Channel: Directory Services forum

Login screen modification


Gentlemen,

We have a requirement from Management to put an option on the Windows login screen itself to allow users to update their phone numbers every month, and the same details to be updated in the AD database, so whenever there is a requirement we can pull the information from AD itself. Is it possible? If yes, what is the best way to do so? Please help.

Thanks in advance.


Anil Suthar



Post AD migration - Remove Domain from ' Log in to' drop down list after removing the trust


Hi ,

Post ADMT AD migration I have removed the cross-forest trust. All the users have been migrated to the target domain, but they still get the source domain name in the 'Log in to' drop-down list while logging on to the system. This is noticeable for Server 2003 & XP. It might be applicable to Win 7 & Server 2008 or higher, but will not be noticed if manually changed.

Please suggest the steps to gracefully remove the domain name.

 

Error when attempting to change password: "The security database on the server does not have a computer account for this workstation trust relationship."


The error message I'm seeing is "The security database on the server does not have a computer account for this workstation trust relationship." There's nothing wrong with the trust relationship and I have removed a computer from the domain, deleted the AD account, and re-added it to the domain successfully and I still get the same message but only when I am trying to change my password. Below are all the things I have tried unsuccessfully:

  • Removed the computer account from the domain, deleted the account, and re-added the computer to the domain.
  • Tested with domain admin account.
  • Tried changing my password logged in directly into a domain controller.
  • Issue occurs both on manual password change or forced password change.
  • Copied existing account and tried changing the password.
  • Created brand new (not copied) account in AD and tried changing the password.
  • Tried resetting password on multiple computers.
  • Removed Windows updates mentioned online that may cause this issue.

The only things that have worked are:

  • Changing a local user account's password.
  • Changing a domain account password via AD Users and Computers.

Our workstations are Windows 7 SP1 and our servers are Windows 2008 R2 SP1.

Christopher

SID History not migrating when using ADMT forest migration even though auditing is fully enabled

Can anyone tell me why I keep getting errors when using ADMT like the following:

2016-05-31 14:16:44 ERR2:7430 SID History for MailTest6 cannot be updated because auditing is not enabled on domainname.   rc=8552.\n  This operation requires that auditing be enabled for Success and Failure auditing of account management operations.

2016-05-31 14:16:44 WRN1:7392 SIDHistory could not be updated due to a configuration or permissions problem.  The Active Directory Migration Tool will not attempt to migrate the remaining objects.

I have enabled auditing at the root domain level (Default Domain Policy).

This is enabled on the old domain and on the new domain:

Security Settings > Local Policies > Audit Policy

Policy                           Setting
Audit account management         Success, Failure
Audit directory service access   Success


Why does ADMT continue to insist that auditing is not enabled when it is 100% enabled and enforced?

Domain Controllers Replication


We are Al-Ain University, and we are licensed customer for Microsoft.

I'm facing a big problem with Domain Controllers Replication. I have 4 domain controllers, two in each campus.

The replication is going successfully from campus 1 to campus 2. But it's not working properly from campus 2 to campus 1.

Kindly advise.

A little guidance merging two companies


Hello, hope someone can guide me a little on this:

My university is merging with another education institute. My company has an internal 2008 R2 domain "mycompany.edu"; we are merging with another company that is a little messy.

The other company has two branches in different cities. Our ISP is giving us direct data connections with those two branches, so we will have a new, very large network.

One of those branches also has an Active Directory domain "newcompany.edu"; the other branch doesn't have anything. They have their mailbox server with Google Apps, so there isn't a problem there.

So first question:

1. Is it possible to create a Forest where "mycompany.edu" is the primary domain and there is a child domain called newcompany.edu?

2. If not, is there a way to manage those two domains from a single domain controller?

I am going to start with the branch that doesn't have anything so I can create the new domain from scratch.

My idea was to create a single domain forest, and have replicas of my DC on each branch so anybody on any branch can authenticate to that forest via either of those domains (mycompany.edu and newcompany.edu).

3. After achieving that, I want to delete the existing domain from the branch that does have a domain. Is it possible to migrate those users and machine accounts to the new domain?

If any of that is possible, can you help me by telling me how or where to start?

Thank you!!

FGPP Complexity Issues when users attempting to change their password


We upgraded our forest and domain to Windows 2012 R2 several months ago and recently implemented FGPP (Fine-Grained Password Policies). We are having users attempting to change their password at their Windows 7 PCs by hitting Alt-Ctrl-Del and selecting "Change a password", and getting the following error message even when selecting passwords that meet complexity requirements:

"Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."

We created a test account and added it to the FGPP group and are able to replicate the error using the following password examples:

het4Taph
Wra7AwRa
gApr4wre

Thanks in advance for any feedback on what might be causing this.

Dan



CA/Sub-CA Scenario & Questions


Current Environment:
Windows Server 2008 R2 Enterprise CA.  This was built many years ago and is issuing SHA-1 certificates.  We need to implement SHA-2 in our environment, which is what is bringing on this endeavor.  After doing some research, it sounds like the initial CA should have been built as a standalone server and turned down after it was brought up.  To me, it sounds as if it should have never been used to issue certs to users, computers, etc.  Is this a correct statement?  We currently have no subordinate CA.

What I am trying to do is spin up a Windows Server 2012 R2 Subordinate Certificate Authority that will issue SHA-2 certs, but I am not sure of its effect on the environment. If I build this out as an Enterprise Subordinate CA and copy root.cer from the Root Certificate Authority to the C:\ on the Subordinate CA, is it going to cause any issues with any already existing SHA-1 certificate that was issued from the root CA? By doing this, would I effectively be able to issue SHA-2 certificates moving forward?

As a phase two part of this project, if I wanted to best-practicefy my environment, how might I go about doing that (assuming building a standalone root certificate authority and taking it offline is best practice)?

Any help would be greatly appreciated as I am not very familiar with CAs.

--Scott


Denying logon to users - Automated and error-free ways


I have several AD accounts with "generic" names (instead of "mark", "david" or "anna", using "librarian", "consultant", "engineer" and so on).

The accounts MUST exist but with NO logon rights, no local logon, no VPN, just an existing user, a "placeholder".

The procedure has to be as error-free as possible.

Approach #1:

All "generic" users belong to a global group and, using GPO, the global group will have a "deny logon locally" privilege. This approach has the disadvantage of being subject to errors if, for any reason, the "generic" user has been (accidentally) removed from the group.

Are there other approaches?

Using the "logon hours" AD attribute, effectively denying all logon hours? (It's hard to automate in scripts, I think.)

Using the "log on to" AD attribute? As far as I know, it is only effective if the client machine is using NetBIOS logon, so maybe it will not be the best option.

Any other idea?

The goal here is to configure the Google sync with AD, and I'm researching if the "contact" AD object could be used.

Secondary domain controller not authenticating users on Ubuntu client server while primary domain controller is down


Currently I am working on an MS Active Directory Domain Services 2012 configuration with an Ubuntu client. It's working fine with the primary domain controller and the Ubuntu client. Now I have created a secondary domain controller for HA, and the user details are replicating fine. But I am facing issues while logging in on the Ubuntu client server while the primary domain controller is down (stopped the ADDS service on the primary DC). I could only log in with old users because of cached details, but I am not able to log in with new users. I have configured DNS and Global Catalog on both DCs, and on the Ubuntu client server I have mentioned both DNS details in the files below:

 /etc/resolv.conf

 /etc/dhcp/dhclient.conf 

I was able to log in with a new user ID only after starting the ADDS service back on the primary DC. All these setups are in the Amazon AWS environment.

Please help to fix the issues.

Certificate Services One Root CA several Subordinate in different domains.


Hi,

I have several different domains. Some of the domains don’t have trust between each other and some have not.

I'm planning for a PKI deployment using a single offline Root CA for issuing to the Subordinate CAs, one per domain.
The Subordinate CAs will be used for issuing certificates for, for example, smart cards, VPN and HTTPS websites.

I wonder what kind of impact this "trust" between the CAs will have. In some cases, I don't want a user in domain A to authenticate with a certificate issued by the CA in domain B.

After some searching I can't find any TechNet articles regarding this.


Active Directory site replication interval in a big environment


Hi,

I work for a worldwide company and there is one thing that bugs me. I know that the replication interval between sites is set to 15 min, and we have 142 objects in the IP section of Inter-Site Transports. So when a helpdesk user adds a user to a group in one country, let's say, how long would it take for the user to see the changes, for example so he can access Skype for Business?

cheers,


Account lockout issues


Hello,

Basically I am using the Account Lockout Status app to check lockouts of a particular user, and found out my admin account gets locked out very frequently. I had a look at netlogon.log and found that random end user laptops are locking out my account by sending credential logon requests, as I understand:

06/01 17:54:59 [LOGON] domain: SamLogon: Transitive Network logon of domain\admin-account from enduser1 (via DC_Server) Entered

06/01 17:54:59 [LOGON] domain: SamLogon: Transitive Network logon of domain\admin from enduser1 (via DC_Server) Returns 0xC000006A

Tried to look at the end user PC Event Viewer and found this:

-------------------------------------------------------

Subject:

Security ID:  NULL SID

Account Name:  -

Account Domain:  -

Logon ID:  0xbcf7

Logon GUID:  {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:

Account Name:  admin-account

Account Domain:  ADMIN-PC

Logon GUID:  {00000000-0000-0000-0000-000000000000}

Target Server:

Target Server Name: DC_Server.ad.domain.com

Additional Information: DC_Server.ad.domain.com

-----------------------------

Conclusion: Something is generating credential requests from random end users on our domain using my admin account and locking it out. The issue is that I can't figure out what the cause of it is. Thought to ask if someone has had similar experiences and could guide me further on troubleshooting?


MK
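One way to triage the netlogon.log evidence quoted above is to tally which source workstations return 0xC000006A (wrong password) for each account, since those are the requests that count toward the lockout threshold. This is an added example, not code from the poster or from the Account Lockout Status tool; the sample log lines are constructed to match the post's format, and the host names in them are placeholders.

```python
import re
from collections import Counter, defaultdict

# Matches the SamLogon "Returns" lines in netlogon.log, in the form quoted in the post.
SAMLOGON_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] (?P<dom>\S+): SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<source>\S+?) "
    r"(?:\(via (?P<via>\S+)\) )?Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

BAD_PASSWORD = "0xC000006A"  # STATUS_WRONG_PASSWORD: increments badPwdCount


def parse_samlogon(line):
    """Return the fields of a SamLogon 'Returns' line, or None for any other line."""
    m = SAMLOGON_RE.match(line.strip())
    return m.groupdict() if m else None


def lockout_sources(lines):
    """Map each account (lower-cased) to a Counter of 'from' hosts that sent
    wrong-password logons. Other statuses (success, already locked out) are ignored,
    because only bad passwords move the account toward its lockout threshold."""
    sources = defaultdict(Counter)
    for line in lines:
        rec = parse_samlogon(line)
        if rec and rec["status"].upper() == BAD_PASSWORD.upper():
            sources[rec["account"].lower()][rec["source"]] += 1
    return sources


def top_offenders(sources, account, n=3):
    """Most frequent sources of wrong-password logons for one account."""
    return sources[account.lower()].most_common(n)


# Constructed sample, modelled on the lines in the post (host names are placeholders).
SAMPLE_LOG = """\
06/01 17:54:59 [LOGON] domain: SamLogon: Transitive Network logon of domain\\admin-account from enduser1 (via DC_Server) Entered
06/01 17:54:59 [LOGON] domain: SamLogon: Transitive Network logon of domain\\admin-account from enduser1 (via DC_Server) Returns 0xC000006A
06/01 17:55:02 [LOGON] domain: SamLogon: Transitive Network logon of domain\\admin-account from enduser1 (via DC_Server) Returns 0xC000006A
06/01 17:55:10 [LOGON] domain: SamLogon: Network logon of domain\\admin-account from enduser7 Returns 0xC000006A
06/01 17:55:15 [LOGON] domain: SamLogon: Network logon of domain\\jdoe from enduser7 Returns 0x0
06/01 17:55:20 [LOGON] domain: SamLogon: Transitive Network logon of domain\\admin-account from enduser1 (via DC_Server) Returns 0xC0000234
"""

if __name__ == "__main__":
    for account, counter in lockout_sources(SAMPLE_LOG.splitlines()).items():
        print(account, counter.most_common())
```

The host with the most wrong-password results is where to look for a stale cached credential (a service, scheduled task or mapped drive still using the old password).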

Domain Rename and Procedure


Hi

Given that the environment consists of Active Directory, Exchange 2010/2013, Lync 2013 and SCCM, what would be the procedure to rename the AD domain? What would be the effects on other services, and is this recommended?

Thanks

ADMT - How to migrate Exchange email addresses of users and groups (coupled with 365).


Hi Gang,

We are in the process of an inter-forest migration. We are migrating from our source forest to the new target forest. The source forest/domain is bound to forest and domain levels of 2003. The target forest/domain has forest and domain levels of 2012 R2.

We noticed that distribution lists and users with email addresses aren't fully migrated. Sure, the groups and users are migrated with SID history and so on, but not any of their emails.

We have yet to deploy an exchange server on the target domain. The reason being that we have 365 but still are using DirSync with an Exchange 2003 box in the source domain.

How do we deal with this? Should we get rid of the Exchange 2003 box? Some forums suggest ADMT does not migrate Exchange objects, whereas others say it does. Could you please help us!

Thanks,

Daniel


Two domain authentication


Hello,

I have two Windows Server 2008 domains in my organization.

There are 20 users in one domain and 20 users in the other domain.

Both teams have different subnets.

Team A : 192.168.0.1  ( 255.255.255.0)  - Domainone.com

Team B : 192.168.1.1   ( 255.255.255.0) - Domaintwo.com

I need all of my users to be able to sit anywhere if their original PC is down. Currently, all users cannot communicate, because both teams are on different subnets.

Please suggest how I can make it possible for everyone to sit anywhere.

Thank you in advance :-)

Lockout on remembered passwords


Hello,

The default behavior for AD account lockouts is to NOT lockout the account, for the previous 2 old passwords.

This means that when I get to Password#3, and I attempt to use old Password#1, the account will not lockout.

When I get to Password#4 and I attempt to use old Password#1, the account WILL lockout.

Is there a way to change this behavior in AD so that for example we can NOT lock the account for say 10 old passwords rather than 2?

Thank you

Richard

One group in Active Directory having opening issue with ADAC


Hello,

A user is able to open all the security groups managed by him via ADAC except one group. When I try to open the same group via ADUC, it opens for me, displaying the members of that group.

If I try to open the same group via ADAC, I am also getting the error "ADAC closes due to an unknown error".

ADAC abruptly closes. The domain functional level is Windows 2008 R2.

Any help is greatly appreciated


Thanks & Regards S.Swaminathan Live & let others live!!!


Unable to transfer infrastructure master role


Hi Guys,

After a little help if possible. I've been able to transfer the other four roles with no issues. However, the infrastructure master is complaining. The error message I receive is:

"The requested FSMO operation failed. The current FSMO holder could not be contacted. The current operations master cannot be contacted to perform the transfer. Under some circumstances, a forced transfer can be performed."

Is there anything I should be looking out for or any tool I can run to see any issues?

Thanks,

Deleting services in services.msc


I tried deleting the services using the command sc delete servicename without using quotes. Some services are getting deleted and some aren't. When I use the same command with quotes, they get deleted. Is there any reason why we need to provide the service name in quotes?