Channel: Directory Services forum

Documenting AD with Visio 2016


FrsEvent Could not find computer object for this computer. Will try again at next polling cycle.


DC1+DC2 are newly added domain controllers. All FSMO roles have been transferred from the 2008 DC to DC2.

I am not sure if this is related, but when I built DC1+DC2, I joined them to the domain with those names. After installing AD and promoting them to DCs, they were renamed in AD to DC1~1 and DC2~1 for some reason. I asked about this on these forums and no one thought it would cause issues because DNS resolved properly with DC1+DC2 etc.

I believe there is a problem with DC1 only. We use FIM and AADsync for various services and sometimes when those use DC1, they report Server Down. I also run some powershell scripts against AD and sometimes using DC1 it will report Server Down. I have not had this issue with DC2. Both were built at the same time.

Ernie = 2008r2 DC

DC1+DC2=2012r2 DC

DC1 has the following in the DNS Server event log

"The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error."

And this in the Directory Service log, even though both DC1+DC2 have 32 GB of RAM and at the time of the error were only using 3.6 GB:

Internal event: Active Directory Domain Services could not allocate enough memory to process replication tasks. Replication might be affected until more memory is available. 
 
User Action 
Increase the amount of physical memory or virtual memory and restart the local computer.

DC1 dcdiag /v /c 

DC2 dcdiag /v /c

Below is what I think is the most concerning output from dcdiag

      Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         A warning event occurred.  EventID: 0x800034FA
            Time Generated: 08/01/2016   22:27:26
            Event String:
            Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller DC1.jwcc.edu for FRS replica set configuration information.
             Could not find computer object for this computer. Will try again at next polling cycle.
         An error event occurred.  EventID: 0xC00034D6
            Time Generated: 08/02/2016   02:22:27
            Event String:
            The File Replication Service cannot replicate c:\windows\sysvol\domain with the computer DC2 because the computer's SID cannot be determined from the distinguished name "cn=dc2~1,ou=dc2,ou=domain controllers,dc=jwcc,dc=edu".
            The File Replication Service will retry later.
         ......................... DC1 failed test FrsEvent

      Starting test: SystemLog
         * The System Event log test
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 08/02/2016   09:13:05
            Event String:
            Name resolution for the name jwcc.edu timed out after none of the configured DNS servers responded.
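As an added example (not code from the original post), the script below parses the FrsEvent and SystemLog sections of dcdiag /v output, decodes the 32-bit EventIDs dcdiag prints to the event-log numbers you would search for (0x800034FA is FRS event 13562, 0xC00034D6 is 13526, 0x000003F6 is 1014) and flags the two conditions quoted above: an FRS poll that cannot find the DC's own computer object, and a replication partner whose computer object RDN (dc2~1 here) does not match the host name FRS is trying to reach. SAMPLE is condensed from the dcdiag output in the post; everything else is assumed.

```python
"""Triage the FrsEvent / SystemLog sections of dcdiag /v output.

Added example, not from the original post. SAMPLE is condensed from the
dcdiag output quoted in the thread (domain jwcc.edu, DCs DC1/DC2).
"""
import re
from datetime import datetime

SAMPLE = """\
      Starting test: FrsEvent
         * The File Replication Service Event log test
         A warning event occurred.  EventID: 0x800034FA
            Time Generated: 08/01/2016   22:27:26
            Event String:
            Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller DC1.jwcc.edu for FRS replica set configuration information.
             Could not find computer object for this computer. Will try again at next polling cycle.
         An error event occurred.  EventID: 0xC00034D6
            Time Generated: 08/02/2016   02:22:27
            Event String:
            The File Replication Service cannot replicate c:\\windows\\sysvol\\domain with the computer DC2 because the computer's SID cannot be determined from the distinguished name "cn=dc2~1,ou=dc2,ou=domain controllers,dc=jwcc,dc=edu".
            The File Replication Service will retry later.
         ......................... DC1 failed test FrsEvent
      Starting test: SystemLog
         * The System Event log test
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 08/02/2016   09:13:05
            Event String:
            Name resolution for the name jwcc.edu timed out after none of the configured DNS servers responded.
"""

TEST_RE = re.compile(r"^\s*Starting test: (\w+)")
RESULT_RE = re.compile(r"^\s*\.+ (\S+) (passed|failed) test (\w+)")
EVENT_RE = re.compile(r"^\s*An? (\w+) event occurred\.\s+EventID: 0x([0-9A-Fa-f]{8})")
TIME_RE = re.compile(r"^\s*Time Generated: (\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}:\d{2})")
DN_RE = re.compile(r'"((?:cn|ou|dc)=[^"]+)"', re.I)
COMPUTER_RE = re.compile(r"with the computer (\S+) because", re.I)


def parse_dcdiag(text):
    """Return (events, results): events as dicts, results as {test: (dc, 'passed'|'failed')}."""
    events, results, test, cur = [], {}, None, None
    for line in text.splitlines():
        if m := TEST_RE.match(line):
            test, cur = m.group(1), None
        elif m := RESULT_RE.match(line):
            results[m.group(3)] = (m.group(1), m.group(2))
            cur = None
        elif m := EVENT_RE.match(line):
            raw = int(m.group(2), 16)
            # dcdiag prints the full 32-bit value; the event-log ID is the low 16 bits
            cur = {"test": test, "severity": m.group(1), "event_id": raw & 0xFFFF,
                   "raw": f"0x{raw:08X}", "time": None, "text": []}
            events.append(cur)
        elif cur is not None:
            if m := TIME_RE.match(line):
                cur["time"] = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %H:%M:%S")
            elif line.strip() and not line.strip().startswith("Event String"):
                cur["text"].append(line.strip())
    for e in events:
        e["text"] = " ".join(e["text"])
    return events, results


def triage(events):
    """Map the quoted event texts to actionable findings: (event_id, message)."""
    findings = []
    for e in events:
        dn, host = DN_RE.search(e["text"]), COMPUTER_RE.search(e["text"])
        if dn and host:
            # leaf RDN of the partner's computer object vs. the host name FRS uses
            leaf = dn.group(1).split(",")[0].split("=", 1)[1]
            if leaf.lower() != host.group(1).lower():
                findings.append((e["event_id"],
                                 f"computer object RDN '{leaf}' does not match host name '{host.group(1)}'"))
        if "Could not find computer object" in e["text"]:
            findings.append((e["event_id"], "FRS cannot locate this DC's own computer object"))
        if "none of the configured DNS servers responded" in e["text"]:
            findings.append((e["event_id"], "DC's DNS client got no answer from its configured resolvers"))
    return findings


if __name__ == "__main__":
    evs, res = parse_dcdiag(SAMPLE)
    for e in evs:
        print(f"{e['test']:<10} {e['severity']:<8} {e['raw']} = event {e['event_id']} at {e['time']}")
    for eid, msg in triage(evs):
        print(f"  [{eid}] {msg}")
    print("results:", res)
```

Run it against a saved `dcdiag /v /c > dcdiag.txt` by swapping SAMPLE for the file contents; the RDN check is the one to watch, since a computer object whose CN differs from the DNS host name is exactly what the 0xC00034D6 text is complaining about.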

DNS Service Error


The registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\LogFilePath contains an invalid value or could not be read. The DNS server cannot start. You must change this value to valid data or delete it and then attempt to restart the DNS service.

DNS Service error


Hi, I am getting this error in the event log:

The DNS server was unable to open file C:\Windows\system32\dns\dns.log for write.  Most likely the file is a zone file that is already open.  Close the zone file and re-initiate zone write.

The registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\LogFilePath contains an invalid value or could not be read. The DNS server cannot start. You must change this value to valid data or delete it and then attempt to restart the DNS service.

Determine who can do what in Active Directory?


Hello,

I'm managing a company's Active Directory environment and it seems quite a few people can do things within AD like create users or objects and reset passwords. I'm looking to get a handle on who can do what within Active Directory to make sure they don't have access to everything. I did find that they had a ton of Domain Admins that didn't need to be. Are there any good tools out there that can audit the delegation within AD? Thanks so much for the help.

User Certificates enrollment works Computer Certificates do not Server 2008 R2


I have a Windows Server 2008 R2 Certificate Authority with templates published to AD. When I use the Certificates MMC snap-in pointed to the User store, I can request a Code Signing certificate.

However, on the same computer I get the error "The data is invalid" when I select "Active Directory Enrollment Policy" and click Next when attempting to enroll for a certificate. This is with the Certificates snap-in pointed to "Local Computer".

The same error occurs when attempted on the CA itself.

I have a second domain for which this all works, so I'm looking for guidance as to error logs to look at and settings to check which would allow users to get a certificate for themselves but not a computer certificate.


Please help me, some GPO not working and DFSREvent error


Hi,

The wallpaper GPO is not working. I checked the GPO; it does not detect the Infrastructure role, and dcdiag reports this error:

Starting test: DFSREvent

There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.

I don't know whether this is related to the issue. When I click "Detect now" in the GPO window I get the error "Active Directory or SysVol inaccessible on the domain controller or an object is missing".

pls,

Thank you very much

Slow Intrasite replication


Hi,


I am trying to diagnose an issue with slow replication between ADDS GC servers. They are on different subnets, connected via high speed WAN link over VPN.


Within Sites and services they are all defined properly.


I have found many articles on the differences between site to site replication and intrasite, but not how to debug beyond using DCDIAG, which reports as healthy. Repadmin shows very low replication times.


Any thoughts or suggestions would be appreciated.


Distribution Group (Accept Messages from - Permission)


Hello,

I have a requirement to apply the "Accept messages from" permission on a few of the distribution groups, but the question is what happens if the organizational structure has a few nested distribution groups as members. How can we make sure that the permission is applied to the nested groups as well?

Scenario Example-

Distribution Group A - Can accept messages from AA User

Distribution Group B(Its a member of Distribution Group A) - Can accept messages from BB User

When we send a message to Distribution Group A from user AA, it won't be delivered to members of Distribution Group B even though it is a member of Distribution Group A.


Regards,
Manuj Khurana

How to disable cut, copy & paste on a local computer? I want to disable it using Windows 2008 R2 Group Policy. Please suggest how to do it.


How to disable cut, copy & paste on a local computer? I want to disable it using Windows 2008 R2 Group Policy. Please suggest how to do it.


LDAP server not found KB3161606


After installing the update KB3161606, our programmers get an error about "LDAP server not found" when connecting to an external LDAP system. Removing this update restores functionality. Anyone else had this issue? Troubleshooting on the *nix LDAP system appears to show the TLS handshake never completing. In the Visual Studio/IIS error message, we are only told that the server cannot be found.

DC Replication Issues


Good day,

We have an issue with our domain controllers replicating the NETLOGON and SYSVOL folders to the newly added DCs. The site previously had 2 domain controllers, TS1 and TS2. Both TS1 and TS2 are running MS Server 2008 (not R2). TS2 has all of the FSMO roles including the schema master and domain naming master roles, so it is the PDC.

We noticed that when adding 2 new WS2012R2 DC's (DCSRV01 & DCSRV02) that they were not replicating the netlogon and sysvol folders to these machines. We ran DCDIAG and the following error is what we had been investigating: "An net use or LsaPolicy operation failed with error 67,   The network name cannot be found.."

Which at the time led us to a DNS entry that was incorrect, which we then resolved. But this did not fix the issue, as we are still not achieving replication to the DCs.

We then demoted TS1 and removed it from the network, thinking that it might have something to do with the replication issues. This also didn't resolve the issue. We also demoted and removed the 2 newly added DCs (DCSRV01 & DCSRV02) and cleaned up Active Directory, including ADSI Edit of all the old DC information, leaving us with only the PDC, which is TS2. We then proceeded to install another 2012 R2 machine, joined it to the domain and promoted it to a DC, however still no joy.

We tried to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL - which we found from a microsoft article https://support.microsoft.com/en-us/kb/2218556, however the following location "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>" is not present on any of the DC's at all - which meant that we couldn't follow the steps provided. We are still scratching our heads at this point trying to get this fixed. We didn't want to make too many changes as we were worried that we might be creating more issues than we were solving at this point.

We are also noticing the following error in the event log (DC01 is the newly added secondary DC):

event id 13508

The File Replication Service is having trouble enabling replication from TS2 to DC01 for c:\windows\sysvol\domain using the DNS name TS2.mydomain.com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.

 [1] FRS can not correctly resolve the DNS name TS2.mydomain.com from this computer.
 [2] FRS is not running on TS2.mydomain.com.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

If any assistance can be provided it would be greatly appreciated.

Regards,

Kent

Assigning subnet to another site and creating site link


Hi

I need some help in AD Sites and Services. I am going to try explaining the situation I have. In our existing setup, we have a number of branch offices connected by leased lines (MPLS). We have six domain controllers in total. Two of them are in our main office (in London), two of them in the cloud (UK), the fifth one is in Paris and the sixth one in AWS.

Servers and their IP address are as below:

DC13 - 192.168.172.1
DC14 - 192.168.173.1
DC15 - 192.168.72.1
DC16 - 192.168.73.1
DC02 - 192.168.30.1
DC17 - 192.168.82.1

On AD Sites and Services, there are three sites and the servers are assigned as below:

London - DC13, DC14, DC15, DC16
Paris - DC17
Amazon - DC02

Subnets appear as below in my AD Sites and Services:

192.168.172.0 (assigned to site London)
192.168.173.0 (assigned to site London)
192.168.72.0 (assigned to site London)
192.168.73.0 (assigned to site London)
192.168.30.0 (assigned to site Amazon)
192.168.82.0 (assigned to site London)

DC13 and DC14 are in main office while DC15 and DC16 are in Cloud. So basically there should be four sites; Local, London, Paris and Amazon (I am calling main office as Local site). 

I think I will need to create a new site and name it Local. Then change subnets 192.168.172.0 and 192.168.173.0 to this new site Local, and move subnet 192.168.82.0 to site Paris. I have never worked with Sites and Services before, so I am unsure about this. Could you guys let me know if this is what it should be? Will I break anything if I change the sites for the subnets? If the proposed configuration is not correct, what should it be like?

Also there is only one site link, i.e. DefaultIPSiteLink and all three sites are in this sitelink. Looking at my configuration could you help me what site link should I have.

Your help would be very much appreciated.

Regards,

Diwa
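An added example (not from the original post) that checks the one thing that actually breaks when subnets are mapped to the wrong site: each DC's own address should resolve, by longest-prefix match, to a subnet assigned to the site the DC object sits in. The DC addresses, current site membership and subnet list are copied from the post; the /24 prefix lengths are an assumption (the post lists subnets without masks), "DC3" in the London list is read as DC13, and moving the two main-office DC objects into the new Local site is implied by the post rather than stated.

```python
"""Check that each DC's address falls in a subnet mapped to the DC's own AD site.

Added example, not from the original post. Addresses, site membership and
subnets are copied from the post; /24 masks and the DC13/DC14 move to the new
Local site are assumptions.
"""
import ipaddress

# DC -> (IP address, site the DC object currently sits in)
CURRENT_DCS = {
    "DC13": ("192.168.172.1", "London"), "DC14": ("192.168.173.1", "London"),
    "DC15": ("192.168.72.1", "London"), "DC16": ("192.168.73.1", "London"),
    "DC17": ("192.168.82.1", "Paris"), "DC02": ("192.168.30.1", "Amazon"),
}
# subnet object -> site it is assigned to (mask assumed /24)
CURRENT_SUBNETS = {
    "192.168.172.0/24": "London", "192.168.173.0/24": "London",
    "192.168.72.0/24": "London", "192.168.73.0/24": "London",
    "192.168.30.0/24": "Amazon", "192.168.82.0/24": "London",
}


def site_for_ip(ip, subnets):
    """Longest-prefix match, the rule the DC locator uses to map an address to a site."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def check(dcs, subnets):
    """(dc, dc_site, subnet_site) for every DC whose address maps to another site or to none."""
    return [(dc, dc_site, site_for_ip(ip, subnets))
            for dc, (ip, dc_site) in dcs.items()
            if site_for_ip(ip, subnets) != dc_site]


def proposed(dcs, subnets):
    """Apply the change the post describes: new Local site for 172/173, 82 moves to Paris."""
    subnet_moves = {"192.168.172.0/24": "Local", "192.168.173.0/24": "Local",
                    "192.168.82.0/24": "Paris"}
    # Assumption: the main-office DC objects move into Local along with their subnets
    dc_moves = {"DC13": "Local", "DC14": "Local"}
    new_subnets = {**subnets, **subnet_moves}
    new_dcs = {dc: (ip, dc_moves.get(dc, site)) for dc, (ip, site) in dcs.items()}
    return new_dcs, new_subnets


if __name__ == "__main__":
    print("current :", check(CURRENT_DCS, CURRENT_SUBNETS))
    print("proposed:", check(*proposed(CURRENT_DCS, CURRENT_SUBNETS)))
```

On the data in the post the current layout reports DC17 (site Paris) sitting in a subnet assigned to London, which means Paris clients are being pointed at London DCs; after the proposed moves no DC is mismatched. A DC whose address matches no subnet at all is reported with site None.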




Delegation Problems


Hello, I have this scenario: I create a security group and delegate the creation/deletion of computer objects and organizational unit objects on a root OU. On the root OU this works well; the users of the group can only create new computers and OUs. But in the OUs that they create, they can delegate full control to themselves and can create any object in those OUs. On the root OU they cannot delegate control because of the security permissions. Is this a bug or an expected result?

Windows 2012 R2
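An added example (not code from either thread) that serves both the "Determine who can do what in Active Directory?" question and the delegation scenario above: it parses an object's security descriptor in SDDL form (the format `Get-Acl` or `dsacls` can give you) and reports every non-trusted principal that holds a takeover right (GENERIC_ALL, WRITE_DAC, WRITE_OWNER), an extended right such as reset password, or the right to create child objects. It also reports the owner, because the owner of a Windows securable object implicitly holds READ_CONTROL and WRITE_DAC regardless of the DACL, which is why whoever creates an OU can then grant themselves full control of it. The SDDL string and the domain SID S-1-5-21-1004336348-1177238915-682003330 are constructed; the GUIDs are the real schema and extended-right identifiers.

```python
"""Audit an Active Directory object's DACL from its SDDL string.

Added example, not from the original thread. SAMPLE_SDDL is constructed;
the domain SID S-1-5-21-1004336348-1177238915-682003330 is a placeholder.
"""
import re

TAKEOVER = {"GA", "WD", "WO"}  # GENERIC_ALL, WRITE_DAC, WRITE_OWNER: enough to rewrite the DACL
# Schema class / extended-right GUIDs this example resolves
GUIDS = {
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password (reset password)",
    "bf967a86-0de6-11d0-a285-00aa003049e2": "computer",
    "bf967aa5-0de6-11d0-a285-00aa003049e2": "organizationalUnit",
    "bf967aba-0de6-11d0-a285-00aa003049e2": "user",
}
WELL_KNOWN = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "BUILTIN\\Administrators",
              "AO": "Account Operators", "CO": "CREATOR OWNER", "AU": "Authenticated Users",
              "WD": "Everyone", "SY": "SYSTEM", "PS": "SELF"}

SD_RE = re.compile(r"^O:(?P<owner>[^:]*?)(?:G:(?P<group>[^:]*?))?(?:D:(?P<dacl>.*?))?(?:S:(?P<sacl>.*))?$")
ACE_RE = re.compile(r"\(([^)]*)\)")

SAMPLE_SDDL = (  # constructed: an OU owned by a delegated user, with a few delegations
    "O:S-1-5-21-1004336348-1177238915-682003330-1105G:DAD:AI"
    "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(OA;CI;CC;bf967aa5-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;"
    "S-1-5-21-1004336348-1177238915-682003330-1120)"
    "(A;;WDWO;;;S-1-5-21-1004336348-1177238915-682003330-1130)"
    "(A;CI;LCRPLORC;;;AU)"
)


def split_rights(rights):
    """'CCDCLC' -> ['CC', 'DC', 'LC']; a hex access mask is returned unchanged."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """Split the descriptor into owner, group and a list of DACL ACEs (6-field ACEs only)."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("not an SDDL security descriptor")
    aces = []
    for body in ACE_RE.findall(m.group("dacl") or ""):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"unsupported ACE form: ({body})")
        ace_type, flags, rights, obj, inh_obj, sid = fields
        aces.append({"type": ace_type, "flags": flags, "rights": split_rights(rights),
                     "object": obj.lower(), "inherit_object": inh_obj.lower(), "sid": sid})
    return {"owner": m.group("owner"), "group": m.group("group"), "aces": aces}


def trustee(sid):
    return WELL_KNOWN.get(sid, sid)


def audit(sddl, trusted=("DA", "EA", "BA", "SY")):
    """Return (kind, trustee, detail) for each grant a non-trusted principal holds that matters."""
    sd = parse_sddl(sddl)
    findings = []
    # The owner always holds READ_CONTROL and WRITE_DAC implicitly, whatever the DACL says
    if sd["owner"] not in trusted:
        findings.append(("owner", trustee(sd["owner"]), "implicit READ_CONTROL + WRITE_DAC"))
    for ace in sd["aces"]:
        if ace["type"] not in ("A", "OA") or ace["sid"] in trusted:
            continue
        rights, who = set(ace["rights"]), trustee(ace["sid"])
        scope = GUIDS.get(ace["inherit_object"], ace["inherit_object"]) or "all"
        if rights & TAKEOVER:
            findings.append(("takeover", who, f"{','.join(sorted(rights & TAKEOVER))} on {scope} objects"))
        if "CR" in rights:
            right = GUIDS.get(ace["object"], ace["object"]) or "ALL extended rights"
            findings.append(("extended-right", who, f"{right} on {scope} objects"))
        if "CC" in rights:
            cls = GUIDS.get(ace["object"], ace["object"]) or "any child class"
            findings.append(("create-child", who, cls))
    return findings


if __name__ == "__main__":
    for kind, who, detail in audit(SAMPLE_SDDL):
        print(f"{kind:<15} {who:<50} {detail}")
```

Feed it the SDDL of each OU (for example `(Get-Acl "AD:\OU=Workstations,DC=example,DC=com").Sddl`) and the report lines up with the questions asked: who can create computers and OUs, who can reset passwords, and who owns or can rewrite the DACL of the container. Unknown GUIDs are printed raw so you can look them up in the schema or extended-rights container.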

different results for same AD query


Dear all,

During the last 6 weeks my users have been faced with a strange issue. I'm not clear about where to start looking, as my current queries to this forum and Google do not deliver adequate results.

If I query Active Directory at a customer's forest I receive different results on properties for exactly the same queries. Usually we have Citrix StoreFront in place, and we are granting permission on a value usually stored in the user's "carlicense" property. I'm very sure that I do not have replication issues; as far as I can see from dcdiag/repadmin, replication is fine.

The problem came up first when some users reported problems with that application, but it looks like the issue is independent of the application, as I can also get the misleading result from PowerShell and dsa.msc as well.

If you query AD like that:

get-aduser Martin.gudel -Server somedomaincontroller -properties carlicense 

you will receive a default output including the "enabled" property.

What you can see from the screenshot: in the 1st query there is also a return value "enabled true" as well as the carlicense property. The second query does not contain any of these properties. In particular I wonder why "enabled true" is missing.

Any explanation for that? Thanks for any hints.

Regards,

Martin


AD Forest Migration, same org


Taking over an AD migration project, and have two forests in the same company. The idea was setup a new forest and migrate over the domains from the other forest to this new one. It has its own DC's and a two-way trust is setup between the two.

Many AD objects have already been duplicated and created in this new forest. User accounts exist but are disabled. Permissions from both forest have already been set on things like file shares.

However there is an Exchange 2013 server in the *old* forest and no plans to setup an Exchange server in the new forest. This has been the sticky point, getting mailbox and calendar permissions working from the new forest for a user. Following this: https://technet.microsoft.com/en-us/library/aa998221(v=exchg.160).aspx tried setting “LinkedMasterAccount” to $null, which will convert the mailbox back to a non-linked account to disassociate the permissions on the mailbox to set to the new forest, but didn't work out yet... 

The plan is to migrate a user at a time: join the new forest, login to create a Windows profile to the new domain, test file shares, run ForensIT Profile Migration Wizard (https://www.forensit.com/domain-migration.html) to migrate the profile, and setup an Outlook profile to get the user's same mailbox synced up again.

The Exchange piece hasn't been totally ironed out. Thoughts?


-Ed

Experience with Hypervisor based replication of DCs (such as Zerto or RecoverPoint for VMs)


I am looking at the Zerto product for a disaster recovery option.  I am wondering how this would work with DCs.  If we let the Zerto product replicate (asynchronous replication at the hypervisor level) to a "failover VM" at the DR site, how will this work with Active Directory's built-in replication?  

I'm curious if anybody has any experience using either Zerto or RecoverPoint (which uses a very similar methodology as Zerto) for VM replication of DCs?  

Why Schema Master is Forest wide?

Please let me know why the Schema Master is forest-wide.

Security policies were propagated with warning. 0x534


Dear Sir,


I am getting the below error on a domain controller, please help me resolve it.

Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events". 

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions: 

1. Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a. Start -> Run -> RSoP.msc
b. Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c. For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3. Remove unresolved accounts from Group Policy

a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in..."
c. From the "Add/Remove Snap-in" dialog box select "Add..."
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse" button.
f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g. For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.

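As an added example (not code from the original post or from Microsoft), the script below does steps 1 and 2 of the event text offline: it reads the `[Privilege Rights]` and `[Group Membership]` sections of a GPO's GptTmpl.inf, treats entries written as `*S-1-...` as already-resolved SIDs, tries to resolve every bare account name against a lookup table, and reports the ones that would produce the "No mapping between account names and security IDs was done" (0x534 = 1332) result. It also pulls the names out of "Cannot find X." lines the way the FIND command in step 1 does, so the two lists can be compared. The INF text, the winlogon.log excerpt, the CONTOSO domain and the account table are all constructed for the example; the domain SID is a placeholder.

```python
"""Find accounts in a GPO's GptTmpl.inf that cannot be resolved to a SID (event 1202, 0x534).

Added example, not part of the original post. SAMPLE_INF, SAMPLE_WINLOGON_LOG and
KNOWN_ACCOUNTS are constructed; CONTOSO is a placeholder domain.
"""
import re

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-551,CONTOSO\\JohnDough
SeRemoteInteractiveLogonRight = *S-1-5-32-555,CONTOSO\\HelpDesk
SeDenyNetworkLogonRight = CONTOSO\\svc_legacy
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1004336348-1177238915-682003330-512,CONTOSO\\JohnDoe
"""

# Stand-in for a directory lookup: names the domain can actually resolve (lower-cased)
KNOWN_ACCOUNTS = {
    "contoso\\johndoe": "S-1-5-21-1004336348-1177238915-682003330-1105",
    "contoso\\helpdesk": "S-1-5-21-1004336348-1177238915-682003330-1120",
}

SAMPLE_WINLOGON_LOG = """\
----Configure User Rights...
Configure S-1-5-32-551.
Cannot find JohnDough.
Error 1332: No mapping between account names and security IDs was done.
Cannot find svc_legacy.
Error 1332: No mapping between account names and security IDs was done.
"""

SECTIONS_OF_INTEREST = ("Privilege Rights", "Group Membership")


def parse_inf(text):
    """Minimal INF parser: {section: {key: [value, ...]}} with comma-separated values split."""
    inf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            inf.setdefault(section, {})
        elif "=" in line and section:
            key, _, value = line.partition("=")
            inf[section][key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return inf


def resolve(name, directory=KNOWN_ACCOUNTS):
    """'*S-1-...' entries are already SIDs; anything else must be looked up by name."""
    if name.startswith("*"):
        return name[1:]
    return directory.get(name.lower())


def unresolved_accounts(inf, directory=KNOWN_ACCOUNTS):
    """(section, setting, name) for every name secedit will fail to map, in file order."""
    out = []
    for section in SECTIONS_OF_INTEREST:
        for key, values in inf.get(section, {}).items():
            for v in values:
                if resolve(v, directory) is None:
                    out.append((section, key, v))
    return out


def cannot_find(winlogon_log):
    """Names from 'Cannot find X.' lines, the same thing FIND /I "Cannot find" shows."""
    return re.findall(r"^Cannot find (.+?)\.?$", winlogon_log, re.M)


if __name__ == "__main__":
    bad = unresolved_accounts(parse_inf(SAMPLE_INF))
    for section, setting, name in bad:
        print(f"[{section}] {setting}: cannot resolve {name}")
    print("winlogon.log reports:", cannot_find(SAMPLE_WINLOGON_LOG))
```

In a real domain, replace KNOWN_ACCOUNTS with an actual lookup (for instance `Get-ADObject -LDAPFilter "(sAMAccountName=...)"` per name) and point `parse_inf` at `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` for each GPO RSoP flagged; the setting name in the output is the user right or restricted group to fix in step 3.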

Domain Controllers from Diff Domains in same AD Site


Hi Guys

Has anyone ever seen domain controllers from different domains of the same forest placed in the same (one) Active Directory site?

If it's possible, what's the use case for this scenario (where is it used / required)?

Thanks

Taranjeet Singh


