Channel: Directory Services forum

Windows 2000 server and windows XP woes

I have a Windows Server 2008 R2 functional level domain with two DCs - Windows 2008 R2 and Windows 2012 R2.  Up until Monday of this week everything worked fine.  I migrated our Exchange system from Exchange 2007 to 2010 about three weeks ago.  Still everything was fine.  But this week all of a sudden we had issues with users connecting to a couple of DB servers (2000 Standard and 2003 Server).  From the network, pinging the server works fine but sometimes it would not work.  From the servers, they will all of a sudden stop pinging certain other servers but not all.  My main concern is that I think Active Directory is inaccessible at times for these two servers.  If I do an 'arp -d *' then the ping will work and I am able to see resources on the domain.  When the ping does not work to the DC I cannot connect to resources.  The ARP clear will fix it momentarily but the issue always comes back.  I have also noticed that my Windows 10 PC was not running my login script a few weeks ago because all my drive mappings were missing.  I usually could get to them by using UNC paths.  After shutting down these two troubled servers I rebooted my PC and I notice my login script runs fine - every time.  Any ideas?  I have moved all servers to their own switch and then back again to no avail.

Installing gMSA on a server without AD cmdlets


I created a managed server account and gave "SERVER1$" rights to retrieve the password. I then tried to install the service account on server1, only to find that the command requires the active directory cmdlets. No problem, I thought! I imported a session from a random domain controller:


$ActiveDirectorySession = New-PSSession -ComputerName DC01
Invoke-Command -Session $ActiveDirectorySession -ScriptBlock {Import-Module ActiveDirectory}
Import-PSSession $ActiveDirectorySession -Module ActiveDirectory

Then I tried to run the install command:

Install-AdServiceAccount -Identity Server1MSA

But it failed!


Cannot install service account. Error Message: '{Access Denied}
A process has requested access to an object, but has not been granted those access rights.'.
    + CategoryInfo          : WriteError: (Server1MSA:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDir
   ectory.Management.Commands.InstallADServiceAccount
    + PSComputerName        : DC01
 

Initially I thought that I hadn't granted the permissions correctly, but then I saw the problem:

    + PSComputerName        : DC01

Because I imported the cmdlets, the command of course runs on DC01.  So, how am I supposed to install a gMSA for a computer that doesn't have the AD cmdlets? I'm REALLY not in favour of installing the AD module on all my servers, and even if I install and later uninstall the cmdlets, would that suddenly make them break?

Error when attempting to change password: "The security database on the server does not have a computer account for this workstation trust relationship."


The error message I'm seeing is "The security database on the server does not have a computer account for this workstation trust relationship." There's nothing wrong with the trust relationship and I have removed a computer from the domain, deleted the AD account, and re-added it to the domain successfully and I still get the same message but only when I am trying to change my password. Below are all the things I have tried unsuccessfully:

  • Removed the computer account from the domain, deleted the account, and re-added the computer to the domain.
  • Tested with domain admin account.
  • Tried changing my password logged in directly into a domain controller.
  • Issue occurs both on manual password change or forced password change.
  • Copied existing account and tried changing the password.
  • Created brand new (not copied) account in AD and tried changing the password.
  • Tried resetting password on multiple computers.
  • Removing Windows updates mentioned online that may cause this issue.

The only things that have worked are:

  • Changing a local user account's password.
  • Changing a domain account password via AD Users and Computers.

Our workstations are Windows 7 SP1 and our servers are Windows 2008 R2 SP1.

Christopher

Not able to view attribute editor tab in AD on 2003 server


Not able to view the Attribute Editor tab in AD on a 2003 server. Even after enabling the Advanced Features option from the View menu, the Attribute Editor tab on user properties is not visible.

Also, after browsing to the user's exact path, the Attribute Editor is not visible.

How to use an audit account (account with audit role) to connect to the servers

Hello,

I have created an Audit account on the CA domain controller, so I have an account to view logs and some other responsibilities as an Auditor, but I'm not able to connect remotely (RDP), and I'm also not able to connect physically because, due to CA policy, I don't have physical access.

My question is: how can I use the audit account? Is there any official MS tool to connect as an auditor to just view logs and so on?

thank you in advance

best regards

Roman


How to migrate Active Directory from Azure Active Directory to on-premises Active Directory


My customer is using Azure Active Directory and now wants to have an on-premises Active Directory server. How can we set up an on-premises AD server, integrate it with Azure AD, do the migration (e.g. user accounts and computer objects), and then decommission Azure AD?

lastLogonTimestamp or LastLogonDate


Hello All,

In our forest we have 4 domains. All the domain controllers are running 2012 R2 and are GCs.

We have implemented Cisco AnyConnect for VPN. The Cisco box is configured with only one domain's DC IP and hostname.

Users from the other domains are getting authenticated without any issues and can connect remotely, but lately when we run the user inactivity script we see many users marked as inactive because lastLogonTimestamp and lastLogon are not updated.

Due to a limitation on the Cisco box we can't add all the DC IPs and hostnames from the other domains. I am just checking how to update or refresh the attributes so they get updated on all DCs, which will stop active users being marked as inactive.

Or is there any other attribute which can be considered to mark users as active?


Thanks HA
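As an added example (not from the thread, and not any Microsoft tooling), a Python sketch of how an inactivity script can combine the replicated lastLogonTimestamp with the non-replicated lastLogon value collected from every DC, and allow for the 14-day refresh interval before declaring an account inactive. The DC names, attribute values and reference date are constructed sample data.

```python
"""Added example: classify accounts as inactive only when neither the replicated
lastLogonTimestamp nor any DC's lastLogon shows a recent logon.

Assumptions: attribute values are the raw 64-bit FILETIME integers AD returns
(100-ns intervals since 1601-01-01 UTC); the per-DC values below are constructed
sample data, not real directory output."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lastLogonTimestamp is rewritten only when the stored value is older than
# msDS-LogonTimeSyncInterval (default 14 days), so a healthy account can carry
# a stamp up to 14 days behind its real last logon.
LOGON_TIME_SYNC_INTERVAL = timedelta(days=14)
NOW = datetime(2016, 3, 1, tzinfo=timezone.utc)  # constructed reference time


def filetime_to_datetime(value):
    """Convert an AD FILETIME integer to an aware UTC datetime; 0/None means 'never'."""
    if not value:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def effective_last_logon(last_logon_timestamp, last_logon_per_dc):
    """Latest logon evidence across the replicated stamp and each DC's lastLogon."""
    candidates = [filetime_to_datetime(last_logon_timestamp)]
    candidates += [filetime_to_datetime(v) for v in last_logon_per_dc.values()]
    candidates = [c for c in candidates if c is not None]
    return max(candidates) if candidates else None


def is_inactive(account, now=NOW, inactive_after=timedelta(days=90)):
    """True only if no DC and not the replicated stamp shows a logon in the window;
    the sync interval is added so a not-yet-refreshed stamp never flags early."""
    last = effective_last_logon(account["lastLogonTimestamp"], account["lastLogon"])
    if last is None:
        return True
    return now - last > inactive_after + LOGON_TIME_SYNC_INTERVAL


def sample_accounts():
    """Constructed records keyed by sAMAccountName; lastLogon is per DC queried."""
    def ago(days):
        return datetime_to_filetime(NOW - timedelta(days=days))
    return {
        # VPN user: stale replicated stamp, but DC02 (the DC the VPN box uses) saw a logon
        "vpnuser": {"lastLogonTimestamp": ago(120), "lastLogon": {"DC01": ago(130), "DC02": ago(3)}},
        # genuinely dormant: nothing anywhere for 200 days
        "dormant": {"lastLogonTimestamp": ago(200), "lastLogon": {"DC01": ago(200), "DC02": 0}},
        # stamp 100 days old, still inside the 90 + 14 day allowance, so keep it active
        "edge": {"lastLogonTimestamp": ago(100), "lastLogon": {"DC01": 0, "DC02": 0}},
        "never": {"lastLogonTimestamp": 0, "lastLogon": {}},
    }


def classify(accounts, now=NOW):
    """Map each account name to its inactive flag."""
    return {name: is_inactive(acct, now) for name, acct in accounts.items()}
```

In a real run the per-DC lastLogon values would be gathered by querying each DC separately, since that attribute never replicates.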

Not all groups returned by domain controllers of another forest


We have software that runs on a workstation that is a member of another domain in another forest.

When this software starts it connects to our domain and checks the user's group membership with the API function GetGroups.

Sometimes the domain controller returns all the groups to which the user belongs, but sometimes not all groups, only part of them.

Our forest is divided into several sites and some sites are behind a firewall. I think the problem can be because of the inaccessible controllers, but why does the GetGroups method sometimes return only part of the domain groups to which the user belongs?

When this software runs on a PC in our domain everything is all right.

I do understand that it is a difficult question.

Thank you.

 


Old Certificate on Domain Controller

Hello

I have 4 domain controllers, 2 old and 2 new. But the 2 new domain controllers can't seem to replicate the System OU from the old ones. After some troubleshooting I think I might have found the error, which was that the 2 old servers were running a certificate which the 2 new ones couldn't get since the certificate server is dead. So my question is: can I remove the certificate on the old servers without damaging Active Directory (or other things I might have missed)?

Recent Java Updates not applying over group policy


We currently use a Windows Server 2008 R2 domain controller on our local network. We've been updating Java packages through Group Policy for over a year now with no issues. However, the most recent update (Version 8 Update 72 as of this post) refuses to apply. On my workstation I was able to pull the update down, but no other user in the entire company can get it. I feel I have all the proper permissions set up, and the package was added to the update policy and set to upgrade the previously pushed package of 8u65.  Is there a setting I need to change, or apply, in order for this update to take effect?

We use an intranet site that makes heavy use of Java tables that the users cannot access without getting the Java update prompt, which for some reason is coming up despite the proper settings being applied in the update policy as well.

Losing AD and other services approx every 6 days


A number of months ago I did a migration from SBS 2003 to Server 2008 R2 - a small stand-alone business with one DC. I followed the procedures and, while I had some issues, all appeared to be resolved. (The SBS box had to be retired due to hardware issues and is no longer available.) The DC is XXX-DC2 and the domain is QQQQQQQ.local - see below.

An issue has been occurring whereby AD is not accessible - other services which depend on AD don't function either.  If I reboot the server everything works again. About 6 days later the same thing happens again and I reboot again, and so on.

I have looked at everything and cannot get to the bottom of the problem.  Any suggestions would be appreciated.

Here is some of the troubleshooting I have done, both when AD is running and when it is down.

AD Running

Check current fsmo role owner


C:\Users\Administrator.QQQQQQQ>netdom query fsmo
Schema master               XXX-DC2.QQQQQQQ.local
Domain naming master        XXX-DC2.QQQQQQQ.local
PDC                         XXX-DC2.QQQQQQQ.local
RID pool manager            XXX-DC2.QQQQQQQ.local
Infrastructure master       XXX-DC2.QQQQQQQ.local
The command completed successfully.


Check number of dc's in domain


C:\Users\Administrator.QQQQQQQ>netdom query dc
List of domain controllers with accounts in the domain:

XXX-DC2
The command completed successfully.


Check the currently logged on user


C:\Users\Administrator.QQQQQQQ>set u
USERDNSDOMAIN=QQQQQQQ.LOCAL
USERDOMAIN=QQQQQQQ
USERNAME=Administrator
USERPROFILE=C:\Users\Administrator.QQQQQQQ


check current logon server

C:\Users\Administrator.QQQQQQQ>set l
LOCALAPPDATA=C:\Users\Administrator.QQQQQQQ\AppData\Local
LOGONSERVER=\\XXX-DC2

AD not Running

C:\Users\Administrator.DEMPSEY>hostname
XXX-DC2


Check currently logged on user

C:\Users\Administrator.QQQQQQQ>set u
USERDNSDOMAIN=QQQQQQQ.LOCAL
USERDOMAIN=QQQQQQQ
USERNAME=Administrator
USERPROFILE=C:\Users\Administrator.QQQQQQQ


Check current logon Server

C:\Users\Administrator.QQQQQQQ>set l
LOCALAPPDATA=C:\Users\Administrator.QQQQQQQ\AppData\Local
LOGONSERVER=\\XXX-DC2


Check current fsmo role owner

C:\Users\Administrator.DEMPSEY>netdom query fsmo
The RPC server is unavailable.

The command failed to complete successfully.


Check number of dc's in domain

C:\Users\Administrator.QQQQQQQ>netdom query dc
The name limit for the local computer network adapter card was exceeded.

The command failed to complete successfully.


C:\Users\Administrator.QQQQQQQ>netdom query dc
he name limit for the local computer network adapter card was exceeded.

The command failed to complete successfully.

Permissions on users

I have a shared folder called home$. It contains sub-folders for different users. How can I make sure that one user does not have access to the other users' folders but does have permissions on his/her own folder?

Error 1311 no logon server


Hi, we have had an issue for 2 weeks now that we cannot solve.  We have a site where they have a local Windows domain running on Windows Server 2003. We were asked to install a new server for running Remote Desktop Services. The new server was installed and is running Windows Server 2012 R2.

If this new server is on the network but not joined to the domain we can PING the domain.local name and also the IP address just fine. NSLOOKUP is also working fine.

Once we join this new server to the domain we can no longer PING domain.local. NSLOOKUP still works though. If we try to configure anything related to the domain, like adding a user or configuring Remote Desktop Services, we get the error "no logon server".

Since we were able to ping the domain.local name when not joined, we removed the server from the domain. Again we were able to ping domain.local. Even though DNS works fine, we edited the hosts file to point domain.local to the right IP.  I put a mix of upper and lower case in the name, so when I now ping the domain name I can see that the IP is resolved from the hosts file. We then joined the server to the domain again and tried to ping. Again it's not working. Always the same message: "Ping request could not find host".

DCDIAG runs fine on the domain server. No error message. The firewall has been turned off. DNS is configured to point to the DNS server, which is also the Active Directory server.  The server has been formatted and re-installed 3 times already.

Does anyone know what the problem could be? Also, can someone explain to me how a computer on a domain usually resolves the IP for the domain.local name? I thought it was with DNS, but from our tests DNS works only when not joined to the domain. Also, the hosts file seems to be used only when not joined to the domain, which makes no sense to me.

Thanks,



Multihomed DC (keep old DC IP alive... but it was in another VLAN)


Hi,

First, as usual, sorry for my English.

We have a technical question about multihomed DCs. We know that there is no problem for a domain controller to have 2 different IPs on the same network. But in our case the old DC(s) were on the same VLAN as the other servers and the new DC(s) are in a separate VLAN.

The issue is due to an application which uses the name and IP of one old DC... so we need to keep this IP alive.

We would like to add a network cable to a new DC and add the old DC IP on this network card.

Is it possible? I think it is, but I am afraid that all LDAP connections from the production VLAN will use the old IP because it will be the shorter way (IP on the same network).

All the topics about multihomed DCs I have read speak about DHCP for these VLANs, but in our case our network devices are configured to forward DHCP requests to the new VLAN.

Please tell me you have the answer to this topic... please help me.

Useful book to design an Active Directory domain from scratch


Dear all,

I have to plan a new Active Directory domain, and need to create a very detailed low-level design. For this, is there any good book on the market that can be used as a complete checklist of planning items to 100% plan an Active Directory domain? It should contain, for example, all the tasks needed to plan the following: AD site links, OU structure, GPO inventory, admin delegation model to OU level, etc.

Is there such a book available? I don't need the usual fairy tale about directories, LDAP etc.; I only need to focus on designing all the bits and pieces of a working AD domain.

Any pointer to proven books is greatly appreciated!


Deleted user is still reflected when searching in Active Directory


Hi

I deleted some users from Active Directory a couple of months ago. I executed the command to forcefully replicate the domains and it completed successfully.

But when I search for the deleted user name via the search window in Active Directory, it is still reflected there.

Is there any option or way to remove it permanently from Active Directory?

Please suggest how I can resolve my issue.

Thanks in advance.


Regards, Md Ehteshamuddin Khan. All the opinions expressed here are mine. This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

Linking GPO's at the domain root rather than OU's


Are there performance issues related to linking at the domain root rather than particular OU's?

I've started moving away from linking policies at OU's and begun linking them at the domain root and applying groups to the security filters.  For me this is just easier in a number of regards, OU sprawl has gotten out of hand. 

The GPO's number in the several dozens, so if I move all of them to the root, is it going to increase logon times for end users or cause other issues since the system has to assess the filter on every GPO?  Are there other considerations?

VMAT (KMS) Activation Errors with 2012R2


We have an AD environment with a KMS server activating Windows and Office products. Recently we deployed 2 Windows Server 2012R2 Virtual Machines and these particular 2 guests will not activate. They can reach our KMS server and we can install keys on them. However, when we go to activate them we get "permission denied". I have pulled the machine out of the domain and added it again and get the same result.

We have:

Running slmgr.vbs /ato from an elevated command prompt gets: "Error 0x8000700005 Access denied: the requested action requires elevated privileges."

Just to clarify, we get the Access denied result from the KMS server when we try to remotely activate this server. I'm at a loss and looking for something I might have missed. DCOM permissions have also been looked at and verified. 

Additionally I have tried:

"To work around this issue if you use a MAK, reactivate the system during the "Out of Tolerance" grace period by using online activation or telephone activation. To work around this issue if you use KMS, restart the computer. Or, type the following command at a command prompt, and then press ENTER: slmgr.vbs -ato" 

Running slmgr.vbs /ato results in "Access Denied" on the local machine whether or not it is run from an elevated command prompt.

This may need to go into a different category as it has to do with licensing. please move to the appropriate group as needed. 

Thanks,


Thanks, Jeff Newbill




how to disable ldap anonymous directory access from Windows server 2008 R2 SP1


After running a security scan on one of our Windows Server 2008 R2 SP1 domain controllers we got the vulnerability below:

LDAP Anonymous Directory Access Permitted (ldap-anonymous-directory-access)

Description:
The Lightweight Directory Access Protocol (LDAP) can be used to provide information about users, groups, etc.
The LDAP service on this system allows anonymous connections. Access to this information by malicious users may assist them in
launching further attacks.

How do we disable this on a Windows Server 2008 R2 SP1 domain controller?

Please help.

Should I enable the Computer Browser service?

I have two Server 2012 DCs, a physical and a virtual.  Should I enable the Computer Browser service on these DCs?  I read some posts that suggest doing it but what is best practice these days?