Channel: Directory Services forum

home folder for each aduser


Our teacher gave us an assignment to create a folder for each user in Active Directory; for example, for the username "bob 2" the folder name is "bob 2". He gave us a script that looks like this:

$folder=get-aduser -searchbase "ou=finance,dc=adatum,dc=com" -filter * | select-object {$_.givenname}
$folder > folder.txt
$users = get-content "c:\folder.txt"
foreach ($user in $users)
{
$newpath = join-path "c:\adatum\finance\fusers" -childpath $user
new-item $newpath -itemtype directory
}

I tried to use the script several times, but the only result I get is the creation of 2 folders in the target path, one named givenname and the other ....... What should I change in the script in order for it to work?
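A corrected version, added here as an example and not the teacher's script. It assumes the RSAT ActiveDirectory module and the OU and base path from the post; the domain's NetBIOS name is read from AD rather than hard-coded. The two defects in the posted script are marked in the comments.

```powershell
# Added example (not the script from the post): one folder per user in the OU.
# Assumes the RSAT ActiveDirectory module and the OU/path used in the post.
Import-Module ActiveDirectory

$SearchBase = 'OU=finance,DC=adatum,DC=com'
$BasePath   = 'C:\adatum\finance\fusers'
$NetBios    = (Get-ADDomain).NetBIOSName

# Defect 1: Select-Object {$_.givenname} returns objects with a calculated property
# literally named "$_.givenname"; redirected to a file that produces a header line,
# a dashed line and then the values, and those lines become folder names.
# Defect 2: the file was written to .\folder.txt but read back from C:\folder.txt.
# Both go away by using the user objects directly instead of a text file.
$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties GivenName |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.GivenName) }

if (-not (Test-Path -Path $BasePath)) {
    New-Item -Path $BasePath -ItemType Directory | Out-Null
}

foreach ($user in $users) {
    # GivenName is free text in AD; replace characters that are illegal in a folder name.
    $folderName = $user.GivenName -replace '[\\/:*?"<>|]', '_'
    $newPath    = Join-Path -Path $BasePath -ChildPath $folderName

    if (Test-Path -Path $newPath) {
        Write-Warning "Skipping $($user.SamAccountName): $newPath already exists"
        continue
    }
    New-Item -Path $newPath -ItemType Directory | Out-Null

    # Grant the owner Modify on the folder and everything created inside it. What other
    # users can see is still decided by the ACL inherited from $BasePath, so that base
    # folder should not grant Domain Users read access on the whole tree.
    $acl  = Get-Acl -Path $newPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$NetBios\$($user.SamAccountName)",
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $newPath -AclObject $acl
    Write-Host "Created $newPath for $NetBios\$($user.SamAccountName)"
}
```

The script keeps the assignment's rule of naming the folder after GivenName, but note that GivenName can be empty or shared by two users (two people called Bob), which is why real home-folder scripts key the folder on SamAccountName, which is unique in the domain.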


Domain Controller few test are getting timedout


Hi,

Can anyone tell me what could be the cause of these timeout errors?

Netlogons Test TimeOut
Replications Test TimeOut
Advertising Test TimeOut
FSMOCheck Test TimeOut
KccEvent Test TimeOut
FrsEvent Test TimeOut

When I run " dcdiag /q /e /skip:systemlog" I got below message.

DC Failed test Connectivity. Both IPV4 and IPV6 channels are disabled on all adapter cards of the local server. Hence no connectivity to the server. Got error while checking LDAP and RPC connectivity. Please check your firewall settings.




Error 1053

I have a DC running on Windows Server 2012 R2. Now I have this error message and users can't log on to their computers: (This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.)

Where can we use Managed Service Accounts? (gmsa)


As gMSAs are quite old now, is there any matrix, table or something that gives us info on where the use of gMSAs is supported in the Microsoft world?

I know it's supported in SQL Server, but what about System Center, for example?

Regards, Michael

Format AD and Reinstall Win Server 2012


Hi

I have an old AD server, 2008 R2, and I want to format it and install Windows Server 2012.

In my company I have 35 users connected to AD 2008 (I didn't make any roles or groups).

Now, when I format it, how will I rejoin the 35 users to the new Server 2012?

Thanks 

Why ADFS communicates with SAML2 token


Hi,

Is it possible to set up ADFS to communicate with SAML2? In the communication I see only a SAML1 token.

I use Windows Server 2012 R2.

Thanks for your response.

List all users in department (with wildcard)


Hi

I need to get a list of all users in some departments, but the problem is that some of the departments have "?" in them because of international letters.

Is there a way to list all users in a department while searching for just one of the words in the department description?

SHA1 Certificate Template on Windows Server 2008R2


Hello all,

We have a Windows 2008R2 Server that is acting as a certificate authority in our local domain. This originally went in because we had a few sites that were only running internally and our application team wanted SSL certs to be applied to the sites, so we stood up this server in order to process these cert requests.

The issue is that the hash algorithm is using SHA1 and needs to be changed to SHA256 as SHA1 is on its way out the door.

I am not concerned about the certs that we have manually distributed, but it appears pretty much every domain-attached machine has also been issued a certificate using the "Computer (Machine)" template.

If I look to change the hash algorithm from SHA1 to SHA256, do I have to be concerned about these machines, or will they just get re-issued a new certificate when they need one?

Thanks

Mike



Enabling inheritance from Parent


Greetings

Got a task to enable inheritance on all users in an OU. Is there a way to do this with PowerShell for a specific OU?
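One way to do it, added here as an example rather than an answer from the thread. It assumes the RSAT ActiveDirectory module (which provides the AD: drive used for Get-Acl/Set-Acl on directory objects) and a placeholder OU.

```powershell
# Added example, not from the original thread. Re-enables ACL inheritance on every user
# object under one OU. Assumes the RSAT ActiveDirectory module; the OU is a placeholder.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'

function Enable-ADUserInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase)

    foreach ($user in Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount) {
        $path = "AD:\$($user.DistinguishedName)"
        $acl  = Get-Acl -Path $path

        # AreAccessRulesProtected is $true when "Include inheritable permissions
        # from this object's parent" has been unticked on the object.
        if (-not $acl.AreAccessRulesProtected) {
            [pscustomobject]@{ User = $user.SamAccountName; Changed = $false; AdminCount = $user.adminCount }
            continue
        }

        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'enable inheritance')) {
            # SetAccessRuleProtection(isProtected, preserveInheritance):
            # $false = inherit from the parent again; $true = keep the existing explicit ACEs.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
        [pscustomobject]@{ User = $user.SamAccountName; Changed = $true; AdminCount = $user.adminCount }
    }
}

# Review first with -WhatIf, then run without it.
Enable-ADUserInheritance -SearchBase $SearchBase -WhatIf
Enable-ADUserInheritance -SearchBase $SearchBase | Format-Table -AutoSize
```

The AdminCount column is there for a reason: accounts with adminCount=1 are (or once were) members of protected groups, and the SDProp process re-applies the AdminSDHolder ACL to them roughly every hour, disabling inheritance again. For such an account inheritance only sticks if it has been removed from the protected groups and adminCount is cleared (`Set-ADUser <user> -Clear adminCount`); an account that is still in one of those groups should keep the protected ACL.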

Windows Server 2008 R2 and ShadowCopy

Hi,
I have a very strange behavior with Windows Server 2008 R2 and ShadowCopy.
As far as I know, ShadowCopy can be enabled or disabled only on local server drives. ShadowCopy is not working on a remote share.
My Windows Server 2008 R2 is connected to 5 shares of a NetApp appliance. The 5 shares are NTFS formatted. Those 5 shares are then added in the domain. Those 5 shares are managed with a GPO to be mounted in the user's profile.
When I connect to a user profile from a Windows 7 computer (the computer is connected to the domain) and I right-click on the properties of the shared drive, I see that ShadowCopy is working and available. Since the shares are connected through the user's profile, how can this be possible?
If somebody has an idea how to turn this "feature" OFF, they will be welcome.
Thanks
GG

Event ID 1083 and 1955 Directory Service Log


Event ID 1083, immediately followed by 1955, has been occurring in the Directory Service log on the domain controller that holds all the FSMO roles, and this has been happening at intervals of at least every three or six days this month, October 2016.

I noticed it originally affected inactive accounts, but as of 10/28/18 it affected an active account. Following suggestions from my search, the functional level is 2008, not 2003, since the 2 domain controllers are Windows Server 2008 Standard.

Any idea of how to fix this problem?


Need guidance on naming new schema attributes


I've already added a new attribute to support storing generated local administrator account passwords for client computers. For that attribute, I used our full organization name, but now we're wanting to add 2 new confidential attributes and the names would be too long. I would really have liked to use the existing address/phone attributes, but sadly due to systemFlags they can't be flagged confidential.

Would it be 'wrong' to switch to using our generally-used organizational acronym for these next 2 new attributes? I know this AD isn't going to ever be merged with another; given that, is the primary concern when choosing new attribute names "don't choose one that might be added by a future release from Microsoft"? Like if I chose to omit any organizational identifier from the new attributes and chose 'Phone-Mobile-Primary-Confidential', then MS announced "Hey Server 2017 AD schema now includes 'Phone-Mobile-Primary-Confidential'" I'd be in trouble, right?


born to learn!

AD group domain migration - Powershell Script


Hi,

As far as I know, anything can be done via PowerShell. But I want to try something and I don't know where to begin.

Basically we have an old domain and a new domain. Separate from one another, that have trusts.

In the old domain we have some groups with users in them. In the new domain we already have equivalent users and equivalent groups.

How should I go about making a script that can associate old groups with new groups, old users with new users, and add the new users to the new groups according to the old domain's format?

I don't really know where to begin. I can't seem to imagine a strategy for doing this.
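A starting point, added here as an example and not a script from the thread. It assumes the RSAT ActiveDirectory module, a trust that lets the session read the old domain, that "equivalent" users and groups carry the same sAMAccountName in both domains, and placeholder domain names and OU. It first builds a plan that can be reviewed, and only then adds members.

```powershell
# Added example, not from the thread. Associates old groups/users with their new-domain
# equivalents by sAMAccountName and adds the new users to the new groups.
# Assumes the RSAT ActiveDirectory module; domain names and OU are placeholders.
Import-Module ActiveDirectory

$OldDomain  = 'old.example.com'
$NewDomain  = 'new.example.com'
$OldGroupOU = 'OU=Groups,DC=old,DC=example,DC=com'

# Resolve an object by sAMAccountName in the new domain; $null when there is no equivalent.
function Find-NewObject {
    param([string]$Sam, [ValidateSet('user', 'group')][string]$Class)
    try {
        if ($Class -eq 'user') { Get-ADUser  -Identity $Sam -Server $NewDomain -ErrorAction Stop }
        else                   { Get-ADGroup -Identity $Sam -Server $NewDomain -ErrorAction Stop }
    } catch { $null }
}

# Pass 1: build the plan. Nothing is changed yet, so the output can be reviewed first,
# which matters most for groups that grant administrative rights.
$plan    = [System.Collections.Generic.List[object]]::new()
$missing = [System.Collections.Generic.List[string]]::new()

foreach ($oldGroup in Get-ADGroup -Server $OldDomain -SearchBase $OldGroupOU -Filter *) {
    $newGroup = Find-NewObject -Sam $oldGroup.SamAccountName -Class group
    if (-not $newGroup) { $missing.Add("group $($oldGroup.SamAccountName)"); continue }

    # Direct members only, so nested groups are recreated as nesting rather than flattened.
    foreach ($member in Get-ADGroupMember -Identity $oldGroup -Server $OldDomain) {
        if ($member.objectClass -notin 'user', 'group') { continue }
        $newMember = Find-NewObject -Sam $member.SamAccountName -Class $member.objectClass
        if (-not $newMember) { $missing.Add("$($member.objectClass) $($member.SamAccountName)"); continue }
        $plan.Add([pscustomobject]@{
            NewGroup  = $newGroup.SamAccountName
            NewMember = $newMember.SamAccountName
            Class     = $member.objectClass
            MemberDN  = $newMember.DistinguishedName
        })
    }
}

$plan    | Sort-Object NewGroup, NewMember | Format-Table -AutoSize
$missing | Sort-Object -Unique | ForEach-Object { Write-Warning "no equivalent in ${NewDomain}: $_" }

# Pass 2: apply the plan, one Add-ADGroupMember call per group.
function Invoke-GroupPlan {
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Plan)
    foreach ($grp in $Plan | Group-Object NewGroup) {
        if ($PSCmdlet.ShouldProcess("$($grp.Name) in $NewDomain", "add $($grp.Count) member(s)")) {
            Add-ADGroupMember -Identity $grp.Name -Server $NewDomain -Members $grp.Group.MemberDN
        }
    }
}

Invoke-GroupPlan -Plan $plan -WhatIf   # drop -WhatIf to apply
```

If the account running the script has no rights in the old domain, add `-Credential` to the Get-ADGroup and Get-ADGroupMember calls. The warnings list every old object without a new-domain equivalent, so nothing is silently skipped.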

Event ID 12294 - SAM database was unable to lockout account


Dear All,

In our organization, we prepared a DC and added it to an existing single domain as a secondary DC. When I run dcdiag, it gives me the two failures below.

Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC02 failed test DFSREvent

I understand this one, because we did a failover test last night, which is within 24 hours; DC02 was offline for some time and then it was brought up. I believe this should clear up in 24 hours.

Second item:

Starting test: SystemLog
An error event occurred. EventID: 0x00003006
Time Generated: 01/06/2016 10:23:38
Event String:
The SAM database was unable to lockout the account of <user account> due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
......................... DC02 failed test SystemLog

The link between DC01 (PDC) and DC02 (SDC) is perfect. Is there any AD setting causing this issue?

How do I troubleshoot further?

Appreciate your replies. Thank you.

How can I stop a trailing dot being added at the end of the computer full name?


In some cases, joining a device to the local domain adds a trailing dot at the end of the FQDN (computer full name). Any server application whose name ends with a dot will have issues with the Exchange server.

The application server will have an issue sending a notification if the full name has a dot, but if the application server's full name ends with no dot everything goes OK.

Any suggestion?


How to find out Apple MAC computers into my AD


Hello there and happy Monday.

Do you know a command line that I can use in PowerShell that will give me the list of all my computers that are Apple? I know I can go computer by computer, right-click, and it will give the tab with Operating System -> Name: Mac OS X -> Version 10.11 etc., but there are too many to do one by one. I have PCs and Apple machines in my Computers container. I only need to know how many machines are Apple.

Thank you so much in advance for your help

Have a nice day
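One script covering both the department question earlier on this page ("List all users in department (with wildcard)") and the Apple computer count above, added here as an example and not taken from either post. It assumes the RSAT ActiveDirectory module; the department word and the search base are placeholders. It uses LDAP filters with proper escaping of the search term, so a word containing `(`, `)`, `*` or `\` is matched literally instead of altering the filter.

```powershell
# Added example covering two questions on this page: users by a word in Department, and
# computer objects that report an Apple OS. Assumes the RSAT ActiveDirectory module;
# the department word and search base are placeholders.
Import-Module ActiveDirectory

# RFC 4515 escaping for a value placed inside an LDAP filter. Without it, a search word
# containing ( ) * or \ would change the meaning of the filter instead of being matched.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'       { [void]$sb.Append('\5c') }
            '('       { [void]$sb.Append('\28') }
            ')'       { [void]$sb.Append('\29') }
            '*'       { [void]$sb.Append('\2a') }
            ([char]0) { [void]$sb.Append('\00') }
            default   { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# Users whose Department contains one word. The substring match runs on the DC against
# the stored Unicode value, so searching for the ASCII word in a department such as
# "Sales København" finds the users even when the console renders the other letters as "?".
function Get-ADUserByDepartmentWord {
    param([Parameter(Mandatory)][string]$Word, [string]$SearchBase)
    $escaped = ConvertTo-LdapFilterValue -Value $Word
    $params  = @{
        LDAPFilter = "(&(objectCategory=person)(objectClass=user)(department=*$escaped*))"
        Properties = 'Department'
    }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }
    Get-ADUser @params | Select-Object SamAccountName, Name, Department
}

# Computer objects whose OperatingSystem attribute (the value shown on the Operating
# System tab in ADUC) names an Apple OS.
function Get-ADAppleComputer {
    Get-ADComputer -LDAPFilter '(|(operatingSystem=Mac OS X*)(operatingSystem=macOS*))' `
        -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate
}

# Usage
Get-ADUserByDepartmentWord -Word 'Sales' -SearchBase 'OU=Users,DC=example,DC=com' |
    Format-Table -AutoSize

$apple = @(Get-ADAppleComputer)
"Apple computers in AD: $($apple.Count)"
$apple | Sort-Object OperatingSystemVersion | Format-Table -AutoSize

# The same data grouped by OS string, to see every value actually present in the
# directory before trusting a pattern such as 'Mac OS X*'.
Get-ADComputer -Filter * -Properties OperatingSystem |
    Group-Object OperatingSystem | Sort-Object Count -Descending |
    Select-Object Count, Name
```

AD string matching is case-insensitive, so `-Word 'sales'` and `-Word 'Sales'` return the same users. The grouped listing at the end is worth a look: OperatingSystem is written by the client at join time, so a machine that was joined with an older agent may carry a different string than the one the poster sees.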

What log to check for account movements?


Hi,

I can check logs like logins, system logs, etc., but I was wondering what log I should check if one of the staff in our IT dept has made changes to a specific account, e.g.:

An old user had been disabled for a long time, then we found out that it has been enabled by one of the admins.

Thanks

Jeff
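Two places record this kind of change, and the script below (an added example, not from the thread) queries both. Account changes are logged to the Security log of the domain controller that processed them, as event 4722 (account enabled), 4725 (disabled) and 4738 (account changed), but only when the "Audit User Account Management" subcategory is enabled; since each DC logs only its own changes, every DC has to be asked. Independently of auditing, AD replication metadata records when the userAccountControl attribute last changed and on which DC. The script assumes the RSAT ActiveDirectory module and a placeholder account name.

```powershell
# Added example, not from the thread. Finds who enabled/disabled an account and when.
# Assumes the RSAT ActiveDirectory module and that "Audit User Account Management" is
# enabled on the DCs; the target account name is a placeholder.
Import-Module ActiveDirectory

$Target = 'jdoe'                      # placeholder sAMAccountName of the re-enabled account
$Since  = (Get-Date).AddDays(-30)
$Ids    = 4722, 4725, 4738            # enabled, disabled, changed

$dcs = (Get-ADDomainController -Filter *).HostName

# 1) Security log on every DC. Each DC only holds the changes it processed itself.
function Get-AccountChangeEvent {
    param([string[]]$DomainControllers, [int[]]$EventIds, [datetime]$StartTime)
    foreach ($dc in $DomainControllers) {
        try {
            $filter = @{ LogName = 'Security'; Id = $EventIds; StartTime = $StartTime }
            Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # The event's EventData fields carry who did it (Subject*) and to whom (Target*).
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    DC      = $dc
                    EventId = $_.Id
                    Target  = $data['TargetUserName']
                    Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                }
            }
        } catch {
            # Typically "no events found" or the DC being unreachable; report, don't abort.
            Write-Warning "${dc}: $($_.Exception.Message)"
        }
    }
}

Get-AccountChangeEvent -DomainControllers $dcs -EventIds $Ids -StartTime $Since |
    Where-Object Target -eq $Target | Sort-Object Time | Format-Table -AutoSize

# 2) Replication metadata: the enable/disable flag lives in userAccountControl, and the
#    metadata records the last originating change time and DC for it, even with auditing off.
$user = Get-ADUser -Identity $Target
Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dcs[0] -Properties userAccountControl |
    Select-Object AttributeName, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity, Version |
    Format-Table -AutoSize
```

The metadata gives the "when" and "which DC" but not the "who"; for the actor you need the 4722 event from the DC it names, which is why the two halves are used together. If the Security log on that DC has already rolled over, the information is gone unless the events were forwarded to a collector.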

Forcing a specific DC for trust relationship purposes but without limiting the ability to lookup other zone records ?


We have a specific requirement to configure a trust relationship between domain A and domain B, but domain A can only reach a small number of DCs in domain B due to the network configuration.

This would usually be quite a simple process of taking a copy of the AD integrated zone in domain B making it primary in domain A and stripping it down to listing only the DCs which are reachable and thereby controlling which DCs are contacted for both the initial trust creation and the renewing of the trust secret.

However in this scenario domain A needs to be able to have full access to domain B's AD integrated zone to be able to resolve some other A records which may on occasion change.

Any input on the best approach to achieve this, i.e. forcing domain A to only use the domain B domain controllers which are accessible, but not restricting access to the rest of the zone information for A records and not impacting production DNS behaviour in domain B?

Error with ADAMSYNC syncing users from AD into LDS


Good Afternoon

I am trying to bring user accounts from two domains into a single LDS instance for use with Cisco CUCM user authentication. Using ADAMSync, I have managed to sync the users from domain1; however, when modifying the XML file and running the sync for domain2 I get the following error in the log and no user accounts are imported.

An internal error occurred: DnManip::DnManip.

I am wondering if anybody has come across this issue in their travels.

Thank you
Robert

Note: The XML file and the error have been included below.

<?xml version="1.0"?>
<doc>
  <configuration>
    <description>### Sync</description>
    <security-mode>object</security-mode>
    <source-ad-name>###.local</source-ad-name>
    <source-ad-partition>dc=###,dc=local</source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn>dc=multiforest,dc=com</target-dn>
    <query>
      <base-dn>"OU=testou,DC=###,DC=local"</base-dn>
      <object-filter>(|(&amp;(objectClass=user)(objectCategory=person))(&amp;(objectClass=user)(isDeleted=TRUE)))</object-filter>
      <attributes>
        <include>objectSID</include>
        <include>mail</include>
        <include>userPrincipalName</include>
        <include>middleName</include>
        <include>manager</include>
        <include>givenName</include>
        <include>sn</include>
        <include>department</include>
        <include>telephoneNumber</include>
        <include>title</include>
        <include>homephone</include>
        <include>mobile</include>
        <include>pager</include>
        <include>msDS-UserAccountDisabled</include>
        <include>samAccountName</include>
        <include>employeeNumber</include>
        <exclude></exclude>
      </attributes>
    </query>
    <user-proxy>
      <source-object-class>user</source-object-class>
      <target-object-class>userProxy</target-object-class>
    </user-proxy>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>

Adamsync.exe v1.0 (6)
Establishing connection to target server localhost:50000.
Saving Configuration File on DC=MULTIFOREST,DC=COM
Saved configuration file.
ADAMSync is querying for a writeable replica of #######.
Establishing connection to source server ######.local:389.
Using file .\dam383A.tmp as a store for deferred dn-references.
Populating the schema cache
Populating the well known objects cache
Starting synchronization run from dc=#####,dc=local.
Starting DirSync Search with object mode security.

Processing Entry: Page 1, Frame 1, Entry 0, Count 0, USN 0
An internal error occurred: DnManip::DnManip.
An internal error occurred: DnManip::DnManip.
Saving Configuration File on DC=MULTIFOREST,DC=COM
Saved configuration file.



Unable to sync users from AD to LDS with adamsync


Hi Guys,

I'm trying to sync users from AD to AD LDS instance created on a member server.

I get this as a result in the log file specified during the Adamsync /sync command:

***************************************************************
Adamsync.exe v1.0 (6)
Establishing connection to target server localhost:389.
Saving Configuration File on DC=ExtranetPartition,DC=test-adlds,DC=***
Saved configuration file.
ADAMSync is querying for a writeable replica of dc.test-adlds.***.
Error: DCLocator call failed with error 1355. Attempting to bind directly to string.
Establishing connection to source server dc.test-adlds.***:389.
Using file .\dam4269.tmp as a store for deferred dn-references.
Populating the schema cache
Populating the well known objects cache
Starting synchronization run from DC=test-adlds,DC=***.
Starting DirSync Search with object mode security.

Processing Entry: Page 1, Frame 1, Entry 0, Count 0, USN 0
An internal error occurred: DnManip::DnManip.
An internal error occurred: DnManip::DnManip.
Saving Configuration File on DC=ExtranetPartition,DC=test-adlds,DC=***
Saved configuration file.
***************************************************************

The  MS-ADAMSyncConf.xml file :

<configuration>
  <description>sample Adamsync configuration file</description>
  <security-mode>object</security-mode>
  <source-ad-name>dc.test-adlds.***</source-ad-name>
  <source-ad-partition>DC=test-adlds,DC=***</source-ad-partition>
  <source-ad-account></source-ad-account>
  <account-domain></account-domain>
  <target-dn>DC=ExtranetPartition,DC=test-adlds,DC=***</target-dn>
  <query>
    <base-dn>"OU=Test OU,DC=test-adlds,DC=***"</base-dn>
    <object-filter>(objectclass=User)</object-filter>
    <attributes>
      <include>givenName</include>
    </attributes>
  </query>
  <user-proxy>
    <source-object-class>user</source-object-class>
    <target-object-class>userProxy</target-object-class>
  </user-proxy>

***************************************************************

Any Help would be appreciated

Ivo
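A check script for both ADAMSync posts above, added here as an example rather than code from either thread. Both posted configurations wrap the base-dn in double quotes ("OU=testou,..." and "OU=Test OU,..."); ADAMSync expects a bare DN in that element, and a quoted base-dn is the commonly reported trigger for "An internal error occurred: DnManip::DnManip". The function parses the configuration file and reports quoted or malformed DN elements, a filter with unbalanced parentheses, and XML that does not parse at all (the second post's file as pasted ends with an unclosed `</user-proxy`). The file path is a placeholder.

```powershell
# Added example, not from either post. Lints an ADAMSync configuration file for the
# defects visible in the two posted files before "adamsync /install" is run.
function Test-AdamSyncConfig {
    param([Parameter(Mandatory)][string]$Path)
    $findings = [System.Collections.Generic.List[string]]::new()

    try {
        [xml]$doc = Get-Content -Path $Path -Raw
    } catch {
        # Truncated or mis-typed markup fails here before ADAMSync would read it.
        $findings.Add("file is not well-formed XML: $($_.Exception.Message)")
        return $findings
    }

    # Works whether the root is <doc> (first post) or <configuration> itself (second post).
    $cfg = $doc.SelectSingleNode('//configuration')
    if (-not $cfg) { $findings.Add('no <configuration> element'); return $findings }

    foreach ($name in 'source-ad-partition', 'target-dn', 'base-dn') {
        $node = $cfg.SelectSingleNode(".//$name")
        if (-not $node) { $findings.Add("missing <$name>"); continue }
        $value = $node.InnerText.Trim()

        # The DN must not be quoted: the quotes become part of the DN ADAMSync tries to use.
        if ($value -match '^["'']|["'']$') {
            $findings.Add("<$name> is wrapped in quotation marks: $value (write the DN without them)")
            $value = $value.Trim('"', "'")
        }
        if ($value -notmatch '^(cn|ou|dc)=') {
            $findings.Add("<$name> does not look like a DN: $value")
        }
    }

    $filterNode = $cfg.SelectSingleNode('.//object-filter')
    if (-not $filterNode) {
        $findings.Add('missing <object-filter>')
    } else {
        # A quick structural check: the filter must start with "(" and its parentheses
        # must balance; whitespace between components (as in the first post) is ignored.
        $filter = $filterNode.InnerText.Trim()
        $depth  = 0
        foreach ($ch in $filter.ToCharArray()) {
            if ($ch -eq '(') { $depth++ } elseif ($ch -eq ')') { $depth-- }
            if ($depth -lt 0) { break }
        }
        if ($depth -ne 0 -or -not $filter.StartsWith('(')) {
            $findings.Add("<object-filter> is not a parenthesised, balanced LDAP filter: $filter")
        }
    }
    return $findings
}

# Usage: an empty result means nothing obvious was found.
$result = @(Test-AdamSyncConfig -Path 'C:\adamsync\MS-ADAMSyncConf.xml')
if ($result.Count -eq 0) { 'no findings' } else { $result }
```

Run against the first post's file it reports the quoted base-dn; against the second post's file as pasted it reports the XML parse failure first, and the quoted base-dn once the closing tags are restored. Neither check replaces reading the ADAMSync log, but both conditions are visible in the posted files and are cheap to rule out before re-running the sync.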
