Channel: Directory Services forum

Demote server 2003 R2


Hi Guys,

I'm in the process of demoting a Server 2003 DC. I have already migrated the DHCP role to a 2012 DC and transferred the FSMO roles to Server 2008 R2.

Do I need to uninstall DNS before I demote the 2003 box, or can I do that after?

My DNS is active directory integrated.


how can i add remember my password check box in ADFS 3.0 page


I am on Active Directory Federation Services 3.0 for Office 365 SSO. Is there a way I can modify the login page to add a "remember me" or "remember password" check box, something like what you get when you navigate to portal.microsoftonline.com?

thanks


The security database on the server does not have a computer account for this workstation trust relationship.


Hi,

We have Active Directory on Server 2008 R2, and Windows 7, Windows 8, Windows 8.1 and Windows 10 as client operating systems on my domain. For the past month we have been facing the issue 'The security database on the server does not have a computer account for this workstation trust relationship.' while trying to change a user's password through a client computer.

Previously, we thought the trust relationship had failed, so we recreated it using 'test-computersecurechannel -repair'. Even after that, we tried to change the user password but the same issue repeats. This issue has only been seen on Windows 8.1 machines so far. On Windows 7 or Windows 8 the same user can easily change their password.

Requesting your help in this regard. The error snapshot is below.

Thank You.

Log users logon activity when user had been locked out.


Hello, I have a question.

Is there any way to log the user's logon activity when the user has been locked out by the password policy?

How to configure it?

Thank you very much!

VMAT (KMS) Activation Errors with 2012R2


We have an AD environment with a KMS server activating Windows and Office products. Recently we deployed 2 Windows Server 2012 R2 virtual machines and these particular 2 guests will not activate. They can reach our KMS server and we can install keys on them. However, when we go to activate them we get "permission denied". I have pulled the machine out of the domain and added it again and get the same result.

We have:

Running slmgr.vbs /ato from an elevated command prompt gives: "Error 0x8000700005 Access denied: the requested action requires elevated privileges."

Just to clarify, we get the Access denied result from the KMS server when we try to remotely activate this server. I'm at a loss and looking for something I might have missed. DCOM permissions have also been looked at and verified.

Additionally I have tried:

"To work around this issue if you use a MAK, reactivate the system during the "Out of Tolerance" grace period by using online activation or telephone activation. To work around this issue if you use KMS, restart the computer. Or, type the following command at a command prompt, and then press ENTER: slmgr.vbs -ato"

Running slmgr.vbs /ato results in "Access Denied" from the local machine whether or not it is run from an elevated command prompt.

This may need to go into a different category as it has to do with licensing; please move it to the appropriate group as needed.

Thanks,


Thanks, Jeff Newbill




AD Objects on DC look fine from RSAT Snap in AD objects outdated


Hello all,

We recently had an issue with FRS not replicating to one of our DCs. We would make a group membership change to an object and see it reflected on two out of our three DCs. GPO changes were also not replicating.

We followed a guide on how to reset the BurFlags and do a non-authoritative SYSVOL restore. This went fine and cleared up our FRS log errors. Once this was done I was able, from a DC, to make a change to an AD object, then run repadmin /syncall and see the change on the problem DC.

So I thought our issue was resolved; well, it's not. Our helpdesk uses the ADUC snap-in that comes with RSAT to manage our AD objects. When they modify an object while the snap-in is connected to DC01, that works, but when they connect their snap-in to DC02 they don't see the changes (after replication). If I log into the two DCs I can see that on both of them the object has been updated. So the issue now is that when viewing objects with the snap-in they are outdated, but viewing them directly on the DC they look fine.

I also noticed that if I connect the ADUC console from DC01 to DC02 I also see outdated AD objects.

I hope everyone can follow my issue.

Anyone see this before?

Thanks in advance for any assistance.

Steps for deleting a server from AD Sites and Services that has not been decomm'd


Hey all,

I have a server listed in my AD S&S that was created within VMware years ago and no longer exists. As I cannot decommission it, how do I go about deleting it from AD S&S? There are numerous entries in the Directory Service event log, including:

Event Category: Knowledge Consistency Checker
Event ID: 1925
Description:
The attempt to establish a replication link for the following writable directory partition failed.

This domain controller will be unable to replicate with the source domain controller until this problem is corrected.

Additional Data
Error value:
1722 The RPC server is unavailable.

Any guidance here would be greatly appreciated. Thank you.

LDAP Automation error automation error -2147463155 8000500d trying to update AD from Excel VBA


AD on Win 2012 R2

I'm working in an isolated sandbox with a test AD server and a Win 7 workstation running Office 2013. I am new to AD and LDAP, but quite proficient in VB and VBA (and C# for that matter).

The automation error I get might have to do with an invalid LDAP reference. That's all I could dig up:
automation error -2147463155 8000500d

The overall objective is to update Active Directory fields using rows of user data in an Excel spreadsheet and VBA. I loop through each Excel row and get the email address, and then I do a query through ADODB to get the ADsPath of the user with an AD query on the email address, which is unique:

    Set conn = New ADODB.Connection
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = conn
    cmd.Properties("Page Size") = 1000
    cmd.Properties("Timeout") = 30
    cmd.Properties("Cache Results") = False
    cmd.Properties("Chase Referrals") = &H20 Or &H40
    ' ADO/ADSI search string: <base>;filter;attributes;scope
    cmd.CommandText = "<LDAP://DC=mydc1,DC=mydc2>;(&(objectCategory=person)(objectClass=user)(mail=" & srcEmail & "));ADsPath;subtree"
    Set rs = cmd.Execute
    If rs.BOF And rs.EOF Then
        ' no AD record returned, so write out an error in the spreadsheet
        wsData.Cells(i, STATUS_COL) = NOTFOUND_ERR
    Else
        rs.MoveFirst
        userDN = rs.Fields(0).Value
        Set thisUser = GetObject(userDN)

        ' so far so good, the userDN was returned as follows, and the GetObject function threw no errors:
        ' 'LDAP://CN=mylastname\, Bill,OU=Users,OU=Information Services,OU=Finance,DC=mydc1,DC=mydc2'

        ' Now comes the problem
        thisUser.Put "Employee-Number", wsData.Cells(i, SRC_EMPLOYEEID_COL)   '<<< This throws the automation error
        ' I tried to use a Get just to see if maybe I was able to do a read, but not a write, but it didn't work either
        adEmail = thisUser.Get("email")   '<<< This also throws the same automation error
        '
        ' thisUser.SetInfo   '<<< I never make it to here
    End If

I am at a loss given that the query to return the ADsPath works fine, but it seems the path it returns is invalid.

Thanks in advance for your help.

Bill



is there any risk if domain netbiosname different from Domain name


Is there any risk if the domain NetBIOS name is different from the domain name?

For example, if the NetBIOS name is ABC

and the full domain name is XYZ.local,

is there any risk in this case?

Upgrading from ADDS 2008 32-bit to 2012/2012 R2


Hi Guys

Just checking whether the upgrade process is the same as when doing a 64-bit upgrade, or if this is different?

I would appreciate some help/guidance on how to upgrade a 2008 32-bit ADDS to 2012/2012 R2.

Thanks

NTDS Writer missing


Hi,

First thing, if this is in the wrong forum I apologise.

We are having issues with a Windows 2008 DC at the moment. To give you a quick insight into how this problem happened, the server is a virtual server sitting on a VMware platform. They were hit by the TeslaCrypt virus and the decision was taken to roll back to a previous version of the server.

Yes, I know now that this was the wrong thing to do.

Since then we have had a few problems with the server and VSS. I have managed to get most things working but I cannot get the NTDS VSS writer to show up when I type vssadmin list writers.

Looking online, all the information I can find tells me to do a dcpromo down and then back up again, but this is a production Exchange server so it is not really an option.

Is there any way to re-register this writer and so get it working again?

Thanks for any help given,

alamb200

Deny access to create folder/allow access to edit document within that folder


I have groups on my AD server that allow users to use folders. I want to create a group that can edit the data in a folder but not create a NEW folder. Can anyone help me with this?

Thanks 

IAS vs AD Server


Hi everyone,


As I understand it, IAS is a kind of RADIUS server and AD is an LDAP server.

But AD provides authentication and authorization functions; does that overlap with IAS?

So what are the differences between IAS & AD?


Thanks.


David

Error 1311 no logon server


Hi, we have had an issue for 2 weeks now that we cannot solve. We have a site with a local Windows domain running on Windows Server 2003. We were asked to install a new server for running Remote Desktop Services. The new server was installed and is running Windows Server 2012 R2.

If this new server is on the network but not joined to the domain we can PING the domain.local name and also the IP address just fine. NSLOOKUP is also working fine.

Once we join this new server to the domain we can no longer PING domain.local. NSLOOKUP still works, though. If we try to configure anything related to the domain, like adding a user or configuring Remote Desktop Services, we get the error "no logon server".

Since we were able to ping the domain.local name when not joined, we removed the server from the domain. Again we were able to ping domain.local. Even though DNS works fine, we edited the hosts file to point domain.local to the right IP. I put a mix of upper and lower case in the name, so when I now ping the domain name I can see that the IP is resolved from the hosts file. We then joined the server to the domain again and tried to ping. Again it's not working. Always the same message: "Ping request could not find host".

DCDIAG runs fine on the domain server. No error messages. The firewall has been turned off. DNS is configured to point to the DNS server, which is also the Active Directory server. The server has been formatted and re-installed 3 times already.

Does anyone know what the problem could be? Also, can someone explain to me how a computer on a domain usually resolves the IP for the domain.local name? I thought it was with DNS, but from our tests DNS works when not joined to the domain. Also, the hosts file seems to be used only when not joined to the domain, which makes no sense to me.

Thanks,



Domain Users Password unable to change


Hi,

When domain users try to change their password, the error below occurs, although a password meeting all the required policies was provided.

-------------------------------------------------------------------------------------------------------------------------------------------------

Change a password

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

-------------------------------------------------------------------------------------------------------------------------------------------------


Active Directory Interview Questions & Answers


Hi All,

Could you please send Active Directory questions & answers specific to Windows Server 2012 R2? If anyone has some notes for AD 2012 R2, please mail them to Kaushal.temp@gmail.com

Thanks


Kaushal Shah

How do we remove Domain Users from Builtin\Administrators while allowing us to test the effects?


This is an overview of the situation. I just took over AD in an environment that is a 24/7 production environment with little to no ability to be taken down. The previous administrators did a lot of really poorly thought out band-aiding of issues, and now I am trying to fix it without bringing the environment down, while allowing us the ability to test the effects before making any major changes.

The first issue on the agenda is that for some reason someone put the Domain Users group into the Builtin\Administrators group, which allows all users unadulterated access to servers and who knows what else. Not knowing for certain what will happen when I take Domain Users out of Builtin\Administrators, I wanted to hedge my bets by creating a new group (All Users) with the same members as Domain Users. The plan was to put the All Users group into the Builtin\Administrators group, allow it to trickle down, and then remove Domain Users, hopefully allowing everyone to keep the same rights while allowing new users (especially for testing) to have the proper rights, and allowing us to confirm what needs to be done before fully removing the admin rights for everyone.

The major problem: when I add All Users to the Builtin\Administrators group, the next morning the Builtin\Administrators group is reset and All Users is no longer there. As it is, the best case scenario is that if I added All Users and took Domain Users out, tomorrow it would be as if nothing had happened; the worst case is that All Users is removed and Domain Users isn't restored, leaving us with a completely untested environment.

What has been done and found so far: while looking for why this is happening I found out more about AdminSDHolder and the various processes around it. I have confirmed that the SDProp process is not set off the default time, so it should run every hour; however, I've watched the group over the course of about 6 hours and All Users stayed where it was put the entire time. I do not know whether runProtectAdminsGroupTask runs at the same hourly interval (in which case something else is making the change) or runs once a day (in which case it may be the cause of this issue). I have changed the dsHeuristics setting to f, which maximizes what is excluded, and I have used ADSIedit to go into the attributes of Builtin\Administrators and set adminCount to 0. When I go into LDP and connect to the server to kick off fixupInheritance or runProtectAdminsGroupTask I get the same error:

ldap_modify_s(ld, '(null)',[0] attrs);
Error: Modify: Unwilling To Perform. <53>
Server error: 00000057: LdapErr: DSID-0C0422CE, comment: Error in attribute conversion operation, data 0, v23f0
Error 0x57 The parameter is incorrect.

I have confirmed I do have the correct rights to run the command.

Another issue I have found, which is likely very much related and may be a contributing factor, is that using a tool called LIZA I ran a search for everything with blocked inheritance and found that, because of the groupings and such, every single user in the environment has inheritance blocked and is likely "protected" by AdminSDHolder.

So in the end the simple act of adding the All Users group to the Builtin\Administrators group is running into walls, and I was hoping someone could show me how to get around them. Trying to audit the changes on the Builtin\Administrators group failed because, since the group is reset, all of the audit settings are reset too, with no events being logged. Errors prevent me from kicking off the suspected processes causing the issue so that I can confirm whether my solutions are working, forcing me to wait at least a day in between potential fixes. And all the while even a brand new and clean user can log into any of our servers and cause havoc. I am in need of help, please.

Edit: I was able to find the issue with trying to manually kick off the AdminSDHolder check. I'm unsure it worked, but I am making progress in this quest to undo the mistakes of admins past.
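
One way to see what SDProp has actually touched before changing the Builtin\Administrators membership, as an added example that is not the poster's code: it lists every object stamped adminCount=1, checks whether it is still (transitively) in a protected group, and reports whether ACL inheritance is still blocked. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example, not the poster's code: list objects that SDProp has stamped
# with adminCount=1 and flag those no longer in any AdminSDHolder-protected
# group (orphans that keep a blocked, stale ACL until cleaned up).
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
# Groups SDProp protects, by well-known SID (518/519 exist only in the forest root).
$protectedGroupSids = @(
    "$domainSid-512", "$domainSid-516", "$domainSid-518", "$domainSid-519", "$domainSid-521",
    'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552'
)
# Accounts protected directly rather than via membership: Administrator (500) and krbtgt (502).
$alwaysProtectedSids = @("$domainSid-500", "$domainSid-502")

# Set of DNs that legitimately carry adminCount=1: the protected groups themselves
# plus their transitive membership, resolved with LDAP_MATCHING_RULE_IN_CHAIN.
$legit = @{}
foreach ($sid in $protectedGroupSids) {
    try { $grp = Get-ADGroup -Identity $sid } catch { continue }
    $legit[$grp.DistinguishedName] = $true
    # Escape the DN for use inside an LDAP filter (RFC 4515).
    $dn = $grp.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" |
        ForEach-Object { $legit[$_.DistinguishedName] = $true }
}
foreach ($sid in $alwaysProtectedSids) {
    $acct = Get-ADObject -Filter "objectSid -eq '$sid'"
    if ($acct) { $legit[$acct.DistinguishedName] = $true }
}

# Everything SDProp has stamped, with its security descriptor, so we can see
# whether ACL inheritance is still blocked (AreAccessRulesProtected).
$report = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor |
    ForEach-Object {
        [PSCustomObject]@{
            DistinguishedName  = $_.DistinguishedName
            ObjectClass        = $_.ObjectClass
            StillProtected     = $legit.ContainsKey($_.DistinguishedName)
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
        }
    }

# Orphans: stamped and blocked, but no longer protected. SDProp never clears
# adminCount or re-enables inheritance on these; that is a manual cleanup.
$report | Where-Object { -not $_.StillProtected } | Format-Table -AutoSize
```

While Domain Users still sits in Builtin\Administrators, every user resolves as StillProtected, which is exactly what SDProp sees and why a blocked-inheritance search reports every user; rerunning after the membership is fixed shows which objects remain orphaned.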


ADFS & OAuth2.0 - MSIS9226: Received invalid OAuth authorization request.


Hi All,

I am trying to implement SSO for some 3rd-party software using OAuth 2.0. I have configured ADFS 2012 R2 (v3), registered the application in ADFS and added the RPT (using Vittorio's instructions). The 3rd-party software is hosted internally on the same network. When I test SSO through the 3rd-party app, it throws up the following error:



In ADFS, I get a similar error in the log:

Encountered error during OAuth authorization request. 

Additional Data 

Exception details: 
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAuthorizationMissingResourceException: MSIS9226: Received invalid OAuth authorization request. The 'resource' parameter is missing or found empty. The 'resource' parameter must be provided specifying the relying party identifier for which the access is requested.
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationRequestContext.Validate()

The only reference to this error (MSIS9226) I can find is here, but it hasn't helped.

Is anyone able to shed some light on this? Any help is greatly appreciated!

Dave

Trust or AD FS Windows Server 2012 R2


We have two domains. For simplicity, we call them production.com and test.com. Between these two domains there is a VPN tunnel. In test.com there is a security group whose members are allowed to run a third-party application. The third-party application has an LDAP connection to Active Directory in test.com.

We want users in production.com to be able to be members of the security group in test.com. In other words, they should not have to log in to test.com (SSO?). I hope you understand my messy description. The question is, how do we solve it? Trust or ADFS?


Michael Wiskman

ADFS 3.0 how to Connect to other Active directory using LDAP for SSO to Website


I have ADFS installed on Server 2012 R2. We have one domain, and several SSO websites running on this platform.

We have a completely separate Active Directory whose users we want to use SSO to a website where SSO is running with ADFS on the primary domain. How is that possible?

We want to use the one ADFS server we already have in the primary domain, and we want to use the same claim rules and Relying Party Trust that are already running, but also let the users in the other domain log in to the website by SSO, handled by the existing ADFS server.

Can anyone help with this issue?
