rpc server is missing
One FrontEnd for multiple active directory servers
Hello
I want to know what kind of solution can give me a light in the need of a customer.
The customer has 5 Active Directory servers in different locations and forests.
He wants to have one server that handles all auth requests and queries server by server (from the 5 servers mentioned above).
The main idea is to configure one .NET application to ask for auth only in one server (the frontend).
Thank you!
CJ
Replication issues
Hello,
When we manually try to replicate we get "the target principal name is incorrect".
I see there are these errors in event viewer - Event ID 4
Kerberos error KRB_AP_ERR_MODIFIED
I also noticed the Operations Master Shows Error on the same server.
They can only see our other server (pdc) in our main office if they use its ip address.
Not sure what happened here. No one touches that server. Any help would be greatly appreciated.
Thanks in advance
How to pull a list of admin accounts from AD to check if the users are active or disabled, also inactive admin accounts.
Hi Team,
How to pull a list of admin accounts from AD to check if the users are active or disabled, also inactive admin accounts?
Please let me know.
Paramesh KA
AD Error with samAccountName
Debug [11/19/16 16:41:59] DC=wesbank,DC=co,DC=za
Debug [11/19/16 16:41:59]
Debug [11/19/16 16:41:59] Search Filter is
Debug [11/19/16 16:41:59] (&(objectClass=user)(samAccountName=w1428367))
Debug [11/19/16 16:41:59]
Debug [11/19/16 16:41:59] Inside ConnectToADSI
Debug [11/19/16 16:41:59]
ADSI Bind success full
Debug [11/19/16 16:41:59] Begin function sgsladac::searchAttrValue()
Debug [11/19/16 16:41:59] [Base DN : DC=wesbank,DC=co,DC=za]; [Filter : (&(objectClass=user)(samAccountName=w1428367))]; [Attribute : samAccountName]
Debug [11/19/16 16:41:59] Too many users found.
Debug [11/19/16 16:41:59] End function sgsladac::searchAttrValue()
Debug [11/19/16 16:41:59] End function sgsloidi::queryADUserAttribute()
Debug [11/19/16 16:41:59] Inside sgsladac destructor
Debug [11/19/16 16:41:59] Inside sgsloidiOIMGeneralErrorHandler
Remove synchronized AD users from Azure/Office365
Hi
Sorry for putting this question in maybe the wrong forum.
I've installed the AD Connect tool and synchronized our AD objects to Azure.
I later found out that I should have picked a specific OU, because it's better to not sync unnecessary users.
I've tried to change to an empty OU and sync, but all users are still in Office365 and Azure.
How to remove AD synchronized users and groups from Office 365?
Domain Rename Error ; eventID 1876 Source NTDS Replication
Hi,
I have an issue with a Domain Rename that we attempted on our production environment. We are changing the netBIOS Domain Name so we can create a trust between 2 domains that had/have identical netBIOS Domain Names.
We have 5 DCs (all Windows Server 2003; 3 are R2, 2 are 2003).
After running all steps in the rendom tool, I ran rendom /execute, which forced all except one Domain Controller to reboot and accept the Domain Name Change. The /prepare command stated that all servers were ready for the change.
After the reboot, on our Main Domain Controller, and the one that didn't reboot and accept the Domain Name Change, we are getting the following issue:
*************************
Event Type: Warning
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 1876
Date: 22/08/2009
Time: 9:56:10 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ALSCO-PYM
Description:
The local domain controller cannot replicate with the following remote domain controller because of a mismatched replication epoch (msDS-ReplicationEpoch). This typically occurs as part of the domain rename process.
Remote domain controller:
b75c2e05-35bc-4424-9f1b-a98098251b27._msdcs.alsco.com.au
Remote domain controller replication epoch:
0
Local domain controller replication epoch:
1
Domain controllers undergoing a domain rename are not allowed to communicate with those domain controllers that have not yet undergone the domain rename. When all domain controllers have completed the domain rename, replication will once again be allowed.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*******************
After trying to run the execute command again, it states that the 4 servers that were successful had already been updated, and we get the following error on the one that hasn't:
*************
A domain rename operation is already in progress. The current operation must end
before a new one can begin.: The server is unwilling to process the request. :8245
****************
Upon trying to /end and /prepare and /execute we get the same error.
It appears that the non-updated one is basically waiting for the info to get replicated across to it, but it won't accept or replicate any changes because the epochs of the AD DBs on each server are out of sync.
******************
We tested the same scenario in a test environment and the only issues we had were the initial bind of the DCs, but once that was resolved, the domain rename worked perfectly.
I cannot seem to find any information online about how to go about resolving this kind of issue. If anyone has any pointers on how to resolve it, it would be greatly appreciated.
Thanks in Advance.
Simon Anderson
Active directory
I noticed that replication has failed between my server and another server. This server was taken out a couple of years back.
Thanks In Advance.
dcdiag --
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
Trying to find home server...
Home Server = KAJUR-SRV-PDC
* Identified AD Forest.
Done gathering initial info.
Starting test: Connectivity
......................... KAJUR-SRV-PDC passed test Connectivity
Starting test: Advertising
Fatal Error:DsGetDcName (KAJUR-SRV-PDC) call failed, error 1355
The Locator could not find the server.
......................... KAJUR-SRV-PDC failed test Advertising
Starting test: FrsEvent
......................... KAJUR-SRV-PDC passed test FrsEvent
Starting test: DFSREvent
......................... KAJUR-SRV-PDC passed test DFSREvent
Starting test: SysVolCheck
......................... KAJUR-SRV-PDC passed test SysVolCheck
Starting test: KccEvent
An error event occurred. EventID: 0xC0000466
Time Generated: 11/21/2016 09:22:45
Event String:
Active Directory Domain Services was unable to establish a connectio
n with the global catalog.
A warning event occurred. EventID: 0x8000082C
Time Generated: 11/21/2016 09:22:45
Event String:
A warning event occurred. EventID: 0x8000082C
Time Generated: 11/21/2016 09:23:09
Event String:
......................... KAJUR-SRV-PDC failed test KccEvent
Starting test: KnowsOfRoleHolders
......................... KAJUR-SRV-PDC passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... KAJUR-SRV-PDC passed test MachineAccount
Starting test: NCSecDesc
......................... KAJUR-SRV-PDC passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\KAJUR-SRV-PDC\netlogon)
[KAJUR-SRV-PDC] An net use or LsaPolicy operation failed with error
67, The network name cannot be found..
......................... KAJUR-SRV-PDC failed test NetLogons
Starting test: ObjectsReplicated
......................... KAJUR-SRV-PDC passed test ObjectsReplicated
Starting test: Replications
[Replications Check,KAJUR-SRV-PDC] A recent replication attempt
failed:
From DELLSERVER to KAJUR-SRV-PDC
Naming Context: DC=ForestDnsZones,DC=KajurMainOffice,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
The last success occurred at 2014-03-14 15:55:58.
23443 failures have occurred since the last success.
[DELLSERVER] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
[Replications Check,KAJUR-SRV-PDC] A recent replication attempt
failed:
From DELLSERVER to KAJUR-SRV-PDC
Naming Context: DC=DomainDnsZones,DC=KajurMainOffice,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
The last success occurred at 2014-03-14 15:55:58.
23445 failures have occurred since the last success.
[Replications Check,KAJUR-SRV-PDC] A recent replication attempt
failed:
From DELLSERVER to KAJUR-SRV-PDC
Naming Context:
CN=Schema,CN=Configuration,DC=KajurMainOffice,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failu
re.
The last success occurred at 2014-03-14 15:55:58.
23458 failures have occurred since the last success.
The guid-based DNS name
2d0536d4-3559-4905-bfdd-1d8ca2f3d776._msdcs.KajurMainOffice.local
is not registered on one or more DNS servers.
[Replications Check,KAJUR-SRV-PDC] A recent replication attempt
failed:
From DELLSERVER to KAJUR-SRV-PDC
Naming Context: CN=Configuration,DC=KajurMainOffice,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failu
re.
The last success occurred at 2014-03-14 15:55:57.
23430 failures have occurred since the last success.
The guid-based DNS name
2d0536d4-3559-4905-bfdd-1d8ca2f3d776._msdcs.KajurMainOffice.local
is not registered on one or more DNS servers.
[Replications Check,KAJUR-SRV-PDC] A recent replication attempt
failed:
From DELLSERVER to KAJUR-SRV-PDC
Naming Context: DC=KajurMainOffice,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failu
re.
The last success occurred at 2014-03-14 15:55:58.
23447 failures have occurred since the last success.
The guid-based DNS name
2d0536d4-3559-4905-bfdd-1d8ca2f3d776._msdcs.KajurMainOffice.local
is not registered on one or more DNS servers.
......................... KAJUR-SRV-PDC failed test Replications
Starting test: RidManager
The DS has corrupt data: rIDPreviousAllocationPool value is not valid
No rids allocated -- please check eventlog.
......................... KAJUR-SRV-PDC failed test RidManager
Starting test: Services
NtFrs Service is stopped on [KAJUR-SRV-PDC]
Invalid service type: LanmanServer on KAJUR-SRV-PDC, current value
WIN32_SHARE_PROCESS, expected value WIN32_SHARE_PROCESS
......................... KAJUR-SRV-PDC failed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 08:37:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 08:42:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 08:47:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 08:52:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 08:57:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 09:02:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 09:07:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 09:12:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 09:17:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0xC00038D6
Time Generated: 11/21/2016 09:18:00
Event String:
The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 09:22:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 09:27:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 11/21/2016 09:32:46
Event String:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
......................... KAJUR-SRV-PDC failed test SystemLog
Starting test: VerifyReferences
......................... KAJUR-SRV-PDC passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... KajurMainOffice passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... KajurMainOffice passed test
CrossRefValidation
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... KajurMainOffice.local failed test
LocatorCheck
Starting test: Intersite
......................... KajurMainOffice.local passed test Intersite
The advanced page cannot be opened because of following error; the server is not operational
Hi MS server Team
Please help me
I have one file server, which is Microsoft Windows Server 2008 R2 Standard Edition, and 2 Active Directory servers, which are Microsoft Windows Server 2012 R2, implemented as Primary AD and Secondary AD.
The File Server 2008 R2 is a member of Active Directory, and I would like to give users permission on a shared folder, for example:
mmm Folder > Properties > Security > Add > Advanced (to set user name), but it shows the following:
The advanced page cannot be opened because of following error; the server is not operational
Assign Static IP to local user in dial in with Powershell
Hello
I am making a PowerShell script to create a local user and give him all dial-in permissions, and everything was done successfully. All I want to know is how to assign a static IP to a local user in dial-in with PowerShell. I didn't seem to find a command to assign an IP for every user.
Thanks in Advance
Unable to create Secondary zone with same name
I am doing an AD migration from ABC.com to XYZ.com.
I need to create an XYZ.com secondary zone in ABC.com,
but there is already a zone with the name XYZ.com available with some Exchange entries. How do I create a secondary zone of XYZ.com in ABC.com?
Regards,
Raju
RODC is demoted but still exist in AD
Hi,
I have demoted one RODC and I have removed all roles of it, but it is still showing in our AD. By default, when we remove roles it should be out of the domain. Can you explain anything? I did the demotion using the DCPROMO command.
Sugandh
KDC/Replication unable to fix
So I have been pounding on this for a few days.
hqdc1 Server 2008 R2 (FSMO)(PDC)
baldc1 Server 2008
stldc2 Server 2008
Opened up the DFS replication wizard to add a new DFS share that involves shares on multiple DCs. I get an "Access Denied".
Opened up a terminal to do a dcdiag on baldc1:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hqdc1$. The target name used was LDAP/69148d17-f64b-475e-b0c8-32154325634f3._msdcs.changed.for.this.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (changed.for.this.com) is different from the client domain (changed.for.this.com), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Tried to run the TechNet article: Reset-the-krbtgt-account-581a9e51
but that fails on step 2.
I am thinking it's time to break down the domain, and run an adprep or something similar to start over. Any ideas?
Continuing support for the DirSync LDAP extension?
We have seen that MS will be moving away from supporting the cloud-synch products Windows Azure Active Directory Sync ("DirSync") and Azure Active Directory Sync ("Azure AD Sync") in favour of Azure Active Directory Connect.
Has there been any official announcement regarding the LDAP control also called DirSync? My assumption is that it will continue to be a feature of future server products, because--you know, angry mob--but that is just my assumption.
Perhaps my search mojo is failing me but I cannot find an official clarification. Have any of you seen or heard anything?
Many thanks in advance.
Unable to open DNS service console and perform AD replication to one DC ?
People,
Can anyone here please share the steps to fix this issue where the Repadmin result is showing an error from PRODDC01-VM 192.168.1.200 into PRODDC02-VM 192.168.1.201?
Also, I cannot manage the PRODDC02-VM DNS locally or from PRODDC01-VM.
Here is some additional information:
PRODDC01-VM DCDIAG:
PS C:\> dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = PRODDC01-VM
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: SYDNEY\PRODDC01-VM
Starting test: Connectivity
......................... PRODDC01-VM passed test Connectivity
Doing primary tests
Testing server: SYDNEY\PRODDC01-VM
Starting test: Advertising
......................... PRODDC01-VM passed test Advertising
Starting test: FrsEvent
......................... PRODDC01-VM passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... PRODDC01-VM failed test DFSREvent
Starting test: SysVolCheck
......................... PRODDC01-VM passed test SysVolCheck
Starting test: KccEvent
......................... PRODDC01-VM passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... PRODDC01-VM passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... PRODDC01-VM passed test MachineAccount
Starting test: NCSecDesc
......................... PRODDC01-VM passed test NCSecDesc
Starting test: NetLogons
......................... PRODDC01-VM passed test NetLogons
Starting test: ObjectsReplicated
......................... PRODDC01-VM passed test ObjectsReplicated
Starting test: Replications
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source PRODDC02-VM
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
......................... PRODDC01-VM passed test Replications
Starting test: RidManager
......................... PRODDC01-VM passed test RidManager
Starting test: Services
......................... PRODDC01-VM passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x0000000C
Time Generated: 11/17/2016 20:44:40
Event String:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
A warning event occurred. EventID: 0x000727AA
Time Generated: 11/17/2016 20:44:45
Event String:
The WinRM service failed to create the following SPNs: WSMAN/PRODDC01-VM.KTM.COM; WSMAN/PRODDC01-VM.
A warning event occurred. EventID: 0x000003F6
Time Generated: 11/17/2016 20:44:57
Event String:
Name resolution for the name KTM.COM timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x0000168D
Time Generated: 11/17/2016 20:45:31
Event String:
The following DNS server that is authoritative for the DNS domain controller locator records of this domain controller does not support dynamic DNS updates:
A warning event occurred. EventID: 0x000003F6
Time Generated: 11/17/2016 20:45:31
Event String:
Name resolution for the name KTM.COM timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000003F6
Time Generated: 11/17/2016 20:46:02
Event String:
Name resolution for the name KTM.COM timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x00001796
Time Generated: 11/17/2016 20:54:40
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
......................... PRODDC01-VM passed test SystemLog
Starting test: VerifyReferences
......................... PRODDC01-VM passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : KTM
Starting test: CheckSDRefDom
......................... KTM passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... KTM passed test CrossRefValidation
Running enterprise tests on : KTM.COM
Starting test: LocatorCheck
......................... KTM.COM passed test LocatorCheck
Starting test: Intersite
......................... KTM.COM passed test Intersite
PS C:\>
PRODDC02-VM DCDIAG:
PS C:\Users\Administrator.KTM> dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = PRODDC02-VM
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: SYDNEY\PRODDC02-VM
Starting test: Connectivity
The host 94ddd95e-a625-4e14-987d-fca5ab9fdf59._msdcs.KTM.COM could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... PRODDC02-VM failed test Connectivity
Doing primary tests
Testing server: SYDNEY\PRODDC02-VM
Skipping all tests, because server PRODDC02-VM is not responding to directory service requests.
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : KTM
Starting test: CheckSDRefDom
......................... KTM passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... KTM passed test CrossRefValidation
Running enterprise tests on : KTM.COM
Starting test: LocatorCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
......................... KTM.COM failed test LocatorCheck
Starting test: Intersite
......................... KTM.COM passed test Intersite
PS C:\Users\Administrator.KTM>
From the below screenshot, you can see that the AD object created from PRODDC02-VM 192.168.1.201 is replicated successfully in PRODDC01-VM 192.168.1.200
Any help would be greatly appreciated.
Thanks.
/* Server Support Specialist */
Password reset permission with must change next login
Hello guys,
For some reasons the management would like to delegate reset password permission for the Help Desk Dep., but the "user must change next login" check box must be forced and grayed out (dimmed), so that none of the delegated users are able to uncheck that box. Is that possible or not? If possible, how can I do this delegation with that condition?
Mohamed Soliman System Administrator +971552997724
Replication issues
When I ran repadmin /showrepl I got the below error. Can anyone help me to troubleshoot the issue?
Source: XXX\XXXXXXX111
******* 42446 CONSECUTIVE FAILURES since 2016-11-12 16:36:19
Last error: 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
We have rebooted the server and checked; the issue still persists.
Windows Active Directory Custom Schema Attributes
Hi friends
Will try to explain the situation to the best of my knowledge.
Client: Commercial Bank
Users: 3000+
Domain Controllers (5) due to 3 Sites (Primary/Secondary and DR)
Infrastructure 95% Virtualized with exceptions: 1 Physical DC / Backup Server and 4 other servers related to Core Bank Apps
Hypervisor: ESXI 5.5
OS: Windows 2008 R2 and 2012 R2
1 DC is a Windows 2012 R2 all others are Windows 2008 R2.
The Windows 2012 R2 is the FSMO Roles Holder and it is a Physical Server
If you need more info please ask.
The subject:
4 Custom Attributes were created in 2013; these attributes correspond to Date of Admission / Date of Birth / Date of Dismiss / Date of Transfer and a Boolean attribute to show whether the user is at the HQ or not.
When these attributes were created they populated the new user accounts and also appeared on the accounts already in the system. There are several HR scripts running on an app which populate these attributes when required.
The problem:
Recently (not sure when) these attributes are not replicating or appearing on a few of the user accounts, and it has reached a level of concern due to HR not being able to report correctly when an employee has been hired, for example.
I thought this was a configuration issue at first and ruled that out; then I researched replicating the schema and checked for replication issues, and ruled that out as well. I created a few new users and none have the custom attributes associated with their accounts, and did several other troubleshooting steps.
What I have done so far:
1. Registry key to "allow schema updates"
2. MMC and modify the attribute to contain the option "Replicate this attribute to the Global Catalog"
3. Index this attribute
4. Force replication
5. Transferred the Schema Master to a Windows 2008 R2 DC, waited 72 hours, nothing happened, transferred back to the Windows 2012 R2.
6. Removed a user with the attributes in question and re-created them; the attribute never re-appeared.
7. Created several new users and the attributes don't appear.
8. Removed the custom attributes from the "USER CLASS", waited a couple of hours and re-added them in the hope that a schema replication would check the change and re-sync the user objects.
Not sure what I am missing...
I can see the custom attributes on all 5 DCs; if I make a change to them I can see the change replicated to other DCs.
I need these attributes to register with the end users so the HR software can populate them properly.
Can someone help me please?
Thanks for your time
Rui
sid history fileserver resource access via ad groups access denied
hi
We plan to migrate our root domain/sub domain setup to one central AD forest.
We want to use SID history to access shares in the old forest from the new forest.
ATM the shares are configured:
FileShareA:
Domain Admins -> Full Access
System -> Full Access
AD Group with Users -> Change
We did a test and created a new user in the new forest and added the SID of a user from the source forest to the SID history field...
The source user is in many AD groups to access different shares in the source forest, but the target forest user cannot access these shares (gets "Access Denied").
If we put the source user directly on a share without an AD group, the access works from the target user using SID history.
Now the question is: does SID history work with AD groups on resources? I tried all scopes (Local, Global, Universal); it doesn't matter. Only when I add the user directly to the share does it work.
thanks
harald
delegation of permissions to group
Hi Everyone,
I have a requirement wherein I need to delegate the permission to a group.
For example: I have a group called Testgrp and helpdesk users are the members of the group.
I want help desk users to be able to modify "Member of" items, like add or remove from the member of list from user properties. However, I want to restrict the helpdesk users from modifying group membership, i.e. users should not be able to add/remove users/groups to any group.
Kindly advise.
Thanks!!