Channel: Directory Services forum

ADMT v3.2 Cross forest migration - Regular Groups sync between source and target


Hi,

I'm performing a cross forest migration with ADMT v3.2 over the course of several weeks.

I have successfully migrated user accounts and mailboxes from source to target with additional PowerShell scripts.

My question though is how do I ensure group membership is updated between source and target domains DURING the course of the migration?

Do I just run the Group wizard again (with an includes file) in ADMT? If so, which tick boxes do I select?

Is there a better way to do it?

Thanks
Nathan


Windows Server 2016 RTM Evaluation but Forest Functional Level is still Technical Preview


Hi

I have just installed the evaluation version of Windows Server 2016 RTM (released in the last week of September) and want to set up a new forest that could possibly end up being used in production (if the evaluation goes well).

However, when I go to configure the first domain controller in the forest, the highest functional level available in the drop-down list is 'Windows Server Technical Preview'. I was expecting to see something like 'Windows Server 2016', given that this is the evaluation version of the RTM software and not the technical preview.

I have double checked the version of the OS software (in case I had grabbed the wrong install set) but both winver and systeminfo state I am running 'Windows Server 2016 Standard Evaluation' - so I am pretty sure I haven't installed the TP5 version instead.

Does anyone know whether it is advisable to proceed with a production forest based on 'Windows Server 2016 RTM Evaluation' or do I have to wait until MS release another build?

Thanks in advance

Remove-ADOrganizationalUnit : Access is denied


I have a Windows Server 2008 R2 domain called sl13.mycompanytest.biz. I am running PowerShell on the server as a user that is a member of the following groups: Domain Admins, Enterprise Admins, Domain Users, Schema Admins, Organization Management.

I have created an OU called Test (OU=Test,DC=sl13,DC=mycompanytest,DC=biz).  This object is *not* marked with the protection from accidental deletion checkbox.  I can create and delete this OU just fine with the ADUC control panel applet.

When I try to remove the OU using PowerShell I get: Access is denied. When I look at the security tab for the entire domain (or the OU) I can see that Enterprise Admins has "full control" and all boxes checked, including all deletion options. However, when I click Advanced and click on Effective Permissions for the domain object (or the OU object), and enter the name of my administrative user (who is a member of Enterprise Admins), it shows he does not have full control and *none* of the deletion permissions are checked. If I enter the 'Administrator' username in the effective permissions box, I see the same thing: not full control, no deletion options checked. Both of these users can clearly delete anything they want through ADUC due to being members of Enterprise Admins, but for some reason, not through PowerShell.

Here is the PowerShell output:

PS C:\Users\nathan> Remove-ADOrganizationalUnit $ouToRemove -Recursive -Confirm:$false
Remove-ADOrganizationalUnit : Access is denied
At line:1 char:28
+ Remove-ADOrganizationalUnit <<<<  $ouToRemove -Recursive -Confirm:$false
    + CategoryInfo          : PermissionDenied: (OU=Test,DC=sl13,DC=mycompanytest,DC=
   biz:ADOrganizationalUnit) [Remove-ADOrganizationalUnit], UnauthorizedAcces
  sException
    + FullyQualifiedErrorId : Access is denied,Microsoft.ActiveDirectory.Manag
   ement.Commands.RemoveADOrganizationalUnit

So several questions:

1) Why would my effective permission differ in PowerShell and ADUC?

2) How in the heck would anything override the permission of the "Enterprise Admins" group to deny it delete permission?

3) How do I fix this? I see that there is an "Everyone" user who is specifically denied all delete permissions, but that should not overwrite my Enterprise Admin privileges, should it? And if so, why does it only overwrite them through PowerShell but not through ADUC?
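An added check (not part of the post above) for exactly this situation: it reads the OU's security descriptor through the AD: drive and lists every ACE that touches deletion, Deny entries first, so an explicit Deny such as the one on Everyone can be seen before a scripted Remove-ADOrganizationalUnit runs into it. The DN is the one quoted in the post and is an assumption.

```powershell
# Added example, not from the post: list every ACE on an OU that affects
# deletion, Deny entries first.
Import-Module ActiveDirectory

function Get-OuDeleteAces {
    param(
        # Assumption: the DN quoted in the post; replace with the OU being inspected.
        [string]$OuDn = 'OU=Test,DC=sl13,DC=mycompanytest,DC=biz'
    )
    # The AD: PSDrive (created when the ActiveDirectory module loads) lets Get-Acl
    # read the security descriptor of a directory object.
    $acl = Get-Acl -Path "AD:\$OuDn"

    # Rights involved in removing the OU itself, its children, or the whole subtree.
    $deleteRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

    $acl.Access |
        Where-Object { ([int]($_.ActiveDirectoryRights -band $deleteRights)) -ne 0 } |
        Sort-Object AccessControlType -Descending |   # Deny (1) sorts before Allow (0)
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      IsInherited, InheritanceType
}

# An explicit Deny for a principal every account belongs to (Everyone, Authenticated
# Users) is evaluated before explicit Allow ACEs, so it blocks Enterprise Admins too;
# the "Protect object from accidental deletion" checkbox is implemented as such a
# Deny ACE for Everyone on Delete and DeleteTree.
Get-OuDeleteAces | Format-Table -AutoSize
```

The function only reads the ACL; nothing is changed, so it is safe to run on the domain head as well as on the OU.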

forgot outlook pst file password

Is there a safe PST password tool/site? I've got $100,000s of lost product keys and business data in older emails with a forgotten password! HELP!!!!

How to identify the computer name using SID?


Hi,

I have the SID for one of the computers and want to know the hostname or IP of that computer.

Is there any way to get this?

Thanks in advance!


vicky

ADFS 3.0 and ADFS 2.0


Hello,

We are using ADFS 3.0 in our organisation, but one of our customers has Windows 2008 R2.

We have only tested ADFS 3.0 with another ADFS 3.0. I was wondering if a deployment with ADFS 3.0 at our end and ADFS 2.0 at the customer's end would work?

Regards,

P.

Active Directory Replication Issues


Hello,

We have a virtual infrastructure with 2 Domain Controllers present (DC1 and DC2 for reference).  DC1 holds all FSMO roles and is server 2012.  DC2 holds the Certification Authority Service and is server 2008.

The person that was performing the Windows updates last week had issues with the DC2 updates and could not access the server. As a precaution, they had created a snapshot of the server before the updates on DC2 and reverted to it once they could not access the machine. It has been discovered that, since this was done, there have been DC replication errors.

On DC2, I ran the command "repadmin /syncall /AeD".  Every answer came back with the message "SyncAll terminated with no errors."

I then followed the post that was marked as the answer in the topic https://social.technet.microsoft.com/Forums/windowsserver/en-US/459fbea4-0380-4e8e-b32c-072ad0256d81/netlogon-service-stops-after-ever-restart-on-dc?forum=windowsserver2008r2general, which mentioned that deleting the registry key "DSA Not Writable" (REG_DWORD, value 0x4) located within "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" and then restarting the server might fix the issue. This removed the "The Active Directory Domain Services database has been restored using an unsupported restoration procedure" error message, but I am still getting the "Outbound replication has been disabled by the user" and "Inbound replication has been disabled by the user" warnings.

The information I found suggested that I should fix the metadata for DC2 after forcing the server off the Domain with dcpromo.  This is not possible due to the server running the Certification Authority Service.  I would restore via backups but too much data had been written to the DC2 before this was discovered and a restoration of the server would cause too many issues.

Any ideas on how to get this replication working again? It has caused login issues when a server was trying to authenticate via DC2 before DC1, and I am unsure what other issues could be caused.

Thanks

Below are the error messages for this issue on DC2:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          27/09/2016 21:09:48
Event ID:      2095
Task Category: Replication
Level:         Error
Keywords:      Classic
User:          DOMAIN\DC1$
Computer:      DC2.DOMAIN.LOCAL
Description:
During an Active Directory Domain Services replication request, the local domain controller (DC) identified a remote DC which has received replication data from the local DC using already-acknowledged USN tracking numbers.

Because the remote DC believes it is has a more up-to-date Active Directory Domain Services database than the local DC, the remote DC will not apply future changes to its copy of the Active Directory Domain Services database or replicate them to its direct and transitive replication partners that originate from this local DC.

If not resolved immediately, this scenario will result in inconsistencies in the Active Directory Domain Services databases of this source DC and one or more direct and transitive replication partners. Specifically the consistency of users, computers and trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data may vary, affecting the ability to log on, find objects of interest and perform other critical operations.

To determine if this misconfiguration exists, query this event ID using http://support.microsoft.com or contact your Microsoft product support.

The most probable cause of this situation is the improper restore of Active Directory Domain Services on the local domain controller.

User Actions:
If this situation occurred because of an improper or unintended restore, forcibly demote the DC.

Remote DC:
e989faee-3cda-4f2e-91c3-a20f993d4e55 (DC1.DOMAIN.LOCAL)
Partition:
DC=DOMAIN,DC=LOCAL
USN reported by Remote DC:
12876327
USN reported by Local DC:
12876192

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
    <EventID Qualifiers="49152">2095</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-27T20:09:48.271799500Z" />
    <EventRecordID>7393</EventRecordID>
    <Correlation />
    <Execution ProcessID="508" ThreadID="2184" />
    <Channel>Directory Service</Channel>
    <Computer>DC2.DOMAIN.LOCAL</Computer>
    <Security UserID="S-1-5-21-3333000009-351869350-3691052627-6150" />
  </System>
  <EventData>
    <Data>e989faee-3cda-4f2e-91c3-a20f993d4e55 (DC1.DOMAIN.LOCAL)</Data>
    <Data>DC=DOMAIN,DC=LOCAL</Data>
    <Data>12876327</Data>
    <Data>12876192</Data>
    <Data>Ignore USN Rollback</Data>
    <Data>Dsa Not Writable</Data>
  </EventData>
</Event>

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          27/09/2016 21:09:48
Event ID:      2103
Task Category: Service Control
Level:         Error
Keywords:      Classic
User:          DOMAIN\DC1$
Computer:      DC2.DOMAIN.LOCAL
Description:
The Active Directory Domain Services database has been restored using an unsupported restoration procedure.

Active Directory Domain Services will be unable to log on users while this condition persists. As a result, the Net Logon service has paused.

User Action
See previous event logs for details.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
    <EventID Qualifiers="49152">2103</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>12</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-27T20:09:48.287423500Z" />
    <EventRecordID>7394</EventRecordID>
    <Correlation />
    <Execution ProcessID="508" ThreadID="2184" />
    <Channel>Directory Service</Channel>
    <Computer>DC2.DOMAIN.LOCAL</Computer>
    <Security UserID="S-1-5-21-3333000009-351869350-3691052627-6150" />
  </System>
  <EventData>
  </EventData>
</Event>

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          27/09/2016 21:09:48
Event ID:      1113
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          DOMAIN\DC1$
Computer:      DC2.DOMAIN.LOCAL
Description:
Inbound replication has been disabled by the user.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
    <EventID Qualifiers="32768">1113</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-27T20:09:48.301094500Z" />
    <EventRecordID>7395</EventRecordID>
    <Correlation />
    <Execution ProcessID="508" ThreadID="2184" />
    <Channel>Directory Service</Channel>
    <Computer>DC2.DOMAIN.LOCAL</Computer>
    <Security UserID="S-1-5-21-3333000009-351869350-3691052627-6150" />
  </System>
  <EventData>
  </EventData>
</Event>

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          27/09/2016 21:09:48
Event ID:      1115
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          DOMAIN\DC1$
Computer:      DC2.DOMAIN.LOCAL
Description:
Outbound replication has been disabled by the user.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
    <EventID Qualifiers="32768">1115</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-27T20:09:48.301094500Z" />
    <EventRecordID>7396</EventRecordID>
    <Correlation />
    <Execution ProcessID="508" ThreadID="2184" />
    <Channel>Directory Service</Channel>
    <Computer>DC2.DOMAIN.LOCAL</Computer>
    <Security UserID="S-1-5-21-3333000009-351869350-3691052627-6150" />
  </System>
  <EventData>
  </EventData>
</Event>

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          03/10/2016 15:41:51
Event ID:      2103
Task Category: Service Control
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC2.DOMAIN.LOCAL
Description:
The Active Directory Domain Services database has been restored using an unsupported restoration procedure.

Active Directory Domain Services will be unable to log on users while this condition persists. As a result, the Net Logon service has paused.

User Action
See previous event logs for details.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="49152">2103</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>12</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-10-03T14:41:51.828125000Z" />
    <EventRecordID>7527</EventRecordID>
    <Correlation />
    <Execution ProcessID="508" ThreadID="2992" />
    <Channel>Directory Service</Channel>
    <Computer>DC2.DOMAIN.LOCAL</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
  </EventData>
</Event>
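An added read-only check, not from the post, that gathers the three indicators of the USN rollback state quoted above on the local DC (the "Dsa Not Writable" registry value, the inbound/outbound replication flags reported by repadmin, and events 2095/2103/1113/1115) so the condition is confirmed before anyone edits the registry or demotes the server. The registry path and event IDs are the ones in the post; the function name is an assumption.

```powershell
# Added example, not from the post: report the USN rollback indicators on this DC.
function Test-UsnRollbackIndicators {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # 1. The marker NTDS writes when it detects the rollback (the post saw 0x4).
    $dsaNotWritable = (Get-ItemProperty -Path $params -Name 'Dsa Not Writable' `
                           -ErrorAction SilentlyContinue).'Dsa Not Writable'

    # 2. The replication flags the DC sets on itself; repadmin prints them as
    #    "Current DSA Options: ... DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL".
    $options     = (& repadmin /options 2>&1) -join ' '
    $inboundOff  = $options -match 'DISABLE_INBOUND_REPL'
    $outboundOff = $options -match 'DISABLE_OUTBOUND_REPL'

    # 3. The events quoted in the post, newest first, from the Directory Service log.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'Directory Service'
                  Id      = 2095, 2103, 1113, 1115
              } -MaxEvents 50 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id,
                            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        DsaNotWritable    = $dsaNotWritable        # $null when the value is absent
        InboundDisabled   = $inboundOff
        OutboundDisabled  = $outboundOff
        RollbackSuspected = ($null -ne $dsaNotWritable) -or $inboundOff -or $outboundOff
        RecentEvents      = $events
    }
}

$state = Test-UsnRollbackIndicators
$state | Format-List Computer, DsaNotWritable, InboundDisabled, OutboundDisabled, RollbackSuspected
$state.RecentEvents | Format-Table -AutoSize
```

Removing the registry value alone clears event 2103 but, as the post shows, leaves the two replication flags set; this report makes that gap visible.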

Dcdiag failed test VerifyReferences, root cause known!


Hi,

The PDC ran out of disk space; I increased it and the initial logon problems disappeared. But DCDIAG reports the following.

 Some objects relating to the DC PDC01 have problems:
    [1] Problem: Missing Expected Value
     Base Object: CN=PDC01 ,OU=XXX,OU=Domain Controllers,DC=xxx,DC=xxx,DC=xx
     Base Object Description: "DC Account Object"
     Value Object Attribute Name: frsComputerReferenceBL
     Value Object Description: "SYSVOL FRS Member Object"
     Recommended Action: See Knowledge Base Article: Q312862

How do I fix it?

Running DCDiag on other DCs in the domain reports no issues.

Thanks for any input


Deleting object protected by accidental deletion on server 2012?


Hi Guys,

I have an OU protected from accidental deletion (as per best practice).

I now want to delete this OU but obviously can't. What's the way to do this?

I've tried a few suggestions like Right click OU > properties > xyz but xyz does not exist.

My DCs are on Windows Server 2012 (both OS and functional levels). I am also logged in as domain admin.

Thanks


EDIT: Thread can be closed. Solution was to enable advanced view, and then go properties > object and check there to disable. :)

no "Kerberos Authentications/sec" and "NTLM Authentications/sec" perfcounter in Windows 2008?


Can anybody help me figure out where the NTLM Authentications/sec and Kerberos Authentications/sec are in Windows 2008? I see that there is NTLM Binds/sec. This is probably the old NTLM Authentications/sec. Is that true? Where is Kerberos Authentications/sec?

Thanks,

Serg

thumbnailphoto resize



Hi all,

I'm facing an issue where there are 194 pics which need to be resized to 10 KB in AD.

I wanted a script that will list all the pics that are > 10 KB in AD and will resize them automatically to 10 KB.

At least if I can get a script to list all users with a thumbnailPhoto attribute > 10 KB, with user details, that would help.

Your reply would be appreciated.

https://gallery.technet.microsoft.com/office/Office-365-thumbnailPhoto-e2755b03#content

The above script only fetches the number of photos which are large, but no usernames / emails are fetched.


tfernandes
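An added example, not the gallery script linked in the post, covering the listing half of the request: it finds every user whose thumbnailPhoto is larger than a byte limit and reports the identifying details that script omits. The 10 KB limit comes from the post; searching the whole domain and the CSV file name are assumptions.

```powershell
# Added example, not from the post: list users whose thumbnailPhoto exceeds a limit.
Import-Module ActiveDirectory

function Get-OversizedThumbnailPhoto {
    param(
        [int]$MaxBytes = 10KB,                                   # limit from the post
        [string]$SearchBase = (Get-ADDomain).DistinguishedName   # assumption: whole domain
    )
    # Only users that have a photo at all; AD returns the attribute as a byte array,
    # so its Length is the stored size in bytes.
    Get-ADUser -Filter 'thumbnailPhoto -like "*"' -SearchBase $SearchBase `
               -Properties thumbnailPhoto, mail, DisplayName |
        Where-Object { $_.thumbnailPhoto.Length -gt $MaxBytes } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DisplayName       = $_.DisplayName
                Mail              = $_.mail
                PhotoBytes        = $_.thumbnailPhoto.Length
                DistinguishedName = $_.DistinguishedName
            }
        } |
        Sort-Object PhotoBytes -Descending
}

# Report only: nothing in the directory is modified.
$oversized = Get-OversizedThumbnailPhoto
$oversized | Format-Table SamAccountName, DisplayName, Mail, PhotoBytes -AutoSize
$oversized | Export-Csv -Path .\oversized-thumbnailphotos.csv -NoTypeInformation
```

Because thumbnailPhoto is replicated to every DC and global catalog, reviewing this list before any bulk rewrite keeps the change (and its replication traffic) limited to the accounts that actually exceed the limit.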

What is UDP port 389 used for?


What is UDP port 389 used for?

Answer = LDAP queries. But what I am trying to find out is what happens if this port\protocol combo is blocked on a firewall, for example on the PDCE. What happens? What are the implications?

If I run c:\temp>portqry /n TargetServer /p TCP /e 389

I get a stack of responses. If however I run portqry /n TargetServer /p UDP /e 389

I get "UDP port 389 is listening".

How's this for a guess? With DNS we enable port 53 on TCP and UDP. I believe UDP is enabled and used if the DNS payload breaches what TCP can hold. So is the same thing going on here with LDAP UDP port 389, in that the payload is too much for TCP and so UDP gets used? I have searched Microsoft and can't see a reference to what it actually does or the implications of turning it off.

This is related to a problem I am looking at and not just a nice to know type thing.

Thank you for looking.

Active directory counter question


Hi all.

I have a few AD performance counters which I understand what they do and how to monitor them but I'm looking for some info on what is normal reading for the following 3 counters.

    • \NTDS\ATQ Outstanding Queued Requests
    • \NTDS\ATQ Request Latency
    • \NTDS\ATQ Estimated Queue Delay

I understand the 'how long is a piece of string' argument but there must be some guidelines out there that indicate at what setting a problem could potentially arise???

Many thanks

accessing a UNC Share via Alias name prompts for credentials


Good day,

We have a file share that is accessed via DNS Alias of \\image

When I am on the server that hosts this share and type \\image, it prompts me for credentials. If I type \\servername it does not.

Any ideas why that would be? When accessing it from another server or workstation I don't get prompted, whether via the alias or the server name.


Steve J.

how to setup active directory sites and services in same subnet.


Hi,

I have created two sites, but I have not assigned an IP address to the "subnet" in Active Directory Sites and Services because I am running both sites in the same subnet, e.g. site A 192.168.0.1 and site B 192.168.0.2.

I am getting the below error during replication. Please, can anybody help me with this issue?

Thank you


Authentication to wrong DC


Hi All,

Just a weird scenario we're experiencing now. We didn't have any changes on the server side or anything for almost 2 years, but since last week 3-5 users are logging on to another DC from the other site. The thing is, we tried all the troubleshooting procedures we saw on the web and checked all the DC setup, and it's all fine. We think that this is an isolated issue because not all users are affected. Is there something you can suggest to check or to troubleshoot on the client side?

Thanks,

Ken

Assigning the ability to change owner of an OU to a security group


I write powershell scripts for my campus that run against a domain which is over 6 campuses. Here are the parameters:

We have 6 campuses with 2 to 8 techs at each campus.

All techs can create classes in the Distance Learning OU.

Each campus has a security group for their own techs.

All tech security groups have read access and change password access to every user in the Distance Learning OU.

Each class has its own OU, located under the Distance Learning OU, to hold its student users.

Each class is made by a tech, not necessarily only 3-4 techs. Could be any of us.

The problem occurs when the tech that created the class is not at work and something needs to be fixed in that OU, or it needs to be deleted. Only the domain administrators group or the tech that created the class has permission to do that.

We don’t want techs on other campuses to be able to delete the classes that I create under Distance Learning, only techs from my campus. Boss thinks I need to fix the script that makes users for my campus, so that our campus tech group is the owner of the OUs that I create.

The AD structure looks like this:

Distance Learning
....Class Descriptor
........Class 1 (created by a tech in the TechA Group)
............Student 1
............Student 2
........Class 2 (created by a tech in the TechB Group)

We would like to make the owner of the Class 1 OU, the TechA security group.

This is what I know, so far:
To change the owner to someone other than yourself, you need the Restore Privilege.

The Restore Privilege contains the following access rights:
• WRITE_DAC
• WRITE_OWNER
• ACCESS_SYSTEM_SECURITY
• FILE_GENERIC_WRITE
• FILE_ADD_FILE
• FILE_ADD_SUBDIRECTORY
• DELETE

We would like to limit the privilege or rights to hit the smallest target possible so as to minimize the security risk. But from what I read, the Restore privilege is assigned via GPO on the host machine. So it would encompass the entire server!
I don’t know if all 7 rights are needed just to change the owner. Possibly we could reduce this requirement.

Assuming this privilege/right can be cut down to a manageable risk, I don’t even know how to assign Write-DAC, for instance, to a security group.

Before anyone asks, I have looked at delegation. But we create these classes and delete them, every semester. Maybe I just don't know enough about delegation, but I haven't found any information in delegation that would help with what we are trying to achieve.

You know, I am not a programmer. But for what they ask me to do, I really should be. (And be paid like one as well!) Any and all suggestions are welcome.
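An added example, not the poster's script, showing a narrower alternative to the ownership change discussed above: rather than granting the host-wide Restore privilege so a tech can set another group as owner, the script that creates a class OU adds one explicit ACE on that OU giving the campus tech group the rights the "absent tech" case needs (modify, change ACL and owner, delete with children). The OU DN, the group name and the function name are assumptions.

```powershell
# Added example, not from the post: delegate control of one class OU to a group.
Import-Module ActiveDirectory

function Grant-ClassOuControl {
    param(
        [Parameter(Mandatory)][string]$OuDn,       # assumption: the new class OU's DN
        [Parameter(Mandatory)][string]$GroupName   # assumption: e.g. 'TechA'
    )
    $group = Get-ADGroup -Identity $GroupName      # .SID is already a SecurityIdentifier

    # Scoped to this OU and its contents only; no SeRestorePrivilege, no change of owner.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead  -bor
              [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
              [System.DirectoryServices.ActiveDirectoryRights]::CreateChild  -bor
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild  -bor
              [System.DirectoryServices.ActiveDirectoryRights]::Delete       -bor
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree   -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl    -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    # Inheritance "All" applies the ACE to the OU and every object created under it,
    # so the student accounts are covered without touching any other class OU.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl

    # Read back what is now in effect for the group on this OU.
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference -like "*\$($group.SamAccountName)" } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType
}

# Example call with assumed names; run by the tech's existing creation script right
# after New-ADOrganizationalUnit, while the creator still has full control.
Grant-ClassOuControl -OuDn 'OU=Class 1,OU=Class Descriptor,OU=Distance Learning,DC=campus,DC=example' `
                     -GroupName 'TechA'
```

If the class OU is created with "Protect object from accidental deletion" set, that Deny ACE for Everyone still blocks deletion for the group until it is cleared on the OU.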

Access denied to SMB access for domain users


Dear All,

I have a Windows 2008 R2 File Server failover cluster which is in production. As part of a DR failover test I have created another standalone Windows 2008 R2 server with the File Server role enabled.

Currently the file server disk is replicated to DR with a 3rd party product, and during failover the production cluster role is taken offline and the production disk is attached to the DR standalone machine (with the same disk signature, and re-sharing the folder with no permission issue).

Once the disk is attached to the DR host, I change the "Cluster Role" DNS "A" record IP address to point to the DR server.

When the users are trying to access their home folder or a shared folder using SMB, they get an access denied error. I tried \\hostname and the FQDN (same access denied error).

When I log in to any workstation or server as local administrator I can access the same SMB share using \\hostname and the FQDN, and it works fine.

Moreover, when I disable the cluster role computer object, domain users can access it.

Any idea about the access denied error?

Active Directory Profile On Mac OS


Hey

We have Active Directory set up with the users etc., but we want to be able to use it to log in to our Macs.

I've set it up so far so that you can log in to Active Directory and the test Mac computer is connected to the domain etc., but what I want to be able to do is share the files across both platforms.

How can you set up Active Directory so that when you save something in your profile it then syncs and loads on the Mac desktop or any other computer so that you have all your files, basically a roaming profile? We don't want files stored on the Mac; we want them stored on the server.

Logging in


Hi Everyone,

When I log in to my college's domain it tells you the status when logging in, for example 'Please wait for the user profile service' then 'Applying mapped drives policy' etc. When I log on to my newly created domain at home it just says 'Welcome'. How can I get it to show its status when logging in, for example 'Please wait for the user profile service'?

Thanks

Nicholas

@NicholasHayman
