Channel: Directory Services forum

Riverbed Steelhead RODC Issues?


Has anyone in the community experienced issues in environments where a Riverbed Steelhead 'RODC' has been deployed? Is there anything which needs special attention? From what I understand it does not advertise itself as a DC and does not directly service authentication requests.


Active Directory replication works if member of enterprise admins


Hi all,

We have a Windows Server 2008 R2 domain that's running at a forest and domain level of 2008 R2.

As part of our initiative to promote our Active Directory to 2012 R2, we started by adding 2 2012 R2 domain controllers to the root domain and 4 to the child domain.

Note: I am logged in with a domain admin account and running cmd with elevated privileges (right click, Run as administrator).

Now I am not sure if this replication issue started after the introduction of those domain controllers or if it was there before then. However, we are experiencing a replication issue that seems to be security related, because it doesn't happen when my account is a member of Enterprise Admins, and it happens when I remove my account from the Enterprise Admins group.

The error is something like this:

SyncAll reported the following errors:
Error issuing replication: 8453 (0x2105):
    Replication access was denied.
    From: LongGUID._msdcs.DomainName.com
    To  : LongGUID._msdcs.DomainName.com
Error issuing replication: 8453 (0x2105):
    Replication access was denied.
    From: LongGUID._msdcs.DomainName.com
    To  : LongGUID._msdcs.DomainName.com
Error issuing replication: 8453 (0x2105):
    Replication access was denied.
    From: LongGUID._msdcs.DomainName.com
    To  : LongGUID._msdcs.DomainName.com


All ideas and comments are welcome.

Thanks



Mohsen Almassud

AD DS BPA Data Collection Error


Hey all,

We recently virtualized our 2008 R2 domain controller, and overall the process has been pretty smooth. There is one ongoing error that I've had difficulty weeding out. The Best Practices Analyzer for the Active Directory Domain Services role is showing the following error information:

----------------

Issue:

The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) is not able to collect data about Group Policy Results setting "Deny access to this computer from the network" from the domain controller CDS-DC.

Impact:

The AD DS BPA will not be able to validate configuration data about Group Policy Results setting "Deny access to this computer from the network".

Resolution:

Troubleshoot the domain controller CDS-DC to determine the root cause of the problem.

----------------

I've done a good bit of research, but haven't managed to find any helpful information on the nature of this error or the best method for resolution. Thanks in advance for any help!

I am getting Schannel 36888 and 36874 errors on our Active Directory servers...?


We do not have IIS installed on these servers - what is throwing this weird error every five seconds? How can I fix it?

36888: The following fatal alert was generated: 40. The internal error state is 1204.

36874: An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

This is only happening on two of our seven AD servers... All running 2008 R2.
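Since only two of seven DCs log these alerts, the first defensive step is to compare their Schannel configuration with the healthy ones. The script below is an added example, not from the original post: it counts the 36874/36888 events on each DC and reads the Schannel protocol flags and cipher-suite order from the remote registry; the server names are placeholders and it assumes the account has remote event log and remote registry rights.

```powershell
# Added example (not from the original post): for each DC, count the Schannel 36874/36888
# events and read the Schannel protocol and cipher-suite settings from the remote registry,
# so the two noisy servers can be diffed against the five quiet ones.
# Server names are placeholders; needs remote event log and remote registry access.
$servers = 'DC1', 'DC2', 'DC3'
$since   = (Get-Date).AddHours(-1)

$protoPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$suitePath = 'SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

foreach ($s in $servers) {
    # The alerts quoted in the post land in the System log under provider "Schannel".
    $counts = @{}
    Get-WinEvent -ComputerName $s -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Schannel'; Id = 36874, 36888; StartTime = $since
    } | Group-Object Id | ForEach-Object { $counts[[int]$_.Name] = $_.Count }

    # Per-protocol Server\Enabled and DisabledByDefault flags (a missing value means OS default).
    $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $s)
    $proto = $hklm.OpenSubKey($protoPath)
    $flags = @()
    if ($proto) {
        foreach ($p in $proto.GetSubKeyNames()) {
            $srv = $proto.OpenSubKey("$p\Server")
            if ($srv) {
                $flags += ('{0}: Enabled={1} DisabledByDefault={2}' -f $p,
                           $srv.GetValue('Enabled'), $srv.GetValue('DisabledByDefault'))
            }
        }
    }

    # Cipher-suite order: "Functions" is REG_MULTI_SZ, or a comma-separated REG_SZ when set by GPO.
    $suites = $hklm.OpenSubKey($suitePath)
    $order  = if ($suites) { @($suites.GetValue('Functions')) } else { @() }

    [pscustomobject]@{
        Server       = $s
        Errors36874  = [int]$counts[36874]
        Errors36888  = [int]$counts[36888]
        Protocols    = ($flags -join '; ')
        CipherSuites = ($order -join ',')
    }
}
```

Pipe the output to Export-Csv and diff the two noisy DCs against the others; a protocol or cipher-suite list that differs only on those two is the place to start.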


Subdomain permissions


Hi,

I've got a domain domain.lan which is the top level domain, and a subdomain dmo.domain.lan. What I'm trying to achieve is that the members of dmo.domain.lan only have access to resources in domain.lan if they've been specifically granted access. As it is now, if you're a member of Domain Users in dmo.domain.lan, it's the same as being a member of domain.lan.

Anyone who could point me in the correct direction for setting up this?

New LDAP Connection URL


Hi Team,

We are using Active Directory for user management. We are required to create LDAPS for an Oracle application.

We are required to create 3 different LDAPS for Test, Verification and Prod, like tldap.test.com, vldap.test.com and pldap.com.

Is there any possibility to create 3 LDAPS in one AD domain? If possible, please help me with some steps.

Thanks in Advance.

//Bala R 

Domain upgrade to 2012 R2 - Post changes question


Hello,

I'm about to demote from my infrastructure the last domain controller still running 2008 R2.

On this last DC there's an uncontrollable list of applications and services that are configured to use its IP address (mainly IP) for LDAP queries.

Since things grew without control, despite major applications already having been migrated, we cannot guarantee that everything (LDAP and DNS queries) is migrated from this DC to the new ones.

After demoting I'm considering creating a reverse PTR record pointing its IP address to the name of one of the new DCs (2012 R2), and also creating a CNAME record pointing its name to the name of one of the new DCs.

Is there any problem in creating these new records? The old machine will be demoted, renamed and turned off.

ty


Delegating rights to create A records only?


We have a customer who is in need of creating A records only. Therefore, DNSAdmin is too carte blanche for our tastes.

Is there a more granular way to grant the ability to create A records only, while still protecting the rest of our DNS?

Edit: I've read and researched and saw that the option for create child objects should grant this ability, but also may need an ACL permission. Does that limit to only A records? If it's for any record or zone then we may need to compromise and accept, as it's still less than DNSAdmin.


Any thoughts?


Cleaning Active Directory 2008 R2


Friends, I want to clean my AD which is based on 2008 R2.

We configured this AD for a hosted Exchange environment and created a few tenants, and now the hosted Exchange is no more, but I am using this AD for my Hyper-V cluster. Because of this my AD is pretty messed up. I want to delete the users / computers which are not in use or disabled.

The command which I am getting to delete an organization will only run on hosted Exchange, which is no longer there. So how can I clean my AD and bring it back to better health?



Thanks, Happiness Always
Jatin


I am getting a Bad host error / SCCM team not able to deploy package on some client machines


When my SCCM team deploys any package on a client machine they are getting a bad host error or the deployment fails. I have diagnosed the issue and checked the client machine entry in DNS. As per the DNS entry, the A record is correct, but in the reverse lookup zone the same IP is bound to another host. For example: I want to deploy a package on Client1 with IP address 10.0.0.1, but the package fails. When I ping this machine by host name I get the correct reply, but when I ping this machine by IP address (ping -a 10.0.0.1) it shows another hostname bound to this IP address (Client2).

(In Forward lookup zone:  Client1   10.0.0.1  A record

In Reverse lookup zone:  10.0.0.1   Client2   PTR record)

I have checked my DNS entries; the A record is correct but the PTR record is incorrect (the same IP address is bound to another host name).

Once I delete the PTR record the issue is resolved and the package deployment is successful.

I am getting this issue very frequently in my environment, but I am not able to understand why the PTR record is being created incorrectly.

There are multiple DHCP servers with different IP address ranges available in my environment.



Monitor Windows 10 Active Directory Based Activations


Hi,

I've recently implemented Windows 10 Active Directory Based Activation and entered our KMS key. VAMT has been installed as well as its feature under RSAT. When I check the activated computers using slmgr /dlv I can confirm that they have been activated using ADBA. However I can't see this using the Volume Activation Tool on the Domain Controller.

Is there not any way that I can monitor our currently activated clients, as was possible in older versions of VAMT? 

Thanks in advance!


Windows Server 2008R2, D.C. and A.D. Certificate Services


Hi

I've got a D.C. with A.D. Certificate Services installed.

The certificates of this server listed below will expire on the 25th of May. Will they renew automatically?

1.

Issued to: Server1

Intended Purposes: <All>

Certificate Template: Root Certification Authority

2.

Issued to: Server1

Intended Purposes: Client auth, server auth

Certificate Template: Domain Controller Authentication

and a few more...

Thank you for help!


Kind Regards Tomasz

Membership of Windows Authorization Access Group


Hello.

I'm trying to add some computer accounts to said group. I do so and restart the server.

I then check on the server with "gpresult /r /scope computer" the security group membership of the computer, and I can't see the Windows Authorization Access Group listed there. Other groups of which the server is a member are listed there, however.

Is this the correct behavior? How can I check from the server itself if it is a member of the group?

2012 Domain controller with same name


Hi,

I am getting ready to introduce a new 2012 domain controller. I want to keep the same name and IP for DNS, and in case some applications are using the name of the server instead of the FQDN for AD-authenticated applications.

This is what I am attempting to do.

The functional level at the forest and domain is 2003; is it best to move it to 2008 R2 before performing these steps?

1. Build temp VM and dcpromo this server with DNS

2. Swap primary DNS and temp DNS ip address ( so temp ip has the primary ip dns.)

3. transfer FSMO roles off server to a different DC

4. DCPROMO old 2008 r2 DC back to member server

5. Remove server from domain (clean up, check anything in Sites and Services and ntdsutil for that name)

6. rename 2012 server as same name

7. Add ADDS role and promote to domain controller

8.  Swap IP with temp Server

9. DCPROMO temp 2008 VM and remove server

Service Control manager event: DNS server service enters stopped state


Our Windows Server 2012 R2 domain controller's DNS Server service enters a stopped state every other day and does not restart unless the service is restarted manually. Event logs show that Service Control Manager records the Remote Registry service entering a stopped state and restarting, along with the Smart Card Device Enumeration service, WinHTTP Web Proxy Auto-Discovery service, Windows Update service, Device Setup Manager service, Windows Error Reporting service and Shell Hardware Detection service. I have uninstalled our TrendMicro A/V but this did not make a difference, as this morning several services have already entered a stopped state.

Troubleshooting the NIC will be my first attempt but has any admin seen multiple services quit on a daily basis?


Random domain users having password issues


This is my first post and I'm not sure if this is the right forum for this issue...

I have 30+ users in our domain (the DC is Server 2012 R2). A few weeks back I had a user come in on a Monday morning and he couldn't log into his workstation - his password wasn't working. I logged into our domain controller and his account seemed fine, wasn't locked, and nothing was showing in the event logs pertaining to his account. I reset his password and he was able to log in. Subsequently, every Monday morning he is having the same problems.

Then, a different user on a different day started having the same problem. Now each week, I have the same 2 users with the same problem.

NOW, I have 4 people total with this problem. One of them is on a laptop and only comes into the office every week or so. It appears that they are only having this issue once they get into the office and connect to the network.

I'm completely lost and don't know what to do. I've tried searching online and can't find anything related. Maybe I'm not searching for the problem correctly? At any rate... I need help and don't know where to start.


Issues demoting 2012 R2 DC - transferring roles

I have a Server 2012 R2 machine I want to demote transferring all roles to another DC in the domain but am having some difficulties transferring the roles.

In Server Manager the AD DS section has a warning, 'Configuration required for Active Directory Domain Services at <VM name>'.
Clicking More... gives a Post-deployment Configuration action of 'Promote this server to a domain controller'.

When trying to remove ADDS Role:
The Active Directory domain controller needs to be demoted before the AD DS role can be removed.

Used AD DS Services Configuration wizard to demote. Fails with:
Active Directory Domain Services could not transfer the remaining data in directory partition CN=Schema,CN=Configuration,DC=main,DC=eas2012,DC=local to Active Directory Domain Controller <FQDN here>.

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

I found event ID 2022 in the Directory Service event log which says: The operations master roles held by this directory server could not transfer to the following remote directory server ... This is preventing removal of the directory server.

I tried following instructions from http://www.itnotes.eu/?p=246 to manually transfer operations master roles but got:
Move-ADDriectoryServerOperationMasterRole : The directory service is unavailable

NET USER -password expires not showing the password expire time


We have a fine-grained policy with max pwd age of 14 in the test environment. I added a test user to the password policy group and ran the NET USER username /DOMAIN command; the "Password expires" value is still showing as Never. What am I missing? Screenshots attached.
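As an added example (not from the original post), the ActiveDirectory module can report the policy that actually applies to the user, whether a fine-grained PSO or the Default Domain Policy, together with the expiry time the DC computes from it, which is the value worth comparing against the NET USER output. 'testuser' is a placeholder account name; the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the original post): read the resultant password policy
# (fine-grained PSO or Default Domain Policy) and the expiry time the DC computes from it.
# 'testuser' is a placeholder account name; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-EffectivePasswordExpiry {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    # Resultant PSO; $null means only the Default Domain Policy applies to this user.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $u
    $policy = if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
    $source = if ($pso) { "PSO: $($pso.Name)" } else { 'Default Domain Policy' }

    # Constructed attribute in FILETIME units: Int64.MaxValue means the password never
    # expires, 0 means it is already expired or must be changed at next logon.
    $raw = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = switch ($raw) {
        ([int64]::MaxValue) { 'Never' }
        0                   { 'Expired / must change' }
        default             { [datetime]::FromFileTime($raw) }
    }

    [pscustomobject]@{
        User                 = $u.SamAccountName
        PolicySource         = $source
        MaxPasswordAge       = $policy.MaxPasswordAge
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordLastSet      = $u.PasswordLastSet
        PasswordExpires      = $expires
    }
}

Get-EffectivePasswordExpiry -SamAccountName 'testuser' | Format-List
```

If PolicySource shows the PSO and MaxPasswordAge is 14 days but PasswordNeverExpires is True, the account flag, not the policy, is what keeps the expiry at Never.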

firewalls with router


I have a firewall behind a router in my network, and the router is a small device facing the internet. Suppose I have a static IP given by the service provider which is 1.2.3.4, the only live/static IP to use. How and where will I have to configure port forwarding for the IPsec client VPN which is configured on my Server 2008 R2, as VPN clients will need the live/static IP to dial from a remote location? Between the router and my server/LAN there is a firewall which will also need an IP on its WAN interface...

Adnan sabir

Active Directory Forest & Time Server/resync


Hi Guys,

I have built a small Active Directory forest with a few member servers on 2 physical Hyper-V servers. They currently sit on a development test network which is "air gapped" from the rest of the world/network. Firewalls either side etc., and nothing in and out, including a valid time server...

The idea is to eventually move the forest with the member servers into the live network, which will have the required firewall ports opened to connect to a valid time server etc.

My question is, what will happen to the rest of the domain (clients and servers) when the PDC is reconfigured to connect to the new valid time server and its time is updated? Will the member servers, other domain controllers and clients instantly update their time to the new correct time, or will they be in trouble because they will now be behind the PDC/domain controllers?

The current time setup is:

PDC = Free running clock

2nd DC = PDC

Hyper V 1 = 2ND DC or PDC

Hyper V 2 = 2ND DC or PDC

Member servers - integrated hyper v time sync (Hyper V servers)

So from the above, the PDC is holding the time and the rest will eventually pull the time from it (either directly or via the 2nd DC or Hyper-V server). But my worry, which I am already seeing, is that the PDC is losing its time, and by the time it is in place to connect to a valid time source it could be up to 5 mins behind real-world time.

So in short:

If my forest time is 5-10 mins behind and I connect the PDC to a valid time source and resync, will my other servers/clients be in trouble because they will now be quite far out?

I hope this makes sense

Thanks..
