Channel: Directory Services forum

Disable Print screen on user machine through GPO


Hi guys,

I have a task in which I have to disable Print Screen on user machines; we have a set of user machines on which I need to implement this GPO.

Please suggest how to achieve this task: do we need to do it with a registry setting or through some other method?

Regards,

Triyambak




DCPROMO of the last DC in a sub-domain, it is a 2008R2 core DC.


I have promoted DCs in the past, core and GUI versions. However, I have never demoted a core DC, only GUI versions. I need to demote the last DC in a sub-domain in our forest, and it is 2008 R2 core. I will do this with an unattend file, but am confused about whether or not I need to use certain switches. Here is how my unattend file looks:

UserName=Enterprise Admin (EA) account
UserDomain=root of the forest domain (domain where an EA account resides)
Password=the password an Enterprise Admin account
IsLastDCInDomain=yes
AdministratorPassword=this will be the local admin password of the machine once we are done
RemoveApplicationPartitions=yes
RemoveDNSDelegation=yes
DNSDelegationUserName=Root of forest domain\EA account
DNSDelegationPassword=the password for the EA account
RebootOnCompletion=yes

Do I need to add in the following? I have read the explanation but do not understand if they are needed since I am demoting the last DC in a domain (not the forest, just a sub-domain). Should I add them in just to be safe?

/DemoteFSMO=yes
/IgnoreIsLastDcInDomainMismatch=yes
/IgnoreIsLastDNSServerForZone=yes


HDL

Question about service communication certificate renewal (ADFS 2)


Hi,

Our service communication certificate will expire at the end of the month.

So we will import a new certificate in the ADFS management console (ADFS 2.0).

My question is: when the new communication certificate is imported in the ADFS console, do the token-signing and token-decrypting certificates have to be renewed too?

For information, AutoCertificateRollover is currently set to true.


regards

Windows 2008 R2 Domain Controller using a Managed Service Account - Service not starting


Hi,

today I created a Managed Service Account using these lines:


New-ADServiceAccount -Name dc007vmt -enabled $true

Add-ADComputerServiceAccount -Identity dc007 -ServiceAccount dc007vmt

Install-ADServiceAccount -Identity dc007vmt

Then I changed the account in the services.msc console and confirmed all questions. - It looked fine:

Then I rebooted the computer and noticed that the service did not come up.

I tried to start the service but received this error:

Any suggestions?

Thanks in advance

Ruben

Create e-mail enabled universal security group


Hi all,

I am looking for a way to directly create e-mail enabled universal security groups from the "Active Directory Users and Computers" console. If I create the group from the Exchange Console, it works fine.

I am also aware that as soon as a universal security group is created in ADUC I can use the Exchange Shell or Console to e-mail enable the group.

The issue I am facing is that these groups should be created by 1st-level employees, so I am looking for a way to handle it directly in ADUC, since they are already familiar with this console.

Hope someone has any nice ideas.

Thanks

CIFS Kerberos delegation PowerShell Double Hop


Hi,

in 2012 R2 environment, I want to perform the following task:

ComputerA initiates a Remote PowerShell Session via Kerberos Auth. to ComputerB. (works fine)

Within that Remote PowerShell Session, we try to access a file share on ComputerC.

When ComputerB is allowed to delegate all Kerberos services, it works fine.

When I want to use Kerberos constrained delegation on ComputerB to CIFS/ComputerC, it fails.

Computer C does have the CIFS SPN registered.

Does anyone have any idea what else is required to make this work with constrained delegation?

Thanks

KR

Chris
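The situation above contrasts a middle-tier host allowed to delegate to any service (unconstrained delegation, a high-risk setting) with one constrained to a single CIFS SPN. The following added example (not from the original post) audits which computer accounts hold which delegation mode and checks whether a named host is permitted to delegate to a given SPN; 'ComputerB', 'ComputerC' and the domain suffix 'contoso.local' are placeholders taken from or assumed for the question.

```powershell
# Added example: audit Kerberos delegation settings on computer accounts.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-DelegationSummary {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $props | ForEach-Object {
        # TrustedForDelegation = "Trust this computer for delegation to any service" (unconstrained)
        # msDS-AllowedToDelegateTo = list of SPNs for constrained delegation
        $mode = if ($_.TrustedForDelegation)            { 'Unconstrained' }
                elseif ($_.'msDS-AllowedToDelegateTo')  { 'Constrained' }
                else                                    { 'None' }
        [pscustomobject]@{
            Name               = $_.Name
            Mode               = $mode
            # "Use any authentication protocol" (protocol transition) widens constrained delegation
            ProtocolTransition = [bool]$_.TrustedToAuthForDelegation
            AllowedTargets     = @($_.'msDS-AllowedToDelegateTo') -join '; '
        }
    }
}

# Check whether a middle-tier host (ComputerB in the question) may delegate to one specific SPN.
function Test-ConstrainedTarget {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$TargetSpn      # e.g. 'cifs/computerc.contoso.local'
    )
    $acct = Get-ADComputer -Identity $ComputerName -Properties msDS-AllowedToDelegateTo, TrustedForDelegation
    if ($acct.TrustedForDelegation) { return 'Unconstrained (any service)' }
    $targets = @($acct.'msDS-AllowedToDelegateTo')
    # The KDC compares the SPN the client actually requested against this list. A share opened as
    # \\ComputerC and one opened as \\computerc.contoso.local yield different SPNs, which is why
    # the ADUC delegation tab adds both the short and the FQDN form; verify both are present.
    if ($targets -contains $TargetSpn) { return "Allowed: $TargetSpn" }
    return "Not allowed: $TargetSpn (listed: $($targets -join ', '))"
}

# Usage: list every account that delegates at all, then check the two SPN forms for ComputerB.
Get-DelegationSummary | Where-Object Mode -ne 'None' | Format-Table -AutoSize
Test-ConstrainedTarget -ComputerName 'ComputerB' -TargetSpn 'cifs/ComputerC'
Test-ConstrainedTarget -ComputerName 'ComputerB' -TargetSpn 'cifs/computerc.contoso.local'
```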

Regarding DNS Problem


We had issues with DNS, as one of the VM servers was not able to resolve against the alternate DNS server.


Scenario is :


Mumbai: 4 DCs

2 physical: DCs

2 VMs: ADCs.

One of the VM servers was not able to resolve against the alternate DNS server because the primary DNS server (ADC) had an issue and was down.

=======================

** Both are ADC (Additional Domain Controllers) which are on  VM's

** Primary ADC01 and Secondary ADC02.

** VM server host entry got deleted from DNS. After that we created a new entry on the DNS server.

** One of the VM Server was not able to query Alternate DNS Server because Primary DNS Server was down.

** VM Server should have contacted to alternate DNS Server in case of primary DNS Failure which did not happen.

======================

Yesterday the VM server's host entry got deleted from the DNS server; after that we created a new entry.


Pramod Jadhav 9867715203


Detecting FSMO role holders *without* using special tools/methods.


I want to know if it's possible to detect the five FSMO roles without using the Windows Server GUI or tools like dcdiag, dsquery, netdom, PowerShell, vbscript, WMI, etc.

Essentially I want to determine whether or not a server holds one or more of the Active Directory FSMO roles simply by looking at:

  • Registry keys/values on the server.
  • Certain files being present on the server.
  • A specific process or processes running on the server.
  • Specific services running on the server.

Thanks in advance  :)



Windows Server 2008 Active Directory - Accounts get continuously locked after password expiration


Hi. I have two servers with Windows Server 2008. For example AD-1 (FSMO) and AD-2 (slave).

Both GC (Global Catalog) in the same domain. The level of the Domain is 2008.

Since two days ago, every account whose password expires gets blocked by Directory Services.

On the blocked account I found in the Event Viewer, in the Directory Service log, this warning (after some hours or a "gpupdate"):

--------------------------------------------------------------------------------------------------------------------------------------------------

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          "time"
Event ID:      1955
Task Category: Replication
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      AD-1(master)
Description:
Active Directory Domain Services encountered a write conflict when applying replicated changes to the following object.

object: CN=DOMAIN..etc.etc.. "User"..

Event log entries preceding this entry will indicate whether or not the update was accepted.
 

A write conflict can be caused by simultaneous changes to the same object or simultaneous changes to other objects that have attributes referencing this object. This commonly occurs when the object represents a large group with many members, and the functional level of the forest is set to Windows 2000. This conflict triggered additional retries of the update. If the system appears slow, it could be because replication of these changes is occurring.

 ---------------------------------------------------------------------------------------------------------------------------------------------------------

If you unlock the account it gets blocked again after 4 or 5 minutes, without reason. I didn't see any "access failed attempts" in any AD or Exchange server, even when the user is not logged in or using any service.

I did a 'dcdiag /v' and didn't find anything. The replication simply works fine. I tried to create a .txt file in the SYSVOL directory, with instant replication. I have discarded NTDS problems... I even did an ntdsutil metadata cleanup.

------------------------------------------------------------------Also I have this..... rare----------------------------------------------------

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          7/4/2016 10:54:24 AM
Event ID:      2887
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      AD-1
Description:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
 
This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
Summary information on the number of these binds received within the past 24 hours is below.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
 
Number of simple binds performed without SSL/TLS: 19
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx}" EventSourceName="NTDS LDAP" />
    <EventID Qualifiers="32768">2887</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="TIME" />
    <EventRecordID>9760</EventRecordID>
    <Correlation />
    <Execution ProcessID="788" ThreadID="972" />
    <Channel>Directory Service</Channel>
    <Computer>AD-2</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>19</Data>
    <Data>0</Data>
  </EventData>
</Event>
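Event 2887 above only gives daily totals; the 19 simple binds over cleartext mean some client is sending a password unencrypted on port 389 every day. The following added example (not from the original post) reads the two counters out of the event's EventData and, optionally, raises the "LDAP Interface Events" diagnostic level as the event text suggests, so the DC starts logging one event per insecure bind with the client that made it. It assumes it runs with administrative rights on (or against) the DC.

```powershell
# Added example: summarise Event 2887 and enable per-client insecure-bind logging on a DC.

function Get-InsecureLdapBindSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{ LogName = 'Directory Service'; Id = 2887; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # EventData carries exactly the two counters shown in the event XML above:
        # Data[0] = simple binds without SSL/TLS, Data[1] = SASL binds without signing.
        $x = [xml]$_.ToXml()
        $d = @($x.Event.EventData.Data)
        [pscustomobject]@{
            Computer         = $_.MachineName
            Time             = $_.TimeCreated
            SimpleBindsNoTls = [int]$d[0]
            SaslBindsNoSign  = [int]$d[1]
        }
      }
}

function Enable-LdapInterfaceEventLogging {
    param([ValidateRange(0, 5)][int]$Level = 2)
    # NTDS diagnostics category 16 is "LDAP Interface Events". Level 2 or higher makes the DC log
    # one event per insecure bind (event ID 2889) that names the client IP and the account used,
    # which the daily 2887 summary does not show. Set it back to 0 once the clients are found.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    Set-ItemProperty -Path $key -Name '16 LDAP Interface Events' -Value $Level -Type DWord
    (Get-ItemProperty -Path $key).'16 LDAP Interface Events'   # returns the level now in effect
}

# Usage: show the last week of summaries, then turn on per-client logging.
Get-InsecureLdapBindSummary | Format-Table -AutoSize
Enable-LdapInterfaceEventLogging -Level 2
```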



Can't print after joining domain


Hello,

Yesterday I set up a domain at our office, and added my laptop to it. We are using Server 2012 R2. My laptop is rather new and came with Windows 10. I upgraded it to Pro before joining the domain. My laptop is able to connect to the work VPN (Anywhere Access) and it shows a green icon.

Today, I was trying to print at home, but Windows could not connect to the printer. It was showing as "offline" in Devices and Printers. I removed it and tried adding it back to the computer but it could not be found on the network. I found the IP address and tried that but it also didn't work. I was able to ping the IP address successfully. (192.168.1.3)

My Father's computer is not on the domain, so he was still able to print at home, same as he has been for the past few years.

Funny thing is, I can see my father's laptop when I view the "Network" folder in explorer.

It appears that joining the domain has prevented me from using, or adding this printer at home.

Any ideas how to fix this? Thanks!!


The specified domain either does not exist or could not be contacted


Hello,
I know there are few topics like this, but I cannot find the same problem I'm facing.

I had a Win2003 DC which was working just fine. I installed a new Win2012 R2 server, promoted it as a new DC, moved all FSMO roles and kept both of them working. No problem up to here.

Then I demoted (forceremoval) the old 2003 and now the domain seems not to exist anymore.

If I try to open AD Site and Services I get this error: 
"Naming information cannot be located because:
The specified domain either does not exist or could not be contacted.
Contact your system administrator to verify that your domain is properly configured and is currently online"

So I checked AD Domains and Trusts, similar error:
"The configuration information describing this enterprise is not available. The specified domain either does not exist or could not be contacted."

I also have errors in the event viewer:
"Active Directory Domain Services was unable to establish a connection with the global catalog. 

 Additional Data 
Error value:
1355 The specified domain either does not exist or could not be contacted. 
Internal ID:
32013fa 

User Action: 
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem."

If I open the AD Administrative Center I get this error:
"Cannot connect to any domain. Refresh or try again when connection is available"

Here I can find my domain:
SCAA (local) with a red mark as if it is not available and if I try to change the domain controller I get an error:
"Cannot find an available server in the SCAA domain that is running the Active Directory Web Service (ADWS)"

If I start the server manager and try to add the role as Domain Controller again, the system shows a grey option related to this because it is already installed.

Any help?

Thanks and BR,
M

 

Cannot delete a Namespace Server


Hello, I made the mistake of not setting the DFS server to use FQDN. So I'm going through the process of changing the targets, but when I go to delete all the Namespace servers so I can export the config of the remaining server so I can change the targets to FQDN, I get this message. I've also tried to do it using command line and I get the same problem (I've deleted the network info so that's why it looks fragmented):-

Sysprep.exe with or without "Generalized"?


Can anyone tell me what the difference is between running sysprep.exe with or without the "Generalize" option?

Another question: is it possible to join a computer to a domain controller if they have the same SID (I clone them from a single image)?

Thank you all in advance for answering my questions :)

issue with LDAP


We are trying to get humhum and LDAP to work within our AD environment. Our current environment is a mixed domain and forest of Windows 2008 R2 and Windows 2012 R2.

Basically what we are trying to do is allow our users access to this web page for training using their network name and password.

The issue that we are seeing is:

Status: Error! (Message: 0x50 (Other (e.g., implementation specific) error; 80090304: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 20ee, v1db1): CN=LDAP,OU=Users-Undefined,OU=ouUSS-Departments,DC=---,DC=local)

The LDAP account is a domain admin account with all rights to the server.

The LDAP is on a member server named netmon using port 389.

We are using an LDAP instance named ldap1 with the following account named ldap:

ldap [netmon.---.local:389]

     cn=ldap1,dc=---,dc=local

         cn=lostandfound

         cn=ntds quotas

         cn=roles

I have added the cn=users container, with the user cn=ldap and msds-useraccountdisabled = false.

From reading some articles and watching YouTube, it seems I must export information from my DC and import it into this location, but when I do, it will not import.

Using ldp I can bind with the local account but still can't get any users to populate:

res = ldap_simple_bind_s(ld, 'CN=ldap,CN=users,CN=ldap1,DC=---,DC=local', <unavailable>); // v.3
Authenticated as: 'CN=ldap,CN=users,CN=ldap1,DC=---,DC=local'.

ADC Replication using 20 -30 GB in 24 Hours in a day


I have 186 ADCs.

Replication is using high bandwidth; the total utilization is approx. 20-30 GB in a day.


Last logon user more than 180 days


Hello 

I got the task to extract all the users in our environment whose last logon and password-last-set are more than 180 days ago.

I used the below script and got the result:

# Cutoff date: 180 days before today
$Days = (Get-Date).AddDays(-180)
# Users under the OU whose last logon and last password change are both older than the cutoff
Get-ADUser -SearchBase "OU=xxxxx,DC=abc,DC=constoso,DC=net" -Filter {lastlogondate -le $Days -AND passwordlastset -le $Days} -Properties lastlogondate, passwordlastset, Distinguishedname | Select-Object name, lastlogondate, passwordlastset, Distinguishedname | Export-Csv test10.csv

However, the problem is that it is pulling service accounts as well; I want only user accounts.

Can anyone help me here?

Thanks


NA
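Get-ADUser has no built-in notion of "service account" for ordinary user objects, so the query above has to exclude them by some convention. The following added example (not the poster's script) keeps the same 180-day logic but drops accounts that carry a servicePrincipalName or sit under an OU reserved for service identities; the OU name 'OU=Service Accounts,...' is an assumed placeholder and the search base reuses the poster's placeholder DN.

```powershell
# Added example: stale-account report limited to ordinary (non-service) user accounts.
# Assumes the RSAT ActiveDirectory module; adjust the placeholder DNs to your domain.
Import-Module ActiveDirectory

function Get-StaleUserAccount {
    param(
        [string]$SearchBase  = 'OU=xxxxx,DC=abc,DC=constoso,DC=net',            # poster's placeholder
        [string[]]$ExcludeOU = @('OU=Service Accounts,DC=abc,DC=constoso,DC=net'), # assumed placeholder
        [int]$Days           = 180
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    $props  = 'LastLogonDate', 'PasswordLastSet', 'ServicePrincipalName', 'DistinguishedName'

    # Caveats: LastLogonDate is derived from lastLogonTimestamp, which replicates only when it is
    # more than ~14 days stale, so it is accurate to within two weeks (fine for a 180-day rule).
    # Accounts that never logged on have no LastLogonDate and will not match "-lt" at all.
    Get-ADUser -SearchBase $SearchBase -Properties $props `
        -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff -and PasswordLastSet -lt $cutoff } |
      Where-Object {
        # Heuristic 1: a user object with an SPN is a Kerberos service identity, not a person.
        if ($_.ServicePrincipalName) { return $false }
        # Heuristic 2: anything under a dedicated service-account OU is excluded.
        $dn = $_.DistinguishedName
        foreach ($ou in $ExcludeOU) { if ($dn -like "*,$ou") { return $false } }
        $true
      } |
      Select-Object Name, SamAccountName, LastLogonDate, PasswordLastSet, DistinguishedName
}

# Usage: same CSV output as the original script, without the service accounts.
Get-StaleUserAccount | Export-Csv -Path .\test10.csv -NoTypeInformation
```

Managed service accounts (msDS-ManagedServiceAccount objects such as the one created with New-ADServiceAccount earlier on this page) are a different object class and are never returned by Get-ADUser, so they need no special handling here.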

Hyper-V+Network Failure= Lost Credentials for all service accounts

We had a network failure (due to an HP Virtual Connect installed in a C3000) that resulted in a full cluster failure (lost all networks). After resolving the issue by re-seating both VCs we managed to bring the cluster and the VMs back online. When doing checks we noticed that not a single service account was able to start. All service accounts were reporting "logon failure". We looked up the current password and re-entered it into the service configuration, and the service started correctly. We had to do this for every service on every server that was hosted on the Hyper-V: SQL, Exchange, SharePoint, Backup Exec, etc. The same goes for all Backup Exec logon accounts saved in the application. All backups failed because they couldn't log in. I have never seen a failure such as this and I can't really figure out what happened, except that some "cached credential" was deleted/corrupted because the VMs lost access to their storage. Ideas? Thank you in advance.

Not getting access to users data folders after active directory installed


I'm an administrator; I'm not getting access to users' data folders after Active Directory was installed.

Kindly advise how I can gain access to the data folders, so that I can take a backup of all users' data.

Regards,

Ravi Kumar

You do not have sufficient privileges to delete username

Need help. I inherited the position and keep getting the above-mentioned error message. I have gone to Active Directory, Advanced Features, clicked. Go to Users and uncheck "Protect object from accidental deletion" and try to delete, and still get the same error message. Any suggestions?

rickgpad

Clients still looking for netlogon on demoted former DC


We have a Server 2003 SP2 (not R2) box that we're trying to decommission.  The guy originally assigned to do this is no longer with the company, so we don't know how far he got.  It used to hold some licensing roles, and was a Domain Controller.  It was cleanly (or so it seemed) dcpromo'd and demoted over a year ago, and the licensing roles have either been moved or determined to be redundant.  It's not clear if this server was doing anything else, but as management are extremely risk-averse, just turning it off and seeing who screams is not an option.  So I fired up Wireshark to see if anything was still talking to it, and found that some workstations are still trying to find the netlogon share on this server.

Trans2 Request, GET_DFS_REFERRAL, File: \serverFQDN\netlogon

Trans2 Response, GET_DFS_REFERRAL, Error STATUS_NO_SUCH_DEVICE

Tree Connect Andx Request, Path: \\serverFQDN\NETLOGON

Tree Connect Andx Response, Error: STATUS_BAD_NETWORK_NAME

I've confirmed that the share doesn't exist on this server.  There are no lingering traces in DNS that point to this server as a DC.  There are no DHCP options pointing to this server (it may have hosted DHCP at some time, this is unclear).  I've run dcdiag across all of our DC's and can find no references to this server, and no errors.  I've checked Sites and Services, no references to it there.  I've looked at the event logs of a couple of the workstations at the time these packets are captured, and can see nothing out of the ordinary.  I've investigated the DFS settings, via dfsgui.msc, dfsmgmt.msc, and adsiedit.msc, nothing I could see refers to this server.  At this point, I have no idea what is referring these workstations to look at this server, does anyone have any ideas of what else I could look at?


Nigel Benfell B.Sc. MCSA
