Channel: Directory Services forum

RODC - Secure NTDS.DIT


Dear all,

I have one RODC in a DMZ secured by certificates. I need to protect the ntds.dit or find some way to reduce the fields that synchronize to the RODC. The problem is, if some user gets access to the server he can read the ntds.dit and get membership information, email addresses and so on.

Is there any way to protect the RODC from that?

Can I limit the external queries?

Thanks

Eugenio


Two different Active directory domain controllers replication.


Hi,

I want to move my Active Directory domain controller to a new domain controller, I mean I want to shift from the abc.local domain to the xyz.com domain controller. Is it possible? If so, then how can it be done?

Thanks and Regards,

Tayyub

DC Replication Issue / Error.


We have set up a new DC in our 'AD Sites and Services' and this DC is generating the following error every time we manually choose the 'Replicate now' option between this DC and another DC.

Domain upgrade to 2012 R2 - Post changes question


Hello,

I'm about to demote the last domain controller in my infrastructure that is still running 2008 R2.

On this last DC there's an uncontrollable list of applications and services that are configured to use its IP address (mainly the IP) for LDAP queries.

Since things grew without control, even though the major applications were already migrated, we cannot guarantee that everything (LDAP and DNS queries) has been migrated from this DC to the new ones.

After demoting I'm considering creating a reverse PTR record pointing its IP address to the name of one of the new DCs (2012 R2), and also creating a CNAME record pointing its name to the name of one of the new DCs.

Is there any problem with creating these new records? The old machine will be demoted, renamed and turned off.

ty


Applying Rollup 3 for ADFS 2.0


I'm applying Update Rollup 3 for ADFS 2.0 to address a problem I'm having related to Issue 3 in the KB https://support.microsoft.com/en-us/kb/2790338. I have 2 internal ADFS servers and 2 external proxy ADFS servers. Do I need to apply the rollup to all 4 ADFS servers or only to the ADFS mgmt server of each cluster?

Thanks

Bruce

Not all groups returned by domain controllers of another forest


We have software that runs on a workstation that is a member of another domain in another forest.

When this software starts it connects to our domain and checks the user's group membership with the API function Getgroups.

Sometimes the domain controller returns all groups to which the user belongs, but sometimes not all groups, only part of them.

Our forest is divided into several sites and some sites are behind a firewall. I think the problem may be caused by inaccessible controllers, but why does the Getgroup method sometimes return only part of the domain groups to which the user belongs?

When this software works on PC in our domain everything is all right.

I do understand that it is a difficult question.

Thank you.


VMAT (KMS) Activation Errors with 2012R2


We have an AD environment with a KMS server activating Windows and Office products. Recently we deployed 2 Windows Server 2012R2 Virtual Machines and these particular 2 guests will not activate. They can reach our KMS server and we can install keys on them. However, when we go to activate them we get "permission denied". I have pulled the machine out of the domain and added it again and get the same result.

We have:

Running slmgr.vbs /ato from an elevated command prompt gets: "Error 0x8000700005 Access denied: the requested action requires elevated privileges."

Just to clarify, we get the Access denied result from the KMS server when we try to remotely activate this server. I'm at a loss and looking for something I might have missed. DCOM permissions have also been looked at and verified. 

Additionally I have tried:

"To work around this issue if you use a MAK, reactivate the system during the "Out of Tolerance" grace period by using online activation or telephone activation. To work around this issue if you use KMS, restart the computer. Or, type the following command at a command prompt, and then press ENTER: slmgr.vbs -ato" 

Running slmgr.vbs /ato results in "Access Denied" from the local machine whether or not it is run from an elevated command prompt.

This may need to go into a different category as it has to do with licensing. Please move it to the appropriate group as needed.

Thanks, Jeff Newbill




Add Permission at Active Directory level to control user's behaviour on Windows application.


Good day.

We would like to set user permissions at the Active Directory level rather than at the application level, whereby:

1) In Active Directory, set up two users (User1 and User2).
2) Create a Windows Forms application, having a main form with two buttons (Btn1 and Btn2).
3) Create the application behaviour as below:
- User1 clicks Btn1 on the main form: allow User1 to navigate to form1 and prompt the message "Authorised".
- User1 clicks Btn2 on the main form: disallow User1 from navigating to form1 by prompting the message "Not Authorised".
- User2 clicks Btn1 on the main form: disallow User2 from navigating to form1 by prompting the message "Not Authorised".
- User2 clicks Btn2 on the main form: allow User2 to navigate to form1 and prompt the message "Authorised".

Please assist on what should be configured in Active Directory to achieve the above.

Thank You.



Viknes Raj


Prevent AD Users to join certain AD security groups ?


Hi all,

We are going to build an extranet with SharePoint.
Customers should be added to our Active Directory, but they may only be members of 1 specific AD group; they are not allowed to be part of any other groups, as those provide access to things that do not matter to them.

Is it possible to do this somehow without creating a new domain?

Our active directory is 2012.

thanks

Domain Controller Local Policies


Dear Experts,

Due to some security concerns, we have been tasked with security hardening our Windows 2008 R2 Domain Controllers. As such, I have a few questions that I need some advice on. We currently have 2 DCs replicating with one another.

1) We are intending to apply security hardening to the local policy of 1 DC only for a start. Would changing the local policy (Password, Account, Audit, UAC, Security Options, User Rights Assignment, etc.) affect the Default Domain Controllers Policy?

2) Does making changes to the DC local policy affect the other DC as well? We need redundancy just in case.

3) Would there be a conflict if we set a local DC policy and it is overridden by the Default Domain Controllers Policy?

4) Is there any impact on the other member servers and clients that are authenticated by the 2 DCs?

Please advise. Thanks so much.

External Domain Trust Removal


I am trying to clean up some external domain trust issues. The trust has been removed from one side, but I cannot remove the trust from the other side. I have domain admin logins in both domains. The domain abc.com still shows def.com as both an incoming and outgoing trust, but def.com does not show abc.com as any type of trust. This appears to be in the GUI only, as it does not appear in ADSIedit as a trustedDomain object under CN=System in abc.com.

Any ideas on how to remove it?


VAMT 2


Hi

I have inherited a VAMT 2 server from our previous network manager and have no documentation on this. I was wondering if anyone could explain how it works.

When I open the tool there are no computers listed, but I can import a list of computers saved previously and it shows some of the machines we have. When machines are added to the domain, they activate against the server automatically, but I am trying to understand how. Is it the VMAT tool they activate against? They are not automatically added to the list, but they are activated? I can see a DNS record for vmat, so I understand this is how clients find the server, but not how to manage them.

Thanks

Shane



Domain controller upgrade Server 2008 R2 to Server 2016


Hi All,

I have 2 DCs that are currently running Server 2008 R2. I am planning on upgrading these in the near future, but am wondering if it might make more sense to just wait until Server 2016 is available later this year and jump straight to that.

I appreciate that Server 2016 is only in technical preview at the moment, but I am wondering if anybody might have any idea whether this is even going to be possible? Or would we need to upgrade to 2012 first before upgrading to 2016 anyway?

Any thoughts would be appreciated.

Cheers,

Simon

Bulk Disabling AD Users using dsmod


Hello,

I am working on a downsizing of the AD environment for my client, they have given me a text file of 200 users to disable. The DC is running 2008 Enterprise SP2, I do not have access to RSAT or AD modules for powershell.

I have tried to create a .ps1 file and run this using a .bat but am unfamiliar with the dsmod commands.

I was trying something along the lines of:

REM Read each line of bulk.txt as a whole (delims= keeps DNs that contain spaces intact)
REM and pass it to dsmod as the distinguished name of the user to disable.
FOR /f "usebackq delims=" %%i in ("c:\User\rlora\Documents\bulk.txt") do (
    dsmod user "%%i" -disabled yes
)


Moving FSMO roles to another site Windows Server 2008 R2

We have 14 sites/subnets created in Active Directory, with a replication topology from HQ to each site. The FSMO roles are hosted on one of the DCs in HQ, and all sites have a local domain controller. We are in the process of relocating the HQ datacenter to a new building, which will require 48 hours of downtime, and we already have a DR site. So, will there be any impact on users in the remote sites? And what is your recommendation regarding moving the FSMO roles to another site?

getting temp profile

Some users are getting a temp profile and the following event is logged:

Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

To find the AD Schema attribute


Hello All,

I have a script to find the AD schema attributes for all objects:

dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -filter "(objectClass=attributeSchema)" -attr lDAPDisplayName rangeUpper -limit 0 > Report.txt

Can anyone help in modifying the script, or provide a script, to extract the attributes per object class, such as user, computer, printer, etc.?

thanks in Advance

Aamir


NA

LDAP Automation error automation error -2147463155 8000500d trying to update AD from Excel VBA


AD on Win 2012 R2

I'm working in an isolated sandbox with a test AD server and a Win 7 workstation running Office 2013. I am new to AD and LDAP, but quite proficient in VB and VBA (and C# for that matter).

The automation error I get might have to do with an invalid LDAP reference. That's all I could dig up:
automation error -2147463155 8000500d

The overall objective is to update Active Directory fields using rows of user data in an Excel spreadsheet and VBA. I loop through each Excel row and get the email address, and then I do a query through ADODB to get the ADsPath of the user with an AD query using the email address, which is unique:

Set conn = New ADODB.Connection
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = New ADODB.Command
Set cmd.ActiveConnection = conn
cmd.Properties("Page Size") = 1000
cmd.Properties("Timeout") = 30
cmd.Properties("Cache Results") = False
cmd.Properties("Chase Referrals") = &H20 Or &H40
cmd.CommandText = "<LDAP://DC=mydc1,DC=mydc2>;(&(objectCategory=person)(objectClass=user)(mail=" & srcEmail & "));ADsPath;subtree"
Set rs = cmd.Execute
If rs.BOF And rs.EOF Then
    ' no AD record returned, so write out an error in the spreadsheet
    wsData.Cells(i, STATUS_COL) = NOTFOUND_ERR
Else
    rs.MoveFirst
    userDN = rs.Fields(0).Value
    Set thisUser = GetObject(userDN)

    ' so far so good, the userDN was returned as follows, and the GetObject function threw no errors:
    ' LDAP://CN=mylastname\, Bill,OU=Users,OU=Information Services,OU=Finance,DC=mydc1,DC=mydc2

    ' Now comes the problem
    thisUser.Put "Employee-Number", wsData.Cells(i, SRC_EMPLOYEEID_COL)   '<<< This throws the automation error
    ' I tried to use a Get just to see if maybe I was able to do a read, but not a write, but it didn't work either
    adEmail = thisUser.Get("email")   '<<< This also throws the same automation error

    thisUser.SetInfo   '<<< I never make it to here
End If

I am at a loss given the fact that the query to return the AdsPath works fine, but it seems the path it returns is invalid.

Thanks in advance for your help.

Bill


Can't add 2012r2 as member server of a 2003 domain


Hi everyone, and thanks in advance for your help.

I have a 2003 domain (DFL and FFL = 2, previously 1) with two DCs, both 2003, static IP (only IPv4), DNS pointing to itself on each one.

When I try to add a 2012 R2 server to the domain, this message pops up:

"An Active Directory Domain Controller (AD DC) for the domain "mdq.quarters.xxxxxx.com" could not be contacted"

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "mdq.quarters.xxxxxx.com":
The query was for the SRV record for _ldap._tcp.dc._msdcs.mdq.quarters.xxxxx.com
The following domain controllers were identified by the query:
cliper.mdq.quarters.xxxxxx.com
cliper3.mdq.quarters.xxxxxx.com
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.

The 2012 server's DNS points to cliper's IP and I can ping any DC in the domain by FQDN with no problem.

I've checked the ports required by AD with portqry, and all looks fine; I can connect to all ports on both DCs.

All three servers are connected to the same switch.

DCdiag on both DCs does not show any errors (I ran dcdiag /V /C /D /E /s:cliper.mdq.quarters.xxxxxx.com and dcdiag /e /v /test:dns).
repadmin /replsummary does not show any errors either.

I've searched a lot, and I've tried and tested a lot too, and now I've really run out of ideas.

Does anyone have a clue, please? I'm really desperate :-(

Diego

ADFS Proxy Config Wizard crashes


Hello,

I've installed ADFS 2.0 Proxy on a Win2008R2 server. The first screen checks for the Federation Server, for which I type in "adfs.domain.org", and that gives me a success. So I know communication is working between them. The next page asks me to put in credentials to establish a trust between the federation server proxy and the Federation Service. Since the Federation Server is in a farm setup, I am using a service account, so I type the username as "domain\adfsservice" along with its password. As soon as I hit OK, I get "FspConfigWizard.exe has stopped working", along with the following details. Can anyone please tell me what's going on? I've installed this on two separate Win2008R2 servers and still get the same problem.

Problem signature:
  Problem Event Name: CLR20r3
  Problem Signature 01: fspconfigwizard.exe
  Problem Signature 02: 6.1.0.0
  Problem Signature 03: 4bcfd422
  Problem Signature 04: mscorlib
  Problem Signature 05: 2.0.0.0
  Problem Signature 06: 53a11de1
  Problem Signature 07: 4224
  Problem Signature 08: a9
  Problem Signature 09: System.ComponentModel.Win32
  OS Version: 6.1.7601.2.1.0.272.7
  Locale ID: 1033


Any help or advice is appreciated. Thank you!

-Sau
