site, but in this site I have 5 applications on Linux; these applications authenticate via LDAP / LDAPS. The applications do not allow defining more than one LDAP server.

In order to have balancing and fault tolerance of the connections for LDAPS, we will use an HLB (Hardware Load Balancer) to work with more than one DC.

To implement this solution, do I need to do something in the DCs?

My configuration will be:

dc1.mydomain.com --> Ip1

dc2.mydomain.com --> Ip2

dc3.mydomain.com --> Ip3

dcall.mydomain.com --> Ip4 (Virtual IP) managed by the HLB to distribute the LDAP connections between the DCs.

Thanks, and I'm waiting for any considerations.

Two hubs and spoke topology question


I have a 2008R2 domain with a hub and spoke topology. The hub has (2) DCs, and the spokes have a single DC.  All DCs can communicate with each other, if needed, and we do have Bridge All Site Links enabled.  The one hub (2 DCs) is in a centralized metropolitan location.  We now have another site in that same centralized metropolitan city that is a D/R site with a fast circuit, with 2 DCs that could also be a hub.

I was originally bringing this site into my topology as a spoke, but with a much lower cost on that site link.  Now I am thinking I might want to actually make it a hub with a site link out to each spoke?  So my question is, if I have (2) hub sites named A and B with site connections out to all the spoke sites named C, D, and E, should I have a site link from A (hub1) to C (spoke1) and another site link from B (hub2) to C (spoke1) with the same cost? Or should I create one site link from A (hub1) to B (hub2) to C (spoke1), another from A to B to D (spoke2), another from A to B to E, etc.?

Not sure if this is confusing enough or not, or even if it really matters, but just trying to make sure I have things set up as good as I can.

Thanks,

Dave

Computers are contacting a DC in a different site for domain join operations


Hello,

Occasionally we have PCs and servers that, while performing a domain join operation, will contact a DC in a remote site instead of the local site.  We have all subnets defined properly and set to the correct sites.  In the example below, the 192.168.1.0/24 subnet is attached to the HQ site.  However, during the domain join operation, it contacted a DC in a remote site.   Looking at the log, I think I know why this happened.  Rather than using what we have in Sites and Services, the operation simply queries the domain.com A records and picks one of those to use for this process.

This is causing a problem because it can take up to 15 minutes for replication from this remote site to happen, so if a PC is being reimaged, a user at the HQ site cannot log on to the PC for some period of time until that remote DC replicates with our HQ DCs.

How can we prevent this from happening?  All workstations and servers deployed at the HQ site need to utilize DCs at the HQ site.

Edited to add:  We are joining to the domain using the "To rename this computer or change its domain or workgroup, click Change." in System Properties

04/07/2016 08:45:03:072 NetpDoDomainJoin
04/07/2016 08:45:03:072 NetpDoDomainJoin: using new computer names
04/07/2016 08:45:03:072 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
04/07/2016 08:45:03:072 NetpDoDomainJoin: NetpGetNewHostName returned 0x0
04/07/2016 08:45:03:072 NetpMachineValidToJoin: 'SERVERNAME'
04/07/2016 08:45:03:072     OS Version: 6.3
04/07/2016 08:45:03:072     Build number: 9600 (9600.winblue_ltsb.160119-0600)
04/07/2016 08:45:03:072     SKU: Windows Server 2012 R2 Standard
04/07/2016 08:45:03:072     Architecture: 64-bit (AMD64)
04/07/2016 08:45:03:072 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
04/07/2016 08:45:03:072 NetpGetLsaPrimaryDomain: status: 0x0
04/07/2016 08:45:03:072 NetpMachineValidToJoin: status: 0x0
04/07/2016 08:45:03:072 NetpJoinDomain
04/07/2016 08:45:03:072     HostName: SERVERNAME
04/07/2016 08:45:03:072     NetbiosName: SERVERNAME
04/07/2016 08:45:03:072     Domain: domain.com
04/07/2016 08:45:03:072     MachineAccountOU: (NULL)
04/07/2016 08:45:03:072     Account: domain.com\xxxxxx
04/07/2016 08:45:03:072     Options: 0x425
04/07/2016 08:45:03:072 NetpLoadParameters: loading registry parameters...
04/07/2016 08:45:03:072 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
04/07/2016 08:45:03:072 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
04/07/2016 08:45:03:072 NetpLoadParameters: status: 0x2
04/07/2016 08:45:03:072 NetpValidateName: checking to see if 'domain.com' is valid as type 3 name
04/07/2016 08:45:05:244 NetpCheckDomainNameIsValid [ Exists ] for 'domain.com' returned 0x0
04/07/2016 08:45:05:244 NetpValidateName: name 'onbase.net' is valid for type 3
04/07/2016 08:45:05:244 NetpDsGetDcName: trying to find DC in domain 'domain.com', flags: 0x40001010
04/07/2016 08:45:20:244 NetpDsGetDcName: failed to find a DC having account 'SERVERNAME$': 0x525, last error is 0x0
04/07/2016 08:45:22:400 NetpLoadParameters: loading registry parameters...
04/07/2016 08:45:22:400 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
04/07/2016 08:45:22:400 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
04/07/2016 08:45:22:400 NetpLoadParameters: status: 0x2
04/07/2016 08:45:22:400 NetpDsGetDcName: status of verifying DNS A record name resolution for 'REMOTEDC.domain.com': 0x0
04/07/2016 08:45:22:400 NetpDsGetDcName: found DC '\\REMOTEDC.domain.com' in the specified domain
04/07/2016 08:45:22:400 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
04/07/2016 08:45:22:400 NetpDisableIDNEncoding: using FQDN domain.com from dcinfo
04/07/2016 08:45:22:400 NetpDisableIDNEncoding: DnsDisableIdnEncoding(UNTILREBOOT) on 'domain.com' succeeded
04/07/2016 08:45:22:400 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
04/07/2016 08:45:25:884 NetpJoinDomainOnDs: status of connecting to dc '\\REMOTEDC.domain.com': 0x0
04/07/2016 08:45:25:884 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: domain.com
04/07/2016 08:45:25:900 NetpProvisionComputerAccount:
04/07/2016 08:45:25:900     lpDomain: onbase.net
04/07/2016 08:45:25:900     lpHostName: SERVERNAME
04/07/2016 08:45:25:900     lpMachineAccountOU: (NULL)
04/07/2016 08:45:25:900     lpDcName: REMOTEDC.domain.com
04/07/2016 08:45:25:900     lpMachinePassword: (null)
04/07/2016 08:45:25:900     lpAccount: domain.com\xxxxxxx
04/07/2016 08:45:25:900     lpPassword: (non-null)
04/07/2016 08:45:25:900     dwJoinOptions: 0x425
04/07/2016 08:45:25:900     dwOptions: 0x40000003
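To audit which DC a join actually used, here is an added Python example (not from the post and not Microsoft's code) that parses the NetSetup.LOG lines quoted above and flags a join serviced by a DC outside the expected site. The sample lines are constructed from that excerpt, the HQ DC names are assumptions, and the flag names come from the DsGetDcName API documentation.

```python
import re

# Constructed sample lines, modelled on the NetSetup.LOG excerpt in the post above
SAMPLE_LOG_LINES = [
    r"04/07/2016 08:45:03:072 NetpDsGetDcName: trying to find DC in domain 'domain.com', flags: 0x40001010",
    r"04/07/2016 08:45:20:244 NetpDsGetDcName: failed to find a DC having account 'SERVERNAME$': 0x525, last error is 0x0",
    r"04/07/2016 08:45:22:400 NetpDsGetDcName: found DC '\\REMOTEDC.domain.com' in the specified domain",
    r"04/07/2016 08:45:25:884 NetpJoinDomainOnDs: status of connecting to dc '\\REMOTEDC.domain.com': 0x0",
]

# Assumed (hypothetical) DCs of the HQ site; replace with the real site membership
HQ_SITE_DCS = {"HQDC1.domain.com", "HQDC2.domain.com"}

# Subset of DsGetDcName flag bits, as listed in the DsGetDcName API documentation
DSGETDC_FLAGS = {
    0x00000010: "DS_DIRECTORY_SERVICE_REQUIRED",
    0x00001000: "DS_WRITABLE_REQUIRED",
    0x00040000: "DS_TRY_NEXTCLOSEST_SITE",
    0x40000000: "DS_RETURN_DNS_NAME",
}
ERROR_NO_SUCH_USER = 0x525  # Win32 error 1317

FLAGS_RE = re.compile(r"trying to find DC in domain '([^']+)', flags: 0x([0-9A-Fa-f]+)")
ACCOUNT_RE = re.compile(r"failed to find a DC having account '([^']+)': 0x([0-9A-Fa-f]+)")
FOUND_RE = re.compile(r"NetpDsGetDcName: found DC '\\\\([^']+)' in the specified domain")
CONNECT_RE = re.compile(r"status of connecting to dc '\\\\([^']+)': 0x([0-9A-Fa-f]+)")


def decode_flags(value):
    """Names of the known DsGetDcName flag bits set in value, lowest bit first."""
    return [name for bit, name in sorted(DSGETDC_FLAGS.items()) if value & bit]


def parse_join_log(lines):
    """Pull the domain, locator flags, account lookup result and chosen DC out of NetSetup.LOG lines."""
    result = {"domain": None, "flags": [], "fresh_join": False,
              "found_dc": None, "connect_status": None}
    for line in lines:
        if m := FLAGS_RE.search(line):
            result["domain"] = m.group(1)
            result["flags"] = decode_flags(int(m.group(2), 16))
        elif m := ACCOUNT_RE.search(line):
            # 0x525 means no existing computer account was found: a first-time join
            result["fresh_join"] = int(m.group(2), 16) == ERROR_NO_SUCH_USER
        elif m := FOUND_RE.search(line):
            result["found_dc"] = m.group(1)
        elif m := CONNECT_RE.search(line):
            result["connect_status"] = int(m.group(2), 16)
    return result


def out_of_site_join(parsed, local_dcs):
    """True when the join was serviced by a DC outside the expected local site."""
    dc = parsed["found_dc"]
    return dc is not None and dc.lower() not in {d.lower() for d in local_dcs}


if __name__ == "__main__":
    parsed = parse_join_log(SAMPLE_LOG_LINES)
    print(parsed)
    if out_of_site_join(parsed, HQ_SITE_DCS):
        print(f"ALERT: join used {parsed['found_dc']}, which is not an HQ-site DC")
```

Run it over the NetSetup.LOG of each newly imaged machine and the alert line shows which joins crossed site boundaries.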


Powershell Script for AD count


Hi 

Could someone please tell me how I get a count of enabled AD users only for a particular OU?

Thanks 

Surendhar.J

2008 Domain controller decom failed - Catastrophic failure


Hello,

When trying to run dcpromo on a 2008 RODC (first step of decommissioning) I receive the following error:

Failed to detect if Active Directory Domain Services binaries were installed.  The error was: Catastrophic failure

As a first step towards troubleshooting I have done the following:

Run chkdsk /r /f (Successful)

Run sfc /scannow (from command line as administrator) Failed with error:

Windows Resource Protection could not perform the requested operation.

I powered off the domain controller and attached the disk to another Windows 2008 server (as an e: drive) and ran the following command:

sfc /scannow /offbootdir=e:\  /offwindir=e:\windows  (Success!)  ..Found corrupt files and successfully repaired them...)

Unfortunately it looks like now the server is really poached.  Upon booting the server I am getting the error:

Windows failed to start.  A recent hardware or software change might be cause...

File: \Windows\system32\winload.exe

Status: 0xc000000e

Info: The selected entry could not be loaded because the application is missing or corrupt. 

Fixed this by inserting the installation disc, running a repair, from the command prompt I typed:

bootrec /rebuildbcd

Booted into the OS Successfully.  Ran DCPROMO.  Same error:

Failed to detect if Active Directory Domain Services binaries were installed.  The error was: Catastrophic failure

At this point I'm out of ideas.  Any suggestions??

LDAP SEARCH leading space problem

Hi all,

I have the following problem :

I'm moving from a LDAP Novell Directory to ADLDS (w2012R2)

I have a lot of client application which potentially do a LDAP search like this :

uuid= 123455 (please notice there is a BLANK character after the "=" equals sign)

In Novell this search request returns a result, assuming Novell is removing the leading space as described in the RFC:

tools.ietf.org/html/rfc4518

Appendix B.  Substrings Matching

   This appendix is non-normative.

   In the absence of substrings matching, the insignificant space
   handling for case ignore/exact matching could be simplified.
   Specifically, the handling could be to require that all sequences of
   one or more spaces be replaced with one space and, if the string
   contains non-space characters, removal of all leading spaces and
   trailing spaces.

   In the presence of substrings matching, this simplified space
   handling would lead to unexpected and undesirable matching behavior.
   For instance:

   1) (CN=foo\20*\20bar) would match the CN value "foobar";

uuid is defined like this in my ADLDS schema:

dn: CN=uuid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
cn: uuid
adminDisplayName: uuid
adminDescription: uuid
instanceType: 4
lDAPDisplayName: uuid
attributeID:  1.3.6.1.4.1.4073.2.1.2.1
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
oMSyntax: 64
searchFlags: 0
systemOnly: FALSE

Is it possible to have the same behaviour in ADLDS ?

Thanks in advance for your replies

best regards

Marc
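As an added illustration (not part of Marc's post), this Python example implements the simplified insignificant-space handling quoted above from RFC 4518 Appendix B and applies it to the post's "uuid= 123455" search and to the appendix's (CN=foo\20*\20bar) substring case, where \20 is the LDAP escape for a space. The stored values are constructed, and the RFC's normative rules in section 2.6.1 differ from this simplified form, which is exactly the point the appendix makes.

```python
import re


def raw_prep(value):
    """Case folding only: spaces are compared exactly as typed."""
    return value.casefold()


def simplified_space_prep(value):
    """Simplified insignificant-space handling from RFC 4518 Appendix B (non-normative):
    every run of spaces becomes one space and, if the string has any non-space
    character, leading and trailing spaces are removed. Case folding is added because
    the post's uuid attribute uses a case-ignore string syntax."""
    collapsed = re.sub(r" {2,}", " ", value)
    if collapsed.strip(" "):
        collapsed = collapsed.strip(" ")
    return collapsed.casefold()


def equality_match(stored, asserted, prep=simplified_space_prep):
    """Equality filter (attr=assertion) after preparing both sides with prep."""
    return prep(stored) == prep(asserted)


def substring_match(stored, initial, final, prep=simplified_space_prep):
    """Two-piece substring filter (attr=initial*final): each assertion piece is
    prepared separately, which is what Appendix B says goes wrong."""
    s, i, f = prep(stored), prep(initial), prep(final)
    # initial and final must not overlap inside the stored value
    return s.startswith(i) and s.endswith(f) and len(s) >= len(i) + len(f)


# Constructed sample values, not taken from the post's directory
STORED_UUID = "123455"
ASSERTED_UUID = " 123455"   # the blank after '=' in the post's filter  uuid= 123455

if __name__ == "__main__":
    print("exact spaces  :", equality_match(STORED_UUID, ASSERTED_UUID, raw_prep))  # False
    print("RFC 4518 App B:", equality_match(STORED_UUID, ASSERTED_UUID))            # True
    # Appendix B's example (CN=foo\20*\20bar): pieces "foo " and " bar"
    print("foobar matches:", substring_match("foobar", "foo ", " bar"))             # True, the undesirable case
```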



How to enable AD domain join over VPN network that has its own internet connection?


Hello,

I'm hoping you could help me out with something,

As I read in some articles, the preferred DNS HAS to be the one on the domain controller to be able to join the computers.

However in our case, the computers are distributed over small VPN networks, all connecting to the central firewall behind which the AD resides.

These computers have their own internet connection, but are joined to the central domain controller.

We want to be able to permit the domain join as well as leaving them the freedom of requesting whatever name resolution via, say, the Google DNS.

However, if we set the primary DNS as Google's, and the second as the DC's (config in the firewall), the domain join doesn't happen. Also we cannot set a conditional forwarder on the firewall...

So I'm hoping there's a workaround to this? Help?

Thanks many

Hide a DFS Share?


Hi!

An organization here at my company is changing its name, so they want me to rename their folder on the company network drive; it's a DFS share. Of course I see a lot of support cases in front of me where Office links and other references to the old name do not work any more.

My thought was to create a hidden DFS share:

Hidden: \\Domain\NameSpace\OldName --> \\FileServer\MyShare

Visible: \\Domain\NameSpace\NewName --> \\FileServer\MyShare

This way old links would still work but the employees are creating new files in the NewName folder.

It does not seem that it is possible though, to create a hidden DFS-share. Is it?

If not, does anyone have any other good solution to my problem?

Thanks!

forest and domain functional level raise (2003 to 2008 R2)


I have done research and read the links below and the process seems straight forward. My questions are:

Do you raise the domain level first then raise the forest levels?

Can you raise one level and hold off to raise the other?

Is there a step-by-step guide that will walk a domain admin through this entire process?  

**NOTE** The Domain controllers will be 2012 R2 and the member servers will be between 2003 to 2012 OS platform, the plan is to raise the levels to 2008 R2.

Raise the Forest Functional Level

https://technet.microsoft.com/en-us/library/cc730985.aspx?f=255&MSPPError=-2147217396

Raise the Domain Functional Level

https://technet.microsoft.com/en-us/library/cc753104.aspx?f=255&MSPPError=-2147217396

How to raise Active Directory domain and forest functional levels in Win2003
http://support.microsoft.com/kb/322692

How Active Directory Functional Levels Work
http://technet.microsoft.com/en-us/library/cc739548(v=ws.10).aspx

Understanding Active Directory Domain Services (AD DS) Functional Levels
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx


What is a Child Domain?


My domain name is domain.domain000.com but it is only a single domain.  All devices\users login or join domain.domain000.com.  The netbios name is domain.  There is a group policy applying "append these DNS suffixes (in order): domain.domain000.com. I am seeing lots of NETLOGON errors saying cannot find "domain".  

1. Is "domain" a subordinate domain of domain000.com? 

2. If so, then having a search suffix of domain.domain000.com will exclude domain resulting in my NETLOGON errors I am seeing

Is this correct?

Jason

DNS Records for Active Directory


I am just trying to understand the DNS records associated with the domain controllers. Why does Active Directory have two "A Host" records for each domain controller?

As you can see in the picture, DC1 has an IP address of 192.168.0.3; the same IP address is assigned to another DNS record with the name "(Same as parent folder)", which I assume is also for DC1... Why have two identical DNS records for one host name? This is very strange, or am I missing something?

AD Computer permission inheritance


Hi there,

In Active Directory, I've set a 'SELF' permissions entry on our workstations OU so that all workstations have permissions to write to:

msTPM-OwnerInformation
msTPM-TpmInformationForComputer
ms-Mcs-AdmPwd
ms-Mcs-AdmPwdExpirationTime

This applies to: Descendant Computer objects

The issue is, however, that computers do not inherit this permission and thus the required applications (LAPS and AD BitLocker Recovery) don't function. How can I enable all computers to inherit permissions from their parent OUs?

Screenshots


How to find Computers with Trust relationship


Hi,

I work in an Organization where there are over 10000 PCs in the domain. These PCs are spread over a 1000 different locations.

The problem I am facing is that many of these PCs are having trust relationship issues, but I don't have a list of PCs which are having this issue. The users are able to log in to the domain account on these PCs, and Group Policies also seem to work on many of these PCs.

We have a Technical Support team. If I were to give them the list of machines having trust relationship issues, then they could go and remove the machines from the domain and rejoin them to the domain. But the problem is I don't have such a list. Is there any way to get a list (maybe a script) of all the machines in the domain that are having trust relationship issues? Since the number of machines in the organization is very large, trying to find out manually is out of the question.

I think 5% to 10% of PCs are having this issue. Also, is there a way to repair the trust relationship on a PC centrally instead of sending Technical Support to each office to repair individual PCs?

Use schema extensions of Exchange 2013 to get more attributes for users


Hi Everyone,

First, sorry for my bad English (I am French).

I need to add additional attributes to the user class in my Windows 2012 R2 forest.

I think one of the easiest (and most secure) ways to do this is ... to use the schema extensions of Exchange 2013.
I mean the "extensionAttribute" and "msExchExtensionCustomAttribute" that the schema extensions of Exchange 2013 provide.

I can achieve this with the command "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms".

But ... I don't want to add ... ALL ... the new attributes of Exchange to my forest because ... I will not use Exchange.

So ... I see that there are a lot of ".ldf" files in the sources of Exchange 2013, so:

- Which one do I use to add only the "extensionAttribute" and "msExchExtensionCustomAttribute"?

- And which command please ?

Thanks !!
