Channel: Directory Services forum

GET-ADUser, enabled and disabled users..AND NULL users...

I'm trying to grab an AD listing, with the enabled/disabled status for all AD users (with some minor exceptions).

In 4.000 users, more than 140 show the Enabled/Disabled status as NULL.

With the PowerShell command, and even targeting a different DC, the result is the same:

Get-ADUser -server srv-dtc-018 -Filter 'samaccountname -ne "administrator" -and samaccountname -ne "krbtgt" -and samaccountname -like "*" -and samaccountname -notlike "svc-*" -and samaccountname -notlike "*-adm"' -properties samaccountname,enabled,name | ft samaccountname,enabled,name -A

The other Get-ADUSer command, but using Select-Object, shows the same problem:

Get-ADUser -server srv-dtc-018 -Filter 'samaccountname -ne "administrator" -and samaccountname -ne "krbtgt" -and samaccountname -like "*" -and samaccountname -notlike "svc-*" -and samaccountname -notlike "*-adm"' -properties samaccountname,enabled | Select-Object -Property samaccountname,enabled 

I noticed that most of the NULL users are DISABLED users, but Get-ADUser can't detect that the user was disabled?

EXAMPLE OF THE OUTPUT:

samaccountname  enabled

lcaldas         False
aaheleno
ABARBOZA
acaraujo
ACOMERIO
acronis
ALARIBEIRO
fcarneiro       False
shipolito       True
acgois          True
voliveira       True

...

...




Domain controller server crashed!

Dear,

I have a server (VMware machine) with Win 2008 R2 OS working as a Domain Controller with DNS, Active Directory and DHCP roles active on it.

It was working perfectly for 3 years with Symantec End Point Protection Anti Virus, but it was hit by the XTBL virus, which crashed all system files and changed their extensions to .xtbl!

I have now decided to solve the issue by creating another VM to act as a backup server and replicate DNS, AD and DHCP to replace the old affected one.

What do you think about this solution?

If this is OK, what is the best way to do it safely without affecting the users?

If this is not the best solution.. Could you advise please?

Thanks.

Alaa Shantaf

Tel: 00966560758080

email: aloosh02@hotmail.com 

The "Desktop Wallpaper" Group Policy setting is not applied.

Hi Sir / Madam,

I am Vivek Dwivedi. I tried several times to "apply the desktop wallpaper group policy in Windows 10" but I have not succeeded. After joining the domain (Windows Server 2012 R2), all policies are working except the desktop wallpaper policy, which is not working on the Windows 10 client system. But this policy is working on the Windows 7 client system. Please reply, sir / ma'am.



There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.

Hi,

I'm implementing ADFS for one of our customers.

When I tried to access https://sts.<company name>.com/adfs/ls I'm receiving the following error.

Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Any idea??

Thanks..

Active Directory Administrative Center - tabs missing in user properties

Hi,

Over the last week or so, I've noticed that the tabs in the Extensions section of a user's properties in ADAC are missing. The only displayed tab is the COM+ one. This has been fine for around a year but has suddenly stopped working. This is only the case in user properties; in other object types the tabs are displayed OK.

Can anyone help?

Thanks :)

AD LDS (ADAM) doesn't sync mail-enabled groups

Hello everyone,

There is an AD built on Windows Server 2012 R2. From that AD, the other server (same OS), placed in the DMZ, should be syncing users, groups and OUs to its LDS database.

Users are synced properly.
OUs are synced properly.

But only GROUPS created in AD (without mail address) are synced. The mail-enabled groups are not synced. It doesn't matter if the group is global or universal.

Our last idea, still to be tested, is whether the situation gets better after we extend the LDS schema.

Has any of you met a similar issue, or do you have ideas?

Thank you !


Content Freshness in DFSR

Hi,

Just want to know what the possible impact will be if we do not enable Content Freshness/MaxOfflineTimeInDay on DCs.

link contact to user??

Is there a way to link a contact to the corresponding user account? We want to create a bunch of new Contacts in AD, and each contact will correspond to an existing user account in AD.

User ID: John Q. Public

Contact: John Q. Public

Or are they always going to be separate records within the AD database?


mqh7


Raising Functional Level with Combined DC+CA

Hello All. We have a Domain Controller that is also hosting a Root CA Server based on Windows Server 2008. The DC does not have any FSMO Roles. This is the only DC that is based on Windows Server 2008; all other DCs are based on Windows Server 2012.

Question: We want to raise the Functional Level to 2012, but we are unable to do so because of the presence of the Windows Server 2008-based DC. We have tried uninstalling the DC Role from the server, but it does not allow it, as it is running the Root CA as well. What can be the possible solution to this?

Logonserver variable filled, but user NOT logged to that server

Recently, for no reason, lots of my users seem to have a problem with SSO (for Internet access).

I narrowed it down to the fact that the user (on Windows 7 x64) logs in to the domain (Server 2012 R2), the logonserver variable does get filled, so it looks like the user is logged in to this server, but in fact on the server itself the user is NOT authenticated/logged in.

Used PSTools/PsLoggedon64 on Domain Controller in question.

But it is not just one DC, it could be ANY in my environment.

Never seen anything like that previously

Anybody any idea?

Seb

Active Directory JRNLWRAP Error

Hi,

The primary domain controller in our estate is currently in Jrnlwrap. This is the first time this has happened and I suspect it was down to an unscheduled reboot. The domain controllers do not use DFS; for some reason they use the older FRS.

There are 10 other domain controllers, none of which have any issues.

OS 2008 R2

Functional level 2008 R2.

The suggested fix and one which I intend to apply is the Burflags D2 fix. I would like some advice regarding this.

1. Some forums suggest the B2 fix will stop the domain controller servicing clients; is this true? (I understand sysvol etc. will be unavailable.)

2. From what I can find, there is no reason to move the FSMO roles; would anyone suggest otherwise?

3. If the Burflags d2 fix does not work I may try the D4 fix, as above should I move the FSMO roles etc?

Any other gotchas?

Thanks

Branch office AD connectivity

Hi, we have a number of branch offices, or remote data centers rather, where some of the networks are not routed (for various reasons) over the WAN link to the central data center. The remote data center has two RWDCs from the central domain in order to authenticate users and provide domain join functionality etc. These RWDCs are on networks with routes to both the central site as well as the local, non-WAN routed networks. We have AD sites set up with all subnets for all remote data centers as well as the central data center, with site links set up in a star topology, all remote sites replicating only to the central data center.

In some scenarios, particularly domain joins, where the client does not yet know its AD site belonging, it will of course query DNS to locate any AD server in the domain. I assume the SRV records in e.g. _ldap._tcp.dc._msdcs.<domainname> will be used. But since these records contain AD servers from other sites, is there a best practice on how to force the domain join to occur towards the local RWDC only? Using "netdom join /domain:domain\dc" seems to be one option but may not work in all install scenarios.

Schematic picture:

AD roles are still showing in server manager after demotion.

Hi,

I had an additional domain controller and there was some problem with it, so I decided to demote and repromote it. I demoted it with the dcpromo /forceremoval command. But after reboot, all AD services such as AD and DNS still show as installed, but the services are in disabled mode. I even tried to remove them manually from the remove roles option in Server Manager, but I am unable to do it.

Kindly help on it.

Regards,

Jitendra

Login Problem

When the user logs onto their computer they get a warning stating that their password has expired and they need to change it. The user attempts to change the password, but when they put in their old password and put in their new password and hit enter they get an error stating "Logon failure, the specified account password has expired". Password policy is defined. Maximum age is 30 days. Minimum password age is 0 days.

Server 2003 and Windows 7

LDS: Map 'msRTCSIP-PrimaryUserAddress' to 'mail'

I am looking to see if the following scenario is possible. 

I have AD successfully syncing users into an LDS instance. In Active Directory, the users have their 'mail' attribute configured as their email address, and the 'msRTCSIP-PrimaryUserAddress' attribute configured as their SIP address for Lync. The users that are syncing into the LDS server will be migrating to Cisco Jabber and I am forced to use the 'mail' attribute for everything within the Cisco environment. Since I will be federating Cisco IM&P/Jabber with Lync, I need to be able to look up users by their SIP address. The only solution that I can come up with would be to map the 'msRTCSIP-PrimaryUserAddress' in AD to their 'mail' attribute in LDS.

Is there something that can be done during the user sync? Or, maybe a PowerShell script?

Any help would be appreciated. 

Thanks,
Adam

Introducing a Windows Server 2016 Domain Controller

Our domain controllers are currently Windows Server 2012 R2 and Windows Server 2008 R2.

Our Domain Functional Level is still Windows Server 2003.

Our Forest Functional Level is still Windows Server 2003.

We have one Windows Server 2003 R2 Terminal Server that we hope to FINALLY have retired in a few more months.

We have an Exchange 2010 server.

All workstations are Windows 7.

We would like to replace our Windows Server 2008 R2 domain controller with a Windows Server 2016 domain controller.

Does anyone see any issues with having a 2016 DC in the above domain?

JamesNT


ATTENTION MODERATORS: I do indeed mark responses as answers after I have had time to test said response and verify that it works. Please do NOT assume you speak on my behalf by marking responses to my questions as answers. Mass-proposing responses as answers gets on my nerves, too. Thank you.

DNS not resolving to the good mail server

Hi, I got a problem here I hope someone could help me with.

One of my customers has a Windows Server 2012 Standard 64-bit.
It's a business with a single server doing the AD.

Got an AD already configured and working. His domain mail server
is hosted by the ISP. The ISP just changed/updated all his mail servers.
Since then my customer won't receive his mail. At my shop we got the
same ISP. Doing the ping command for the mail domain from my shop
and from my customer's server, both ended on the wrong server.
Contacted the ISP; he told me something hadn't updated right and
now it will be OK. The ping from my shop is now OK but not from my
customer's server.

I've tested something else. From the IP configuration of the server
in the advanced / DNS tab, put the ISP DNS in front of the 127.0.0.1,
done the flushdns command and restarted the DNS service and now
the ping command ended on the good one.

I was always told that my main DNS server should always be the server
itself in those kinds of configurations, else all things tried to be accessed from
the network will be slow. The ISP DNS should be the secondary one.

Of the things I've tried: flushdns command + restarting the DNS service + disabled
IPv6 on my network card.

Anybody able to help me with this problem? I really don't know what to do or
check next.

Any help will be appreciated.

Eric P.


Account Operators Question

When a new group is created, the Account Operators group is automatically added to the Security of the new group. Is there anything anyone can think of that would cause this group not to be added to the Security of a new group?

Reverse DNS timestamp mismatch on different DNS server

I noticed recently that the reverse DNS entry timestamps differ between my domain controllers.  The local DNS server has the correct timestamps, but other domain controllers in my environment may have a timestamp that is years off.  This is happening across all 4 of my DC's.  Any ideas as to what may be causing this?

Local account to domain, retain Office 365 license

Hello fellow geeks,

I plan to join workstations to a domain, and some of them have MS Office with Office 365 accounts. My question is: will there be a need to reapply the license again if I add a computer to a domain, and the local account won't be used anymore, but a domain account? Or if I just convert the local profile to a domain profile, will everything stay the same?

Any help is welcome, thanks :)
