Channel: Directory Services forum

AD Users Disabled Date


I have around 200 AD users who are disconnected from their mailboxes. I want to delete these mailbox-disconnected AD user accounts which are older than one year. I checked the Object tab of these disabled/disconnected users in AD and they all show different dates.

Is there a way/script that I can use to export a list of these disabled/disconnected AD users which have been disabled for more than a year?

Thanks!
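One way to approach the request above, as an added example that is not part of the original post or any answer to it: AD does not store a "disabled date" attribute, so the closest approximation is the replication metadata of userAccountControl, the attribute that changes when an account is disabled. It assumes the RSAT ActiveDirectory module and a Windows Server 2012 or later DC (needed for Get-ADReplicationAttributeMetadata); the output path is a placeholder.

```powershell
# Added example (not from the original post): list disabled AD users whose
# userAccountControl was last changed more than a year ago, using replication
# attribute metadata as the best available approximation of the "disabled date".
# Assumes the ActiveDirectory module (RSAT) and a 2012+ DC for
# Get-ADReplicationAttributeMetadata. The CSV path is a constructed placeholder.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddYears(-1)
$dc     = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1

$stale = foreach ($user in Get-ADUser -Filter 'Enabled -eq $false' -Server $dc -Properties whenChanged) {
    # LastOriginatingChangeTime of userAccountControl records when the account
    # was last enabled/disabled (or had another UAC flag flipped). This is
    # closer to the real "disabled date" than whenChanged, which moves on any
    # attribute change. Caveat: a later UAC flag change (e.g. password never
    # expires) resets it, so the result is a lower bound on the disabled age.
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                -Server $dc -Properties userAccountControl
    $disabledOn = $meta.LastOriginatingChangeTime
    if ($disabledOn -and $disabledOn -lt $cutoff) {
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            UACLastChanged    = $disabledOn
            WhenChanged       = $user.whenChanged
        }
    }
}

# Export for review first; nothing in this script modifies AD. Deleting the
# accounts is a separate, deliberate step once the list has been checked.
$stale | Sort-Object UACLastChanged |
    Export-Csv -Path 'C:\Temp\disabled-over-1y.csv' -NoTypeInformation
$stale | Format-Table -AutoSize
```

Run it against a writable DC with an account that can read the directory; replication metadata is readable by authenticated users by default, so no elevated rights are needed for the report itself.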


cross forest trust with one way trust issue


Hi All,

I have 2 separate forests, abc.com and xyz.com.

Recently I created a one-way incoming trust from abc.com to xyz.com and an outgoing trust from xyz.com to abc.com using the trust password.

But I noticed that when I try to give permission on one of the folders in the xyz.com domain by selecting the abc.com domain, it prompts me for a user name and password. Is this the correct behaviour after creating the one-way trust?

I also tried entering the username and password for the abc.com domain at the prompt, but it still fails with the error below.


kalanke

Known issues with server 2008 on a 2003 Domain Controller running in 2000 mixed mode?


Hi

We are having numerous issues within our 2003 domain with our 2008 terminal servers. We have been advised that this is primarily due to the fact that our domain controller is running at the Windows 2000 Mixed functional level.

Can anyone confirm that this could cause various issues?

We are unsure and feel this might be a bit of a 'get out of jail' for our external support company. We have asked them to log a call with Microsoft but they are hesitant to do this.

Thanks

DNS Client registration failing


Hello,

We have an AD server running DNS and it is on a separate VLAN.

Clients/servers can only communicate with DNS on UDP port 53, and we have been seeing DNS registration errors in the event logs.

Is TCP 53 required for client hostname registration into DNS through the firewall? Or is UDP 53 alone sufficient?

Cheers,

Marshal


Cheers, J

Object Class Violation error via sync ADLDS with ADDS


Hi

I used to be able to sync my ADLDS instance with 2008 ADDS. After I upgraded to 2008 R2 ADDS, I can no longer sync and receive the error "An ldap error occured while saving the configuration file: Object Class Violation".

How do I upgrade my ADLDS instance schema to 2008 R2 so that I can sync my ADLDS instance with 2008 R2 ADDS?

 

Is there any good AD management tool for free?


Now I am trying ADmodify.

I would like to modify proxyAddresses, etc.

Is there any good AD management tool for free?

Continuous Active Directory Account Lock out


Hi Guys

Just after a domain restructure between a Windows 2003 forest and a Windows Server 2008 forest, which merged both forests into one Active Directory 2008 forest, I am getting continuous account lockouts almost every 1 to 5 minutes for all my domain accounts. After I scanned my domain controllers, I found that one of my domain controllers was infected with Conficker, as per the attachment. Once I removed it and scanned my Active Directory, Conficker did not show up again in the McAfee VirusScan Enterprise scan, but my users are still getting locked out. I turned on audit failure events for my domain accounts, and I am receiving a huge number of audit failures. I checked the audit failure events and most of them were related to accounts that were not available and were offline. I received perhaps more than a hundred audit failure events in a second. Could you please assist me in sorting this issue out? It is driving me crazy. For the time being, I had to remove the lockout policy, as the company production line was at a complete halt due to locked-out users. Please help. Thanks a lot.

Regards,

Pooriya


Pooriya Aghaalitari

Error Trying to Start Windows Time Service on Domain Controllers


Over the weekend two of our 2008 R2 domain controllers located in the same site went down as a result of a power failure. After the servers came back up, I noticed that the Windows Time Service was no longer a registered service on either server. About a month ago I had to reconfigure the time service on these DCs as a result of a misconfiguration, as discussed here:

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0d1f0465-4532-4b5a-b6ea-19b3245b6b5c

I proceeded to register it as a service using w32tm /register and then tried starting the service. That is when I ran into the error message, which is as follows:

C:\>net start w32time
System error 1290 has occurred.

The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.

The event log contained similar info:

Log Name:      System
Source:        Service Control Manager
Date:          10/10/2011 2:13:46 PM
Event ID:      7000
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SADC3.domain.com
Description:  Same as above description

 

I compared the w32time registry settings on the problem DCs with a known good DC, and they are identical.

Any suggestions on how to resolve this?

Thanks.

 


How to restore an Active Directory server?


Hi,

Unfortunately our Active Directory server is down due to a hard disk failure. We are going to install a new hard disk. We need to bring the AD back to its previous state. At present our backup domain controller is supporting our users. I need to get AD back as early as possible.

The following services are running on it.

1. Backup Exec software
2. Kaspersky Security Centre
3. Firewall software
4. Printer drivers

We take backups to tape drives daily, weekly and monthly.

Can anyone suggest to me the best way to get AD back without any issues?

Regards,

Ram.

Windows Server 2008 ADPREP Replication Error


I have an existing Windows Server 2008 domain controller, HCC1. Previously there was a backup domain controller, HCC2. The backup domain controller died from hardware issues and was removed from the domain.

I have a new Windows Server 2008 R2 server that I want to make a DC. I tried to run ADPREP /Forestprep on the existing DC and get the following error:

E:\SoftwareandDownloads\support\adprep>adprep /forestprep /nospwarning
Adprep was unable to extend the schema.
[Status/Consequence]
The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.
[User Action]
Verify that the schema master is connected to the network and can communicate with other Active Directory Domain Controllers.  Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.

I ran repadmin /showreps:

E:\SoftwareandDownloads\support\adprep>repadmin /showreps
Default-First-Site-Name\HCC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: d3821757-d0d2-498b-a7a2-20ebe2db1bf7
DSA invocationID: c9b4fbaa-ae15-4912-8d91-4a4ffe6c7eb5

How do I get past the replication error?


John Turcich NorSoft Consulting

NetSetup errors when trying to join new computer to domain via SCCM 2012 OSD


Hi All,

I am not certain if I should post this in the SCCM forums or DS, but the errors are within the NetSetup.log file. I am having a domain join issue when trying to automatically join new computers to my domain via SCCM; existing computers with domain accounts migrate perfectly. The client computers are Win7 SP1 and the domain is 2003. Here is part of the netsetup.log file:

11/01/2012 09:18:48:671 -----------------------------------------------------------------
11/01/2012 09:18:48:671 NetpDoDomainJoin
11/01/2012 09:18:48:671 NetpMachineValidToJoin: 'IMAGING'
11/01/2012 09:18:48:671     OS Version: 6.1
11/01/2012 09:18:48:671     Build number: 7601 (7601.win7sp1_gdr.120830-0333)
11/01/2012 09:18:48:671     ServicePack: Service Pack 1
11/01/2012 09:18:48:733     SKU: Windows 7 Professional
11/01/2012 09:18:48:733 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
11/01/2012 09:18:48:733 NetpGetLsaPrimaryDomain: status: 0x0
11/01/2012 09:18:48:733 NetpMachineValidToJoin: status: 0x0
11/01/2012 09:18:48:733 NetpJoinDomain
11/01/2012 09:18:48:733     Machine: IMAGING
11/01/2012 09:18:48:733     Domain: acumen.net\acumendc2.acumen.net
11/01/2012 09:18:48:733     MachineAccountOU: DC=acumen,DC=net
11/01/2012 09:18:48:733     Account: acumen2\smsadmin
11/01/2012 09:18:48:733     Options: 0x23
11/01/2012 09:18:48:749 NetpLoadParameters: loading registry parameters...
11/01/2012 09:18:48:749 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/01/2012 09:18:48:749 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/01/2012 09:18:48:749 NetpLoadParameters: status: 0x2
11/01/2012 09:18:48:749 NetpValidateName: checking to see if 'acumen.net' is valid as type 3 name
11/01/2012 09:18:48:968 NetpCheckDomainNameIsValid [ Exists ] for 'acumen.net' returned 0x0
11/01/2012 09:18:48:968 NetpValidateName: name 'acumen.net' is valid for type 3
11/01/2012 09:18:49:202 NetpJoinDomain: status of connecting to dc '\\acumendc2.acumen.net': 0x0
11/01/2012 09:18:49:218 NetpJoinDomainOnDs: Passed DC 'acumendc2.acumen.net' verified as DNS name '\\acumendc2.acumen.net'
11/01/2012 09:18:49:218 NetpLoadParameters: loading registry parameters...
11/01/2012 09:18:49:218 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/01/2012 09:18:49:218 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/01/2012 09:18:49:218 NetpLoadParameters: status: 0x2
11/01/2012 09:18:49:218 NetpDsGetDcName: status of verifying DNS A record name resolution for 'acumendc2.acumen.net': 0x0
11/01/2012 09:18:49:218 NetpProvisionComputerAccount:
11/01/2012 09:18:49:218     lpDomain: acumen.net
11/01/2012 09:18:49:218     lpMachineName: IMAGING
11/01/2012 09:18:49:218     lpMachineAccountOU: DC=acumen,DC=net
11/01/2012 09:18:49:218     lpDcName: acumendc2.acumen.net
11/01/2012 09:18:49:218     lpDnsHostName: (NULL)
11/01/2012 09:18:49:218     lpMachinePassword: (null)
11/01/2012 09:18:49:218     lpAccount: acumen2\smsadmin
11/01/2012 09:18:49:218     lpPassword: (non-null)
11/01/2012 09:18:49:218     dwJoinOptions: 0x23
11/01/2012 09:18:49:218     dwOptions: 0x40000003
11/01/2012 09:18:49:280 NetpLdapBind: Verified minimum encryption strength on acumendc2.acumen.net: 0x0
11/01/2012 09:18:49:280 NetpLdapGetLsaPrimaryDomain: reading domain data
11/01/2012 09:18:49:280 NetpGetNCData: Reading NC data
11/01/2012 09:18:49:280 NetpGetDomainData: Lookup domain data for: DC=acumen,DC=net
11/01/2012 09:18:49:280 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=acumen,DC=net
11/01/2012 09:18:49:280 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
11/01/2012 09:18:49:327 NetpGetComputerObjectDn: Cracking DNS domain name acumen.net/ into Netbios on \\acumendc2.acumen.net
11/01/2012 09:18:49:327 NetpGetComputerObjectDn: Crack results:     name = ACUMEN2\
11/01/2012 09:18:49:327 NetpGetComputerObjectDn: Cracking account name ACUMEN2\IMAGING$ on \\acumendc2.acumen.net
11/01/2012 09:18:49:327 NetpGetComputerObjectDn: Crack results:     Account does not exist
11/01/2012 09:18:49:327 NetpGetComputerObjectDn: Specified path 'DC=acumen,DC=net' is not an OU
11/01/2012 09:18:49:327 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x2
11/01/2012 09:18:49:327 NetpProvisionComputerAccount: LDAP creation failed: 0x2
11/01/2012 09:18:49:327 NetpProvisionComputerAccount: Cannot retry downlevel, specifying OU is not supported
11/01/2012 09:18:49:327 ldap_unbind status: 0x0
11/01/2012 09:18:49:327 NetpJoinDomainOnDs: Function exits with status of: 0x2
11/01/2012 09:18:49:327 NetpJoinDomainOnDs: status of disconnecting from '\\acumendc2.acumen.net': 0x0
11/01/2012 09:18:49:327 NetpDoDomainJoin: status: 0x2

In this join attempt I did not specify an OU, but I have tried multiple OUs and still get the same error message. Has anyone run into this problem before?

2008 R2 DCs through Firewall with IPSec


Looking for (what I hope is) a quick clarification after reading through the following documentation:

http://support.microsoft.com/kb/233256

http://www.microsoft.com/en-us/download/details.aspx?id=16797

It appears that the default filtering exemption for Kerberos doesn't exist past Windows 2000, so I assume that by default, if you create an Any/Any rule, Kerberos (port 88) is now included. Now, if you are looking to use Kerberos for authentication and the traffic is routed through a firewall, are the following ports all that would need to be opened?

 - 50, 51 (possibly), and 500 (UDP)

In other words, are you able to use Kerberos for authentication over IPSec through a firewall, assuming that you are using Any/Any for the specified endpoints? The endpoints in this example would be two domain controllers in the same domain/forest.

Any insight would be appreciated as some of the documentation available seems to be a bit older.

Thanks!


How to create new active directory sites?


How to create new active directory sites?

I have 1 DC & 1 Ex2003 on a site "LONDON". Now I am planning to create another site "Manchester" with 1 DC & 1 Ex2003 server.

London site IP subnet is  192.168.9.0
Manchester site IP subnet is 192.168.11.0

I am doing this in a test environment; so that they can ping each other I am using a bridged network and have given alternate IPs to each network.

error: C:\Windows\NTDS does not refer to a valid hard disk


I'm setting up Active Directory Domain Services on Windows Server 2012 Standard and I'm receiving the following errors:

"Specified paths are invalid. Verification of directory paths failed. The folder C:\Windows\NTDS does not refer to a valid hard disk. Select a folder on a hard disk drive"

 "Specified paths are invalid. Verification of directory paths failed. The folder C:\Windows\SYSVOL does not refer to a valid hard disk. Select a folder on a hard disk drive"

I have searched on Bing and Google, and have visited many forums, and have not found a solution to this. There was a thread on TechNet with the same problem, mentioning installing a hotfix to fix this issue (hotfix 299451); however the hotfix number mentioned in the post is incorrect.

So please, if someone has this solution. Let me know. Thanks in advance.

Adding a 2012 domain controller to a 2003 functional domain


My domain is currently running a mix of versions of Windows. I have clients running XP, Windows 7, and Windows 8; I have domain controllers that are Server 2003 R2 and Server 2008 R2, and an Exchange 2010 deployment. My domain is currently running at the 2003 functional level due to the 2003 server. Will I run into any problems adding a 2012 domain controller? Has anyone else done this?


Windows server 2003 Domain Controller


I have one small office network without an internet connection. I have one PDC and one ADC. The operating system is Windows Server 2003. Now my PDC has to be formatted due to an OS problem. My questions are:

1) Can I make my additional domain controller a primary domain controller?

2) What is the procedure to remove the PDC from the system, and how can it be brought back into line again?

Regards,

Pradhan

Upgrading 2000 AD to 2008r2 AD with dead PDC


I have an old 2000 domain I need to upgrade. The BDC is functional and people are authenticating against it, but the PDC is totally dead and no backup exists. Running dcdiag /v shows the dead DC was the Schema Owner and RID Master, and I am told the server holding the PDC role is down (which I know). I assume I need to correct all of these errors before I attempt the upgrade? What's the best plan of attack?

Thanks!

BPA result 'This domain controller must register a DNS SRV...' question


I've read many posts about this issue but can't get it resolved on my network. Or maybe I can't get my head around the advice offered to apply it to my situation.

Network details, the issues and steps taken are listed below, but my question is: could having left a server with the DNS server role after dcpromoing it down from DC cause a problem? On that old server, if I look at my domain in the DNS forward lookup zone it appears as a secondary zone type, while on the 2 DCs the same domain shows as Active Directory-integrated primary. Should I remove the DNS service from the old demoted DC, or change the zone on that server to AD-integrated instead of secondary?

So, the details:

Existing 2003 domain, simple network, single domain name. Two existing 2003 R2 DCs.

I needed to P2V one of the existing Server 2003 R2 Standard domain controllers onto a new VMware server, so it was dcpromoed down, though it was left as a DNS server. The other DC was left physical and held all the FSMO roles and GC, and is a DNS, DHCP and WINS server.

Rather than promoting that server back up, I added a 2008 R2 Enterprise server VM, ran adprep /forestprep, /domainprep and /gpprep, which all appeared to succeed. I ran dcpromo, but did not install the DNS service at the time for some reason I don't recall, though I did add it after dcpromo finished successfully. I transferred the FSMO roles to the new 2008 R2 DC.

I ran into a couple of issues right off the bat. First, the _msdcs.domain.com zone was not added automatically, which I thought was supposed to happen. I eventually added it manually.

Second, the DC will not register an SRV record. I can ipconfig /flushdns, /registerdns, net stop and start dns and netlogon, etc. until I'm blue in the face and it never registers an SRV record according to the BPA. All I get is a couple of 4010 events in the DNS event log. But if I look in the DNS console I see the _ldap record for it.

dcdiag run on the 2008 R2 DC only shows an expected error since I haven't run /rodcprep yet. Run on the remaining 2003 R2 DC it shows no errors.

dcdiag /test:dns run on the 2008 R2 DC shows the SRV record not registered on either DC.

Error:
                     Missing SRV record at DNS server 10.x.x.x:
                     _ldap._tcp.cc879c85-da3e-436f-91f9-0d412833d320.domains._ms

dcdiag /test:dns run on the remaining 2003 R2 DC shows no errors.

I went through the ntdsutil metadata cleanup steps to make sure there was nothing left behind from the old demoted DC, and everything already looks clean. No traces of the old DC are left behind.

For the most part the network seems to be up and running, but I'm afraid to reboot the 2003 R2 DC if I need to at some point until I get this straightened out.


Manning

When will ADMT/PES be available for Windows Server 2012?


Having upgraded to Windows Server 2012, I would like to trash the AD and take users and their passwords across to a new domain. The main reason for this is that the AD still has a load of hacks in it from Exchange 2007 to segregate address books. I want to tidy things up ready for Exchange 2013, so I'm building a new domain.

To get the passwords across I need to run PES on the old domain with a key generated on the new domain. ADMT 3.2 will not support this.

So my question is: when is ADMT 3.3 (guessing) and PES for Win2012 going to be released?

 


Domain admins 'member of' is getting removed automatically?


Hi Guyz,

I am facing a very strange issue here.

In my 2003 domain environment, many service accounts and IT SPOCs are part of the Domain Admins group.

And Domain Admins is a member of the "Builtin - Administrators" group. The issue is that the Administrators group is automatically getting removed from the 'member of' list for Domain Admins.

Please help: how do I track this, and find out why it's getting removed?

Regards, DR

 
