Channel: Directory Services forum

DDP GPO not enforcing MinPDWLength


We have Windows 2008 R2 domain controllers, SCHEMA 2008, Function Level 2003.  Just changed Minimum Password Length from 7 to 8 Characters however users can still set PWD to 7 characters. Checked the GPO and shows the policy has PWD MIN Length of 8. We are only using the DDP to push Password Policies. 

Any advice would be helpful.

SK


how to set "PasswordNeverExpire" in Active Directory from C#?


Hi

how to set "PasswordNeverExpire" in Active Directory from C#?

Please let me know how

Here is my code

// Requires: using System; using System.Collections.Generic;
//           using System.DirectoryServices; using System.Threading;
public void InsertUser(ADUser s)
{
    DirectoryEntry directoryEntry = null;
    // Properties that are skipped when copying ADUser fields onto the directory entry
    List<string> AddFilter = new List<string>() { "STATUSCODE", "EXCHANGEPROPERTY", "DEPTFULLNAME", "DEPTFULLCODE", "DBKEY" };

    try
    {
        // Locate the target OU, then create the user object in it
        directoryEntry = ORGFocusMove(s.DEPTFULLNAME, s.DEPTFULLCODE, AD_Enum.User);
        directoryEntry = AD_Common.Add(directoryEntry, "CN=" + s.DISPLAYNAME, "sAMAccountName=" + s.SAMACCOUNTNAME, "User", s.SAMACCOUNTNAME);

        //directoryEntry.Invoke("SetPassword", new object[] { s.PASSWORD });
        //directoryEntry.CommitChanges();
        //directoryEntry.RefreshCache();

        AD_Common.SetPropertis<ADUser>(s, AddFilter, directoryEntry); //Add to Properties
        directoryEntry.CommitChanges();

        // Rename the object if its CN does not match the trimmed display name
        if (!directoryEntry.Properties["CN"].Value.ToString().Equals(s.DISPLAYNAME.Trim()))
        {
            directoryEntry.Rename("CN=" + s.DISPLAYNAME);
            directoryEntry.CommitChanges();
        }

        if (s.STATUSCODE != "D")
            UserEnableExchange(directoryEntry, s.SAMACCOUNTNAME);
    }
    catch (ThreadAbortException)
    {
        // Rethrow without resetting the stack trace
        throw;
    }
    catch (Exception ex)
    {
        throw new Exception("AD " + s.SAMACCOUNTNAME + " Create Failed : " + ex.Message);
    }
    finally
    {
        if (directoryEntry != null)
        {
            directoryEntry.Close();
            directoryEntry = null;
        }
    }
}

Windows 10 Pro & PowerShell v5.1

I used enable-WindowsOptionalFeatures cmdlet to enable the Active Directory Lightweight Directory Services. But when I tried to use Set-ADDomain, it didn't work, because no Active Directory Web Services was running. I know I could use Active Directory Lightweight Directory Services Setup Wizard.exe to start this service. Can any cmdlet do that?

GPOs will not apply to any OU. Only domain policy works.

I created 2 OUs (computers and users) in hopes of getting something to work.... I created some GPOs like password policy, screen saver policy, and mapped drive policy. None of them seem to work. I checked AD to make sure users are in users and computers in computers along with the groups the users belong to. Followed some online guides but I am getting nothing, not even errors in event view. Help is much appreciated.

How to view Active Directory's Load


Hi,

Currently our AD uses a Primary DC (with DNS service) and an Additional DC (with DNS and DHCP services on), with around 1000 users.

Is there any way to view how much load each server gets? For example, whether we need a third one or not.

Or do I just need to see the CPU load in Task Manager?

Because in the next few months our developers will deploy an app which uses LDAP as its authentication library (single sign-on), and I need to know whether our AD is still viable (capacity wise).

All servers (AD and app) still run on the same network.

Thank You

The universal unique identifier (UUID) type is not supported


Hi,

Just migrated my Surface 3 tablet to Windows 10 Pro to use it with my Active Directory domain (2012 R2).

I have several Windows 10 clients on my network that are working fine. All of my clients have the same configuration (language, software installed, DNS etc.). The Surface is linked by a VPN to my server (not at the same place, I use it at home for work); I have two desktop computers on Windows 10 running over VPN without any issues.

When I log on using my personal profile, I always get "The universal unique identifier (UUID) type is not supported" after about 30 minutes (time to first load my profile). No issues with all other user profiles on the tablet. No issues with my profile on all other clients.

What I've tried:

- Factory reset the tablet, keeping my files. After that, Windows told me I was logged in with a temporary profile, and all changes would be lost because Windows can't locate the local profile.

- Factory reset without keeping any files. Same issue.

- Fresh install of Windows 10 with a USB key. Wiping everything, clearing the partition and creating it again. Now I can't open this session, always getting this message (The universal unique identifier (UUID) type is not supported). Tried two times, same issue...

Thank you for your help !

Local account to domain, retain Office 365 license


Hello fellow geeks,

I plan to join workstations to a domain, and some of them have MS Office with Office 365 accounts. My question is: will there be a need to reapply the license again if I add the computer to a domain and the local account won't be used anymore, but a domain account? Or if I just convert the local profile to a domain profile, will everything stay the same?

Any help is welcome, thanks :)

Event ID 10016 - DCOM Error | Source - Microsoft-Windows-DistributedCOM | Level: Error


Hi there... I am getting the above mentioned error with the

Description: dows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

Full message is -

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          5/15/2012 1:18:44 PM
Event ID:      10016
Task Category: None
Level:         Error
Keywords:      Classic
User:          NT AUTHORITY\IUSR
Computer:      Server.domain.com
Description:
The description for Event ID 10016 from source Microsoft-Windows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

application-specific
Local
Activation
{2D527A8C-A4B6-4E74-A63F-E867360D401C}
{B13EFBAE-7504-4938-9ED7-8E8B53E51221}
NT AUTHORITY
IUSR
S-1-5-17
LocalHost (Using LRPC)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10016</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-05-15T19:18:44.000000000Z" />
    <EventRecordID>43121</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>Server.Domain.com</Computer>
    <Security UserID="S-1-5-17" />
  </System>
  <EventData>
    <Data Name="param1">application-specific</Data>
    <Data Name="param2">Local</Data>
    <Data Name="param3">Activation</Data>
    <Data Name="param4">{2D527A8C-A4B6-4E74-A63F-E867360D401C}</Data>
    <Data Name="param5">{B13EFBAE-7504-4938-9ED7-8E8B53E51221}</Data>
    <Data Name="param6">NT AUTHORITY</Data>
    <Data Name="param7">IUSR</Data>
    <Data Name="param8">S-1-5-17</Data>
    <Data Name="param9">LocalHost (Using LRPC)</Data>
  </EventData>
</Event>

Please let me know any solutions to fix....

Steps, I did try from one of the blogs -

Open Component Services. Go to Start --> Control Panel --> Administrative Tools --> Component Services. Expand the Component Services branch, then expand Computers, My Computer and DCOM Config. Right-click on "sms agent host" (my case) and click Properties. Click on the Security tab and under "Launch and Activation Permissions" select "Edit" and add user Local Service (Local Launch). Click OK, close the Component Services window.

In the Launch Permission dialog box, make sure that the Everyone group has Remote Launch and Remote Activation permissions.

In the Launch Permission dialog box, make sure that the SMS Reporting Users local group has following permissions:

Local Launch / Remote Launch / Local Activation / Remote Activation

Also added Remote Launch / Remote Activation permission for Network Service (for the SMS_Reporting_Point)

Added Admin Group to the "ConfigMgr Remote Control Users"


VT



Changing AD LDS replication account


Hello,

At my workplace, we have an AD LDS POC environment set up with 2 servers.   When the AD LDS replication was setup between the 2 servers, it was configured with a user account.   

Is there any way, or a URL, on how to change the AD LDS replication account? We were thinking about having the account as a gMSA instead.

Thank you in advance.  

How to enable LDAP over SSL with a third-party certification authority when the internal top level domain suffix is .local?


My internal top level domain suffix is .local.

I need to enable LDAP over SSL on one of my DCs to allow an LDAP client on the internet to sync with Active Directory.

I need to have a cert issued by a public certificate authority with the FQDN of my DC so that an LDAP client on the internet can sync with my Active Directory.

Say my internal domain is: fabrikam.local

Say my internal FQDN of my DC is dc1.fabrikam.local

Say my external domain is: contoso.com

I followed this kb https://support.microsoft.com/en-us/kb/321051 and created a cert with a FQDN of dc1.contoso.com

The LDAP client documentation says the cert needs to have the DC's FQDN on the cert

The LDAP client authentication is failing; I'm assuming it's because the FQDN on the cert doesn't match the server's FQDN. Is this a correct assumption? If so, is there any way to make this work?


DC's are unable to perform BIND.


Hi Everyone,

I am getting a weird error for which I am having a hard time troubleshooting. The environment has 3 domain controllers, DC1 DC2 and DC3. I am getting errors when performing manual replications, I am getting access denied when opening a GPMC (as well as ADUC, Sites and Services, etc) console when connected to another DC. 

DC1 and DC2 have trouble connecting to the other domain controllers. I am unable to force a sync from these domain controllers using repadmin /syncall.

Here is the result of a repadmin /syncall on DC1 and DC2:

CALLBACK MESSAGE: Error contacting server a9326fa6-e465-4a55-8fe4-143f4d2100e8._msdcs.fqdn.com (network error): 5 (0x5):

    Access is denied.

CALLBACK MESSAGE: Error contacting server 3dc7a026-c031-4bdc-915f-f200e0aebcba._msdcs.fqdn.com (network error): 5 (0x5):

    Access is denied.

CALLBACK MESSAGE: Error contacting server 83ce846e-4d0a-485e-a414-4ac5abc39bc5._msdcs.fqdn.com (network error): 5 (0x5):

    Access is denied.



SyncAll exited with fatal Win32 error: 8440 (0x20f8):

    The naming context specified for this replication operation is invalid.

from DC3 to DC1 and DC2 this works fine.

repadmin /showrepl on each DC shows successful for all directory partitions.


From DC1 and DC2, here is the result for repadmin /bind DC3

Error: An LDAP lookup operation failed with the following error:   

LDAP Error 49(0x31): Invalid Credentials   

Server Win32 Error 0(0x0):   

Extended Information:


Does anyone have an idea on how I can further troubleshoot this?

 

My Head office users are authenticating from RODC in branch instead of HO writable Server .


Hi Experts,

I have a strange issue.

I have 28 branches with an RODC installed with DNS and DHCP, Windows Server 2012 and R2 mixed. Each RODC is in its own site.

I have 4 RWDCs, 2 in Head Office and 2 in other branches, with Windows Server 2008 R2 installed.

I have Windows 7 clients and some Windows 10.

The issue is that every user in HO that I am seeing is authenticating from a branch RODC. Most of my branches are shutting down their DC after 4 PM because of electricity issues, due to which users are facing the Trust Relationship issue.

The other issue is that none of our users can change their password when it is expired, except the users whose user and computer attribute (msDS-AuthenticatedAtDC) is manually set to our PDC.

krbtgt_xxxx account missing on read only domain controller


Team,

Strange issue with the KRBTGT_xxxx account which read only domain controller have individually, on couple of domain controllers. If you search for the account within the domain controller it is missing, while the same is available in the writable domain controller when searching. Issue is that the KDC service is not starting in these 2 RODC's. If you try to start them, the error says that "insufficient resources" also seeing the event id 7 on the system log followed by event id 7203. Any help is appreciated. Went through many forums etc with no luck , reboots done, no patches past 2 months, also reset the RODC secure channel using the NETDOM command available with no avail.

Let me know if more logs required

AD Replication failure with the following error fails to contact destination server; possible cause Nslookup failure.


I have two Windows Server 2008 R2 Enterprise servers configured as GC servers. However, they are not seeing each other via their DNS records. I keep on getting a DNS connection error on the secondary server when I run "dcdiag.exe". Any help?

I am able to ping both servers from each other.

Server 1 dcdiag.exe Report

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = Server1

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\Server1

      Starting test: Connectivity

         ......................... Server1 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\Server1

   
      Starting test: DNS

         

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... Server1 passed test DNS

   
   Running partition tests on : ForestDnsZones

   
   Running partition tests on : DomainDnsZones

   
   Running partition tests on : Schema

   
   Running partition tests on : Configuration

   
   Running partition tests on : AFCorp

   
   Running enterprise tests on : AFCorp.local

      Starting test: DNS

         Test results for domain controllers:

            
            DC: Server1.AFCorp.local

            Domain: AFCorp.local

            

                  
               TEST: Basic (Basc)
                  Warning: adapter

                  [00000010] Broadcom NetXtreme Gigabit Ethernet has invalid

                  DNS server: 10.0.0.10 (SERVERX)

                  
               TEST: Records registration (RReg)
                  Network Adapter

                  [00000010] Broadcom NetXtreme Gigabit Ethernet:

                     Error: 
                     Missing SRV record at DNS server 10.0.0.11:
                     _ldap._tcp.dc._msdcs.AFCorp.local
                     
                     Error: 
                     Missing SRV record at DNS server 10.0.0.11:
                     _kerberos._udp.AFCorp.local
                     
                     Error: 
                     Missing SRV record at DNS server 10.0.0.11:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.AFCorp.local
                     
                     Error: 
                     Missing SRV record at DNS server 10.0.0.11:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.AFCorp.local
                     
                     Error: 
                     Missing SRV record at DNS server 10.0.0.11:
                     _kerberos._tcp.Default-First-Site-Name._sites.AFCorp.local
                     
                     Warning: 
                     Missing SRV record at DNS server 10.0.0.12:
                     _ldap._tcp.gc._msdcs.AFCorp.local
                     
                  Network Adapter

                  [00000019] Microsoft Virtual Network Switch Adapter:

                     Warning: 
                     Missing SRV record at DNS server 10.0.0.12:
                     _ldap._tcp.gc._msdcs.AFCorp.local
                     
               Error: Record registrations cannot be found for all the network

               adapters

         
         Summary of test results for DNS servers used by the above domain

         controllers:

         

            DNS server: 10.0.0.10 (SERVERX)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.0.0.10               Name resolution is not functional. _ldap._tcp.AFCorp.local. failed on the DNS server 10.0.0.10
               
         Summary of DNS test results:

         
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: AFCorp.local

               Server1                    PASS WARN n/a  n/a  n/a  FAIL n/a  
         
         ......................... AFCorp.local failed test DNS



Server 2 Dcdiag.exe Report


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = PRVSRV

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\PRVSRV

      Starting test: Connectivity

         The host

         8a7d44e2-1885-4bc9-a1f3-d475baf3fce8._msdcs.AFCorp.local

         could not be resolved to an IP address. Check the DNS server, DHCP,

         server name, etc.

         Got error while checking LDAP and RPC connectivity. Please check your

         firewall settings.

         ......................... PRVSRV failed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\PRVSRV

   
      Starting test: DNS

         

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... PRVSRV passed test DNS

   
   Running partition tests on : ForestDnsZones

   
   Running partition tests on : DomainDnsZones

   
   Running partition tests on : Schema

   
   Running partition tests on : Configuration

   
   Running partition tests on : AFCorp

   
   Running enterprise tests on : AFCorp.local

      Starting test: DNS

         Test results for domain controllers:

            
            DC: PRVSRV

            Domain: AFCorp.local

            

                  
               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Warning: adapter

                  [00000007] HP Ethernet 1Gb 4-port 366i Adapter has invalid

                  DNS server: 10.0.0.10 (SERVERX)

                  No host records (A or AAAA) were found for this DC

                  
               TEST: Dynamic update (Dyn)
                  Warning: Failed to add the test record dcdiag-test-record in zone AFCorp.local
                  
               TEST: Records registration (RReg)
                  Network Adapter

                  [00000007] HP Ethernet 1Gb 4-port 366i Adapter:

                     Error: 
                     Missing SRV record at DNS server 10.0.0.11:
                     _ldap._tcp.dc._msdcs.AFCorp.local
                     
                     Error: 
                     Missing SRV record at DNS server 10.0.0.11:
                     _kerberos._udp.AFCorp.local
                     
                     Error: 
                     Missing SRV record at DNS server 10.0.0.11:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.AFCorp.local
                     
                     Error: 
                     Missing SRV record at DNS server 10.0.0.11:
                     _kerberos._tcp.Default-First-Site-Name._sites.AFCorp.local
                     
               Error: Record registrations cannot be found for all the network

               adapters

         
         Summary of test results for DNS servers used by the above domain

         controllers:

         

            DNS server: 10.0.0.10 (SERVERX)

               2 test failure on this DNS server

               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.0.0.10               Name resolution is not functional. _ldap._tcp.AFCorp.local. failed on the DNS server 10.0.0.10
               
         Summary of DNS test results:

         
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: AFCorp.local

               PRVSRV                    PASS FAIL PASS PASS WARN FAIL n/a  
         
         ......................... AFCorp.local failed test DNS
                                                                       

Active Directory Domain server is not resolve one of my url


Hello Support,

I have configured an Active Directory Domain server and it does not resolve one of my URLs, but when I change the DNS server from the local IP to 4.2.2.2, after that it works.

Please suggest how to resolve the DNS issue.


I want to restrict access group wise in ADFS


Hello Support,

I want to restrict access group wise in ADFS 3.0:

Group A members are only allowed external access to the Outlook client

Group B members are only allowed external access to the Outlook client & mobile

Group C members are only allowed external access to Skype for Business on mobile

Group D: SharePoint is blocked for all external access

I want to achieve this with a claim rule. Please help me.

Authenticate directly to VM in a IaaS Datacentre


Dear Champs,

I'm designing a hybrid solution for a client to host email+data and Office 365, but want to keep a virtual machine dedicated locally in the region for AD sync. The system will have up to 700 users by next year. My question is: if I set up an AD server in a datacenter IaaS provider, as a VM, and set up a VPN between the head office and the datacenter with routing and VLANs in place, what bandwidth should I be looking to throttle, or in other words what quota should I set up on the VPN? I am planning to keep a 2Gbps internet line. Please note this office will also connect to the internet for Office 365 activity.

Also please let me know your ideas on using ForcePoint (Websense) on Office 365 and on the VM, as the data is critical and DLP is required.

Any case studies for this scenario?

Many thanks


Exchange Rocks

Tombstone Errors 2008 R2 DC and 2003 DC


I was called in to look at replication errors for client.  They have two DCs, one 2008R2 DC (PFIDC01) and a 2003 DC (PFISRV02).  Replication is not working and giving the tombstone warning.  It says replication hasn't worked since 2009 which I find hard to believe.

The 2008R2 server holds all the FSMO roles. 

I've read the best way to fix this would be to force removal of the tombstoned DC, which I'm fine with, and I want to get rid of the 2003 anyway, but how do I know which DC is the tombstoned one? In other words, which DC should I forcibly remove? Does it matter? I would obviously prefer to demote the 2003 server so I don't have to seize roles.

I am able to create users on each DC but obviously they don't replicate.

Below is the /showrepl command from each DC.  Any help would be greatly appreciated.

===========================================================================

U:\>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\PFIDC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 42da0d85-f40c-4743-b953-536e1796369d
DSA invocationID: b872e3b5-b3a9-44ee-a754-8eef8e0dfbbe

==== INBOUND NEIGHBORS ======================================

DC=provimiveal,DC=com
    Default-First-Site-Name\PFISRV02 via RPC
        DSA object GUID: a9176f7a-918b-4225-9c69-cfba7cc5a3b8
        Last attempt @ 2016-10-01 20:50:07 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

        15269 consecutive failure(s).
        Last success @ 2009-10-02 06:39:17.

CN=Configuration,DC=provimiveal,DC=com
    Default-First-Site-Name\PFISRV02 via RPC
        DSA object GUID: a9176f7a-918b-4225-9c69-cfba7cc5a3b8
        Last attempt @ 2016-10-01 20:50:07 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

        2841 consecutive failure(s).
        Last success @ 2009-10-02 06:09:10.

CN=Schema,CN=Configuration,DC=provimiveal,DC=com
    Default-First-Site-Name\PFISRV02 via RPC
        DSA object GUID: a9176f7a-918b-4225-9c69-cfba7cc5a3b8
        Last attempt @ 2016-10-01 20:50:07 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

        2838 consecutive failure(s).
        Last success @ 2009-10-02 05:53:35.

DC=ForestDnsZones,DC=provimiveal,DC=com
    Default-First-Site-Name\PFISRV02 via RPC
        DSA object GUID: a9176f7a-918b-4225-9c69-cfba7cc5a3b8
        Last attempt @ 2016-10-01 20:50:07 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

        2836 consecutive failure(s).
        Last success @ 2009-10-02 05:53:35.

DC=DomainDnsZones,DC=provimiveal,DC=com
    Default-First-Site-Name\PFISRV02 via RPC
        DSA object GUID: a9176f7a-918b-4225-9c69-cfba7cc5a3b8
        Last attempt @ 2016-10-01 20:50:07 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

        2836 consecutive failure(s).
        Last success @ 2009-10-02 05:53:35.

Source: Default-First-Site-Name\PFISRV02
******* 15268 CONSECUTIVE FAILURES since 2009-10-02 06:39:17
Last error: 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

================================================================================

U:\>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\PFIDC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 42da0d85-f40c-4743-b953-536e1796369d
DSA invocationID: b872e3b5-b3a9-44ee-a754-8eef8e0dfbbe

==== INBOUND NEIGHBORS ======================================

DC=XYX,DC=com
    Default-First-Site-Name\PFISRV02 via RPC
        DSA object GUID: a9176f7a-918b-4225-9c69-cfba7cc5a3b8
        Last attempt @ 2016-10-01 20:50:07 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

        15269 consecutive failure(s).
        Last success @ 2009-10-02 06:39:17.

CN=Configuration,DC=XYX,DC=com
    Default-First-Site-Name\PFISRV02 via RPC
        DSA object GUID: a9176f7a-918b-4225-9c69-cfba7cc5a3b8
        Last attempt @ 2016-10-01 20:50:07 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

        2841 consecutive failure(s).
        Last success @ 2009-10-02 06:09:10.

CN=Schema,CN=Configuration,DC=XYX,DC=com
    Default-First-Site-Name\PFISRV02 via RPC
        DSA object GUID: a9176f7a-918b-4225-9c69-cfba7cc5a3b8
        Last attempt @ 2016-10-01 20:50:07 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

        2838 consecutive failure(s).
        Last success @ 2009-10-02 05:53:35.

DC=ForestDnsZones,DC=XYX,DC=com
    Default-First-Site-Name\PFISRV02 via RPC
        DSA object GUID: a9176f7a-918b-4225-9c69-cfba7cc5a3b8
        Last attempt @ 2016-10-01 20:50:07 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

        2836 consecutive failure(s).
        Last success @ 2009-10-02 05:53:35.

DC=DomainDnsZones,DC=XYX,DC=com
    Default-First-Site-Name\PFISRV02 via RPC
        DSA object GUID: a9176f7a-918b-4225-9c69-cfba7cc5a3b8
        Last attempt @ 2016-10-01 20:50:07 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

        2836 consecutive failure(s).
        Last success @ 2009-10-02 05:53:35.

Source: Default-First-Site-Name\PFISRV02
******* 15268 CONSECUTIVE FAILURES since 2009-10-02 06:39:17
Last error: 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.


Rejoin Computer to new domain automatically


Hi,

We have two different domains (Domain A & Domain B) with a two-way trust. How can we rejoin computers that are members of Domain A to be members of Domain B automatically?

Windows 10 Pro PCs cannot log into Windows 2008R2 domain after successful join


I purchased several Ultrabooks with Windows 10 Home on them. I upgraded them all to Windows 10 Pro. I successfully joined them to the domain and added the domain admin account as an administrator on the local machine. However, after reboot after the join, I cannot login as the domain administrator, nor as any user on the domain--I can only log in as the local admin account from which I worked when I first received the machines. The only "error" I get is that the password is incorrect--that's it. The password is correct, in the correct case, etc. It works on all other machines except these Windows 10 upgrades (there is another Windows 10 machine on the network from a purchase several months ago, and it works).  I have re-joined a couple of machines a couple of times.  Have done that with both wired and wireless connections--same result.  Have even tried external keyboards--no difference.  Any ideas what the issue is here?  Domain has Windows 7, 8.1, and Windows 10 machines working correctly on it.
