Channel: Directory Services forum

FIM Portal Request Objects


Hi,

In the current system, Request Object logs in the FIM Portal are saved for 30 days. How can the FIM Portal be reconfigured to modify this setting? Please assist.

Regards,

Jyothishree SP


The security database on the server does not have a computer account for this workstation trust relationship.


Hi,

We have an Active Directory on Server 2008 R2. We also have Windows 7, Windows 8, Windows 8.1 and Windows 10 as client operating systems in my domain. For the past month we have been facing the issue 'The security database on the server does not have a computer account for this workstation trust relationship.' while trying to change a user's password through a client computer.

Previously, we thought the trust relationship had failed, so we recreated it using 'test-computersecurechannel -repair'. Even after that, we tried to change the user password but the same issue repeats. This issue has only been seen on Windows 8.1 machines so far. On Windows 7 or Windows 8 the same user can easily change their password.

I request your help in this regard. The error snapshot is below.

Thank You.

One ADFS server used for multiple services


Hi ,

We have one on-premises ADFS server which is currently being used for Office 365. Now my question: can we use the same ADFS server for Salesforce too, for single sign-on?

We just want to achieve single sign-on using this KB (https://developer.salesforce.com/page/Configuring-SAML-SSO-to-Office365).



Clone a Domain Controller


Hi Team,

I need to create a test domain with a clone of the production AD, and I would also need to set a new domain name for the test domain. Please suggest a good procedure to complete this task.

//Bala 

Backup Operators not able to backup system state on Domain Controller


I have a 2008 R2 domain and there are problems getting the backup account, which is a member of Backup Operators, to be able to back up the System State on the DCs. Is there anything I can check to confirm that nothing has changed that would keep a backup operator from having permissions on the system state of a DC?

Thanks,

Dave

https://technet.microsoft.com/en-us/library/cc772482(v=ws.10).aspx



To find the AD Schema attribute


Hello All,

I have a script to find the AD schema attributes for all objects:

dsquery * "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" -filter "(objectClass=attributeSchema)" -attr lDAPDisplayName rangeUpper -limit 0 > Report.txt

Can anyone help in modifying the script, or provide a script to extract them object-wise, such as user, computer, printer, etc.?

thanks in Advance

Aamir
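The dsquery line above lists every attribute in the schema, regardless of which class uses it. To get attributes per object class you have to walk the classSchema objects instead: each class carries mustContain/mayContain (and the system variants), pulls in more through its auxiliary classes, and inherits the rest along the subClassOf chain up to top. Added example, not from the original post and not a Microsoft script: PowerShell that does that walk for user, computer and printQueue and writes one CSV per class, keeping rangeUpper next to each attribute as the dsquery did. It assumes the RSAT ActiveDirectory module and a domain-joined session; the output file names are my choice.

```powershell
# Added example: per-class schema attribute report (assumes RSAT ActiveDirectory module).
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Cache every classSchema object once; the schema only has a few hundred classes.
$classes = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=classSchema)' `
    -Properties lDAPDisplayName, subClassOf, auxiliaryClass, systemAuxiliaryClass,
                mayContain, systemMayContain, mustContain, systemMustContain |
    ForEach-Object { $classes[$_.lDAPDisplayName] = $_ }

# rangeUpper per attribute, as in the original dsquery line.
$attrDefs = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' `
    -Properties lDAPDisplayName, rangeUpper |
    ForEach-Object { $attrDefs[$_.lDAPDisplayName] = $_.rangeUpper }

function Get-ClassAttributes {
    param([string]$ClassName, [hashtable]$Seen = @{})
    # $Seen stops cycles: 'top' lists itself as its own superclass.
    if ($Seen.ContainsKey($ClassName) -or -not $classes.ContainsKey($ClassName)) { return }
    $Seen[$ClassName] = $true
    $c = $classes[$ClassName]
    $attrs = @()
    # Attributes declared directly on this class.
    foreach ($p in 'mustContain', 'systemMustContain', 'mayContain', 'systemMayContain') {
        if ($c.$p) {
            $attrs += @($c.$p | ForEach-Object {
                [pscustomobject]@{ Class = $ClassName; Kind = $p; Attribute = $_ } })
        }
    }
    # Attributes contributed by auxiliary classes (e.g. securityPrincipal, mailRecipient).
    foreach ($aux in @($c.auxiliaryClass) + @($c.systemAuxiliaryClass)) {
        if ($aux) {
            $sub = Get-ClassAttributes -ClassName $aux -Seen $Seen
            if ($sub) { $attrs += $sub }
        }
    }
    # Attributes inherited from the superclass chain (user -> organizationalPerson -> person -> top).
    if ($c.subClassOf -and $c.subClassOf -ne $ClassName) {
        $sub = Get-ClassAttributes -ClassName $c.subClassOf -Seen $Seen
        if ($sub) { $attrs += $sub }
    }
    return $attrs
}

foreach ($cls in 'user', 'computer', 'printQueue') {
    Get-ClassAttributes -ClassName $cls |
        Sort-Object Attribute -Unique |
        Select-Object @{ n = 'ObjectClass'; e = { $cls } }, Attribute, Kind,
                      @{ n = 'rangeUpper';  e = { $attrDefs[$_.Attribute] } } |
        Export-Csv -Path ".\SchemaAttributes-$cls.csv" -NoTypeInformation
}
```

Add any other class name to the final loop (group, organizationalUnit, contact) to get its report; the Kind column tells you whether an attribute is mandatory or optional, which is what you need when deciding what a provisioning script must set.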



Active Directory


Hello,

I want to know how to administer 2 trusted domains from Windows 7 using the Active Directory administrative services.

Regards,

Server Support Engineer

I am Sachin Kumar. I am working at Concentrix as a Server Support Engineer. I work on and troubleshoot issues on AD (replication, group policy, trust issues, service issues).

Server Support Engineer


I am facing one issue: my application server is in one domain (like.com) and the users are in another domain (sa.com). When a user logs in to the application, sometimes the user faces an application issue. The system log is not updated with the current date on the application server. I checked the event log for Netlogon (5722). I see an error in the domain (sa.com), a user authentication issue. A trust has been set up between both domains (like.com and sa.com).

What should I check to troubleshoot issues on the domain controller and application server?

Can you tell me?

ADAC - Cannot restore the custom configuration settings


We are using Active Directory Administrative Center to manage AD and we recently switched to redirected folders (among other things).

Since the changes were made, when starting the ADAC we are seeing an error:

I can't figure out what the story is. It's obviously some sort of custom configuration file, more than likely stored in %APPDATA% somewhere, and there is an issue accessing it, but I can't find where it might be.

Can anyone shed some light on either the issue or where ADAC stores its per-user configuration data?

Thanks in advance!

Can't add 2012r2 as member server of a 2003 domain


Hi everyone, and thanks in advance for your help.

I have a 2003 domain (DDL and FFL = 2, previously 1) with two DCs, both 2003, static IP (only IPv4), DNS pointing to itself on each one.

When I try to add a 2012 R2 server to the domain, this message pops up:

"An Active Directory Domain Controller (AD DC) for the domain “mdq.quarters.xxxxxx.com” could not be contacted"

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "mdq.quarters.xxxxxx.com":
The query was for the SRV record for _ldap._tcp.dc._msdcs.mdq.quarters.xxxxx.com
The following domain controllers were identified by the query:
cliper.mdq.quarters.xxxxxx.com
cliper3.mdq.quarters.xxxxxx.com
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.

The 2012 server's DNS points to cliper's IP, and I can ping any DC on the domain by FQDN with no problem.

I've checked with portqry the ports required by AD, and all looks fine; I can connect to all ports on both DCs.

All three servers are connected to the same switch.

DCdiag on both DCs does not show any errors (I ran dcdiag /V /C /D /E /s:cliper.mdq.quarters.xxxxxx.com and dcdiag /e /v /test:dns).
repadmin /replsummary does not show any errors either.

I've searched a lot, and I've tried and tested a lot too, and now I've really run out of ideas.

Anyone have a clue, please? I'm really desperate :-(

Diego

Server 2012 has stopped accepting new workstations joining our domain, error 53: the network path was not found


Hello,

We have Windows Server 2012 R2 as our DC. Several workstations were added to our domain successfully.

But then (I cannot determine what exactly could be a show-stopper) it stopped accepting new nodes joining the domain.

Nodes are different (OS also different: Win 10 Ent, Win 7 Pro, Debian Wheezy), but the problem is more or less the same: at some point in the procedure a workstation requests something on the DC and gets "the network path not found", error 53 (0x35).

I tried dcdiag, dnslint and PortQry for diagnostics. They do not find a problem (I can supply their reports). Switching firewalls and antivirus software off, both on the server and on the workstation, does not help. The ms-DS-MachineAccountQuota parameter is extended to 255. LDAP is accessible. DNS records were checked many times (though maybe I am missing something important there). I also receive the same error 53 if I try to address some shared domain resource from outside, even if I supply valid credentials.

Any idea what happens?

Where to look further?

Below I supply excerpts from netsetup.log - first, of the workstation which successfully joined our domain some time ago. Then, an excerpt from netsetup.log of a node which fails to join it:

1. success:

07/28/2015 14:08:17:791 NetpGetLsaPrimaryDomain: status: 0x0
07/28/2015 14:08:17:791 NetpMachineValidToJoin: status: 0x0
07/28/2015 14:08:17:791 NetpJoinDomain 
07/28/2015 14:08:17:791 HostName: Fontanka-win81
07/28/2015 14:08:17:791 NetbiosName: FONTANKA-WIN81
07/28/2015 14:08:17:791 Domain: OUR.DNS.DOMAIN
07/28/2015 14:08:17:791 MachineAccountOU: (NULL)
07/28/2015 14:08:17:791 Account: OUR_NETBIOS_DOMAIN\account
07/28/2015 14:08:17:791 Options: 0x23
07/28/2015 14:08:17:791 NetpLoadParameters: loading registry parameters...
07/28/2015 14:08:17:791 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
07/28/2015 14:08:17:791 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
07/28/2015 14:08:17:791 NetpLoadParameters: status: 0x2
07/28/2015 14:08:17:791 NetpValidateName: checking to see if 'OUR.DNS.DOMAIN' is valid as type 3 name
07/28/2015 14:08:17:791 NetpValidateName: OUR.DNS.DOMAIN' is not a valid NetBIOS domain name: 0x7b
07/28/2015 14:08:18:119 NetpCheckDomainNameIsValid [ Exists ] for 'OUR.DNS.DOMAIN' returned 0x0
07/28/2015 14:08:18:119 NetpValidateName: name 'OUR.DNS.DOMAIN' is valid for type 3
07/28/2015 14:08:18:119 NetpDsGetDcName: trying to find DC in domain 'OUR.DNS.DOMAIN', flags: 0x40001010
07/28/2015 14:08:18:728 NetpDsGetDcName: failed to find a DC having account 'FONTANKA-WIN81$': 0x525, last error is 0x0
07/28/2015 14:08:18:898 NetpLoadParameters: loading registry parameters...
07/28/2015 14:08:18:898 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
07/28/2015 14:08:18:898 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
07/28/2015 14:08:18:898 NetpLoadParameters: status: 0x2
07/28/2015 14:08:19:030 NetpDsGetDcName: status of verifying DNS A record name resolution for 'dc.in.our.domain': 0x0
07/28/2015 14:08:19:030 NetpDsGetDcName: found DC '\\dc.in.our.domain' in the specified domain
07/28/2015 14:08:19:030 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
07/28/2015 14:08:19:030 NetpDisableIDNEncoding: using FQDN our.dns.domain from dcinfo
07/28/2015 14:08:19:033 NetpDisableIDNEncoding: DnsDisableIdnEncoding(UNTILREBOOT) on 'our.dns.domain' succeeded
07/28/2015 14:08:19:034 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
07/28/2015 14:08:24:013 NetpJoinDomainOnDs: status of connecting to dc '\\dc.in.our.domain': 0x0
07/28/2015 14:08:24:013 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: our.dns.domain
07/28/2015 14:08:24:201 NetpProvisionComputerAccount:
07/28/2015 14:08:24:201 lpDomain: OUR.DNS.DOMAIN
07/28/2015 14:08:24:201 lpHostName: Fontanka-win81
07/28/2015 14:08:24:201 lpMachineAccountOU: (NULL)
07/28/2015 14:08:24:201 lpDcName: dc.in.our.domain
07/28/2015 14:08:24:201 lpMachinePassword: (null)
07/28/2015 14:08:24:201 lpAccount: OUR_NETBIOS_DOMAIN\account
07/28/2015 14:08:24:201 lpPassword: (non-null)
07/28/2015 14:08:24:201 dwJoinOptions: 0x23
07/28/2015 14:08:24:201 dwOptions: 0x40000003
07/28/2015 14:08:24:904 NetpLdapBind: Verified minimum encryption strength on dc.in.our.domain: 0x0
..........

2. failure:

04/20/2016 20:44:37:251 NetpDoDomainJoin
04/20/2016 20:44:37:251 NetpDoDomainJoin: using current computer names
04/20/2016 20:44:37:251 NetpDoDomainJoin: NetpGetComputerNameEx(NetBios) returned 0x0
04/20/2016 20:44:37:251 NetpDoDomainJoin: NetpGetComputerNameEx(DnsHostName) returned 0x0
04/20/2016 20:44:37:311 NetpMachineValidToJoin: 'ARMIDE'
04/20/2016 20:44:37:350 NetpMachineValidToJoin: status: 0x0
04/20/2016 20:44:37:365 NetpJoinDomain
04/20/2016 20:44:37:365 HostName: ARMIDE
04/20/2016 20:44:37:365 NetbiosName: ARMIDE
04/20/2016 20:44:37:365 Domain: OUR.DNS.DOMAIN
04/20/2016 20:44:37:365 MachineAccountOU: (NULL)
04/20/2016 20:44:37:365 Account: OUR.DNS.DOMAIN\account
04/20/2016 20:44:37:365 Options: 0x23
04/20/2016 20:44:37:432 NetpValidateName: checking to see if 'OUR.DNS.DOMAIN' is valid as type 3 name
04/20/2016 20:44:37:432 NetpValidateName: 'OUR.DNS.DOMAIN' is not a valid NetBIOS domain name: 0x7b
04/20/2016 20:44:37:713 NetpCheckDomainNameIsValid [ Exists ] for 'OUR.DNS.DOMAIN' returned 0x0
04/20/2016 20:44:37:713 NetpValidateName: name 'OUR.DNS.DOMAIN' is valid for type 3
04/20/2016 20:44:37:713 NetpDsGetDcName: trying to find DC in domain 'OUR.DNS.DOMAIN', flags: 0x40001010
04/20/2016 20:44:38:313 NetpDsGetDcName: failed to find a DC having account 'ARMIDE$': 0x525, last error is 0x0
04/20/2016 20:44:38:475 NetpDsGetDcName: status of verifying DNS A record name resolution for 'dc.in.our.domain': 0x0
04/20/2016 20:44:38:475 NetpDsGetDcName: found DC '\\dc.in.our.domain' in the specified domain
04/20/2016 20:44:38:475 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
04/20/2016 20:44:38:475 NetpDisableIDNEncoding: using FQDN our.dns.domain from dcinfo
04/20/2016 20:44:38:546 NetpDisableIDNEncoding: DnsDisableIdnEncoding(UNTILREBOOT) on 'our.dns.domain' succeeded
04/20/2016 20:44:38:546 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
04/20/2016 20:45:43:580 NetUseAdd to \\dc.in.our.domain\IPC$ returned 53
04/20/2016 20:45:43:580 NetpJoinDomainOnDs: status of connecting to dc '\\dc.in.our.domain': 0x35
04/20/2016 20:45:43:580 NetpJoinDomainOnDs: Function exits with status of: 0x35
04/20/2016 20:45:43:582 NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'our.dns.domain' returned 0x0
04/20/2016 20:45:43:587 NetpJoinDomainOnDs: NetpResetIDNEncoding on 'our.dns.domain': 0x0
04/20/2016 20:45:43:587 NetpDoDomainJoin: status: 0x35
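Both failing joins above, the 2003 domain where the SRV lookup succeeds but "no domain controllers could be contacted", and the 2012 R2 domain where NetUseAdd to \\dc.in.our.domain\IPC$ returns 53 after about a minute (20:44:38 to 20:45:43 in the log), stop at the same step: the DC locator produced a name, but the client could not open the SMB session to it. Added example, not from either post: a PowerShell check to run on the machine that is failing to join. It repeats the locator steps (SRV record, then A record for each DC), tests each TCP port a join needs, and then attempts the same IPC$ connection the join code makes. It assumes Windows 8 / Server 2012 or later on the client for Resolve-DnsName and Test-NetConnection; the domain name is a placeholder, and the RPC dynamic port range is not covered.

```powershell
# Added example: reproduce the domain-join connectivity checks from the joining client.
$domain = 'our.dns.domain'   # placeholder: substitute the real DNS domain name

# 1. DC locator: the SRV record the join dialog and netsetup.log quote.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" -ErrorAction Stop |
       Where-Object { $_.QueryType -eq 'SRV' }
if (-not $srv) { throw "No SRV records for _ldap._tcp.dc._msdcs.$domain" }

# TCP ports a join touches: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, GC.
$ports = 53, 88, 135, 389, 445, 464, 636, 3268

$report = foreach ($rec in $srv) {
    $dc = $rec.NameTarget

    # 2. Host (A) record for the DC the SRV record names ('host records missing' cause).
    $a = Resolve-DnsName -Type A -Name $dc -ErrorAction SilentlyContinue |
         Where-Object { $_.QueryType -eq 'A' }

    # 3. Plain TCP reachability per port, from this client, not from another DC.
    $closed = foreach ($p in $ports) {
        if (-not (Test-NetConnection -ComputerName $dc -Port $p `
                    -InformationLevel Quiet -WarningAction SilentlyContinue)) { $p }
    }

    # 4. The exact call that returned 53 in the failing log: an SMB session to IPC$.
    #    net.exe use goes through NetUseAdd, so a 'System error 53' here is the same failure.
    $ipc = "\\$dc\IPC`$"
    $out = & net.exe use $ipc 2>&1
    $smb = if ($LASTEXITCODE -eq 0) {
        & net.exe use $ipc /delete 2>&1 | Out-Null
        'ok'
    } else {
        ($out | Out-String).Trim()
    }

    [pscustomobject]@{
        DC          = $dc
        ARecord     = ($a.IPAddress -join ',')
        ClosedPorts = ($closed -join ',')
        IPCShare    = $smb
    }
}

$report | Format-Table -AutoSize -Wrap
```

Read the table as a sequence: an empty ARecord column reproduces the first cause the join dialog lists; a closed port 445 explains a 53 outright; and an open 445 with a failed IPC$ line points at SMB itself (dialect negotiation or signing requirements between that client and the DC) rather than at the network, because NetUseAdd reports both conditions as the same error 53.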



Legacy issues preventing me from demoting a Windows 2008 R2 domain controller


I currently run a Windows 2008 R2 native Active Directory forest/domain with 3 Windows 2012 R2 DCs and 2 Windows 2008 R2 DCs.

I want to demote my Windows 2008 R2 DCs so that I can retire them and raise the forest/domain functional level to Windows 2012 R2.

Apparently there is some legacy entry in Active Directory that says I have a Windows 2003 infrastructure server.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          4/28/2016 5:10:58 PM
Event ID:      2091
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      2008r2dc.domainname.local
Description:

Ownership of the following FSMO role is set to a server which is deleted or does not exist.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=domainname,DC=local
FSMO Server DN: CN=NTDS Settings\0ADEL:71802418-3aa6-41d4-be34-05ae893e06f7,CN=W2K3SERVER\0ADEL:05c61c7f-2820-492c-bd9a-e9af8914fcea,CN=Servers,CN=Orange,CN=Sites,CN=Configuration,DC=domainname,DC=local
 

KB articles 255504 and 324801 on http://support.microsoft.com are not helpful here, as there has not been a Windows 2003 R2 domain controller in my domain since around 2008, and my infrastructure master role is held by a Windows 2012 R2 DC. Yet my attempt to demote the Windows 2008 R2 DC fails.

How do I go about deleting this entry so that I can demote my Windows 2008 DCs?
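The event above is not about the domain's infrastructure master, which is why the two KB articles do not apply. Each application partition (here DC=ForestDnsZones) has its own CN=Infrastructure object with its own fSMORoleOwner attribute, and that attribute still points at the NTDS Settings of W2K3SERVER, now a tombstone (the \0ADEL in its DN). The repair Microsoft ships as fixfsmo.vbs is to write the NTDS Settings DN of a live DC that hosts that partition into the attribute, performing the write on that DC. Added example, not from the original post: the same repair in PowerShell, with the partition DN taken from the event. It assumes the RSAT ActiveDirectory module and Enterprise Admin rights; the choice of target DC (the first live DC that replicates the partition) is my assumption, and the same steps apply to DC=DomainDnsZones if a 2091 names that partition too.

```powershell
# Added example: repoint a dangling application-partition infrastructure role
# (assumes RSAT ActiveDirectory module, Enterprise Admin rights).
Import-Module ActiveDirectory

# Partition and role object named in the 2091 event.
$partition = 'DC=ForestDnsZones,DC=domainname,DC=local'
$infra     = "CN=Infrastructure,$partition"

$before = (Get-ADObject -Identity $infra -Properties fSMORoleOwner).fSMORoleOwner
"Current fSMORoleOwner: $before"   # expect the CN=NTDS Settings\0ADEL:... DN from the event

# Only a DC that actually hosts the partition may own its infrastructure role.
$target = Get-ADDomainController -Filter * |
    Where-Object { $_.Partitions -contains $partition } |
    Select-Object -First 1
if (-not $target) { throw "No live DC hosts $partition" }
$newOwner = $target.NTDSSettingsObjectDN

# The write has to be made on the DC that is taking the role; other DCs reject it.
Set-ADObject -Identity $infra -Replace @{ fSMORoleOwner = $newOwner } -Server $target.HostName

# Verify against the same DC, then let replication carry it to the rest.
$after = (Get-ADObject -Identity $infra -Properties fSMORoleOwner -Server $target.HostName).fSMORoleOwner
if ($after -ne $newOwner) { throw "fSMORoleOwner is still $after" }
"fSMORoleOwner now $after"
```

After replication has converged (repadmin /syncall /AdeP is enough in a small forest), the 2091 warning stops and the demotion no longer trips over a role it cannot transfer.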

Test AD Environment


Hi Team,

We have one forest with 2 child domains. Let's say, for example, forest domain "Test.net" and child domains "Child1.test.net" and "Child2.test.net". All the mail-related objects (users and servers) are in the Child1.test.net domain. The mail system is O365. We need a test AD to test the mail scenarios, other application testing, etc. Is there any possibility to create a test domain out of the existing forest but with the complete data of the Child1.test.net domain, or is it recommended only to create a test domain and start using it on a requirement basis? Please advise me on this.

Thanks in Advance

//Bala R

change password notification

How do I enable the change password notification upon logon? It looks like the default behavior has changed in the latest version of Windows. Previously, when logging into a PC with a soon-to-expire user account, it would prompt to change the password. What I am seeing now is a bubble notification in the system tray. Is there any way to get the old behavior back?

Local Administrator Password Solution (LAPS) tool

Reading the Microsoft article:
Active Directory: (requires AD schema extension)
  • Windows 2003 SP1 or later.
Is it a requirement to have the LAPS tool installed on a domain controller?
From my reading, the LAPS tool should only be used for extending the schema (which can be installed and executed from another server/workstation with the relevant permissions).
Or is the LAPS client used for other purposes? I just want to make sure it is not a requirement to have LAPS installed on a DC, which is not desirable in our environment.

Windows 10 + Windows Server 2012 R2 - Work Offline problem


We have the following issue with Windows 10 Pro:

When we work outside of the Active Directory network, or offline, we cannot see our redirected folders like My Documents and Desktop,

and if we make a VPN connection to our head office it always asks us to enter credentials to connect to AD; then everything works fine.

The same account with Windows 7 Pro or Windows 8.0/8.1 Pro works like a charm. Any suggestions?

So far what I did is:
1. Rejoin to the domain controller
2. Control Panel > Sync Center > Manage Offline Files > disable and enable Offline Files
3. gpupdate /force and all other options
4. etc. etc.

One more thing in Windows 10 Pro: when we navigate to the sync folder (state shows online), then under Easy access all options are grey ("Always available offline", "Sync", "Work Offline"), except "Map as Drive".

Any suggestions??? Thanks :)

Attached 2 files, maybe that helps. Thanks again.

AD objects on DC look fine, but from the RSAT snap-in AD objects are outdated


Hello all,

We recently had an issue with FRS not replicating to one of our DCs. We would make a group membership change to an object and see it reflected on two out of our three DCs. GPO changes were also not replicating.

We followed a guide on how to reset the BurFlags and do a non-authoritative SYSVOL restore. This went fine and cleared up our FRS log errors. Once this was done I was able, from a DC, to make a change to an AD object, then run repadmin /syncall and see the change on the problem DC.

So I thought our issue was resolved; well, it's not. Our helpdesk uses the ADUC snap-in that comes with RSAT, or something like it, to manage our AD objects. When they modify an object while the snap-in is connected to DC01, that works, but when they connect their snap-in to DC02 they don't see the changes (after replication). If I log into the two DCs I can see that on both of them the object has been updated. So the issue now is, when viewing objects with the snap-in they are outdated, but viewing them directly on the DC they look fine.

I also noticed that if I connect the ADUC console from DC01 to DC02 I also see outdated AD Objects.

I hope everyone can follow my issue.

Anyone see this before?

Thanks in advance for any assistance.

Replacing an External trust to be a Forest trust


Hi

If I recreate a trust by deleting the old "External trust" and creating a new one as a "Forest trust" between two domains,
what is the outcome for all access permissions when I break the External trust? Will all the group objects (GUID) and permissions still be available from the trusted domain on the trusting domain side when the new Forest trust is created?


Problems removing remnants of an old Domain Controller


Hi

I forcibly removed a DC some months ago, deleted it from ADUC, Sites and Services, metadata cleanup, DNS, etc.; however, I am still seeing remnants of it, which I believe are causing problems with the AD Admin Centre and a 3rd-party app.

When I look in Sites and Services, at the properties of the NTDS Settings on some of my servers, on the Connections tab, I can see in the 'Replicate To' box the following:

Name: DC5\0ADEL:(guid)    Site: Bristol\0ADEL:(guid)    - this is the old DC

There is no option to delete this connection in the GUI.

If I run repadmin, I see the same reference to the old DC:

repadmin /syncall /aped
CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=DC5\0ADEL:b5afb6e9-1e4b-4c2d-9897-7c5b15f77e65,CN=Servers\0ADEL:5e420743-a033-4743-9b22-14f0e6f8c25d,CN=Bristol\0ADEL:67d52f16-3d16-4536-916a-0d905404cba0,CN=Sites,CN=Configuration,DC=corp,DC=mydomain,DC=com (network error): 1722 (0x6ba):
    The RPC server is unavailable.

Any ideas how to rid this old DC from AD once and for all please?

Cheers
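The DN in the repadmin output shows that the server object, its Servers container and the whole Bristol site are tombstones, so the directory objects really are gone. What the 'Replicate To' box and repadmin /syncall are still reading are the per-DC replication link entries (repsFrom for inbound, repsTo for outbound, which is what 'Replicate To' displays) and any connection objects under surviving servers whose fromServer still names the deleted NTDS Settings. Those are what metadata cleanup can miss when the DC was removed by force. Added example, not from the original post: PowerShell that finds both kinds of remnant across every live DC so you know exactly where the reference lives before removing anything. It assumes the RSAT ActiveDirectory module (Get-ADReplicationPartnerMetadata needs the 2012 or later version) and an account that can query every DC.

```powershell
# Added example: locate leftovers of a forcibly removed DC (assumes RSAT ActiveDirectory module).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dcs      = Get-ADDomainController -Filter *

# 1. Connection objects on live servers whose source is a tombstone: a fromServer
#    value that points into Deleted Objects carries the literal \0ADEL marker.
$staleConnections = Get-ADObject -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer, whenChanged |
    Where-Object { $_.fromServer -like '*\0ADEL:*' }

# 2. repsFrom / repsTo entries on each live DC that still name the deleted NTDS Settings.
#    These are non-replicated attributes, so every DC has to be asked directly.
$stalePartners = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -PartnerType Both `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.Partner -like '*\0ADEL:*' } |
        Select-Object Server, PartnerType, Partition, Partner, LastReplicationAttempt
}

"Connection objects pointing at a deleted server:"
$staleConnections | Select-Object DistinguishedName, fromServer, whenChanged | Format-List

"Replication links (repsFrom = Inbound, repsTo = Outbound) naming a deleted server:"
$stalePartners | Format-Table -AutoSize -Wrap

# Connection objects are ordinary replicated objects: delete them and the KCC
# recreates whatever topology it still needs on its next run. Uncomment once the
# list above contains only the old DC.
# $staleConnections | Remove-ADObject -Confirm:$false
```

If the first list is empty and the second is not, the remnant is purely in the link metadata of the DCs shown in the Server column, which is the case the 'Replicate To' box describes; the Server and Partition columns then tell you which DC and naming context to target with repadmin when you clean the link up.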
