Hi,
my issue is that i have 20 internal users and approx. 45,000 clients.
My 20 users need to access the server, but, for 45,000 clients they do not need access to the server but, we need to store there login credentials just to do the SSO (Single Sign On). Do we need CAL licenses for the 45,000 users?
Hi,
We have a main office in London, UK. And a remote site in Asia with a read-only domain controller. This RODC is an authorized DHCP server for a scope which is unique to the Asia office.
This past weekend their internet connection went down for 72 hours, from Friday night until Monday night. Shortly after it went down, the RODC started logging Event 1059 "The DHCP service failed to see a directory server for authentication". Unsurprising. It also stopped responding to clients on the network.
This caused havoc with the clients as when they booted up on Monday morning, DHCP was not running so they all received a 169.x.x.x address.
My question is if a RODC could not reach another AD server, how long is it before the DHCP service on RODC stops?
And would having a RWDC in that office overcome this issue?
Thanks in advance.
I'm planning to upgrade my dcs from 2008 r2 to 2012 r2. I added the first 2012 r2 dc to my domain and its working fine.we have a GPO for the NTP server with wmi filter "PDCe filter". now I'm planning to move the FSMO rules to the new dc and shutting down the old master for a day or two before demoting it then proceed with the rest of dcs one by one. is this right?
will there be any effect on the users or services (especially exchange 2016)?
Hello,
in our Environment we have three Domains in one Active Directory Forests. Each Domain has two DCs. In one Domain i want to configure an Webapplication to (ldap) query the global catalog for Informations from another Domain.
For testing purposes i tried to query by simple Linux-Ldapsearches, which works fine most of the time. But there is my Problem. It does not work reliable, because sometimes the ldapsearches take about 1 Minute. These long running Queries seems to be the reason which makes my Webapplication time out.
My assumption is, that these long running queries appear, when the DCs from this Domain replicate (I checked the times with repadmin /showrepl and it looks like there is an coherence.)
Our Windows Guy cant help me out, so i hope somebody here does have experience in this field. Is it ok to use the Global Catalog for this requirement? Why is this happening? Has somebody ideas for further troubleshooting? It would be nice to use the GC, because if this works i do not have to use an LDAP-Proxy for this.
best regards
Stefan
Hi Everyone,
I have requirement where in I need to delegate the permission to group.
For ex: I have group called Testgrp and helpdesk users are the members of the group.
I want help desk users should be able to modify "Member of" items, like add or remove from the member of list from user properties. However i want to restrict the helpdesk users to not modify group membership like users should not be able to add/remove user/groups to any group.
Kindly Advice
Thanks!!
Hi All,
Not sure if this is even the right place to ask this but I shall give it a go and see what happens. - Also I don't know if what I am asking is even possible.
As part of a user migration project I am moving users from Forest A to a Child Domain in Forest B. A 2 way transitive forest trust has been configured between forest A & B. New accounts have been created, SIDhistory is being used for file access and users are able to login to the Forest A Workstation using their Child Domain of Forest B username and password.
However when a user forgets their password and rings the helpdesk the service desk are setting the user must reset password at next login option on the user object in AD (nothing wrong with this). When the user attempts to login to the computer on Forest A using their Child Domain of Forest B username and the password given to them by the service desk an error is given and the login fails.
Removing the tick on the AD object for the user for change password at next login and asking the users to reset their passwords using the Alt Ctrl & Del then selecting change password works as expected no problem.
Should this be working as expected in that the user should be able to change their password or is what I am seeing correct and users cant change their passwords at first login using a trusted forests computer objects?
Thanks in advance!
Hello
I have two datacenter (1 DC, 1 DR) , current I have two server for root domain and two server child domain IN DC site , now I want install one root and one child DC in DR site , Current in active directory only one site (default first site) ,
- So if install in DR site I need must divide site ?
- and DC site and DR site I can use same subnet for AD server ?
Thanks
Hello,
If I have multiple domain, one deployed with ADRMS (lets say "itfellas.rdms" and one which dont (lets say "itfellas.local" where my users are located), both domains have users equivalent to each other. Now I would want to sync a number of users from the itfellas.local to the itfellas.rdms domain, kinda like how the DirSync works in your local AD environment and Azure.
Is there such a tool in MS that would allow me to do that?
The point is, I would like to deploy some several services in my laboratory and I want the domain to be the boundary between the actual users use to login to the domain, and a separate domain to deploy the services, like RDMS, ADCS, and etc, but I want them to have a synced information (including Passwords) between domain so that there is only one point of entry for user information change.
For God, and Country.
Hi All,
I am not sure what kind of permissions required to work on RSAT.
Today just for testing purpose installed RSAT tool on one of the windows 8.1 laptop and logged in with normal domain user and accessed the RSAT and tried adding users to Group , creating new user in AD and it allowed me to do the changes and create new user.
I am shocked on seeing this behavior.
can some one help me understanding on what kind of permissions required to work with RSAT.
I was under impression that only Domain Administrator can make the changes in AD.
Regards
-Atul
TheAtulA
We have several Windows 2012 R2 servers that system reserved partition(350MB) is automatically
mounted to c:\foldername. mounvol shows the mountpoint. removed mounted volume and even the directory in drive c:
made mountvol /N. After 5 min, the mounted volume came back again.
Is there a way to find out which app automatically mount system reserved partition? how can we disable it?
Thank you!
i am doing AD migartion from ABC.com to XYZ.com
I need to create XYZ.com secondary zone in ABC.com
but already there is a zone with the XYZ.com available with some exchanage entries. how to create Secondary zone of XYZ.com in ABC.com.
Regards,
Raju
Hi all
and the only changed attribute was password last set for a valid user account.
what I can't understand how ANONYMOUS is doing this change???
all our DC's running windows 2012 r2 with windows server 2008 function level.
We have 20,170,1000 machine in 3 domains, we have to do plan for computer migration. what would be the break up plan.
How many machine we can migrate approximately per day. so that i can make a plan accordingly.
Hello, I have a .cer file and want to map it to a user account in AD using PowerShell. I tried with this command :
Set-ADUser TestUser1 -Certificates @{Replace=$cert1,$cert2}
But does not put the certificate in the mappings, it puts it in the Public Certificates
Thanks for any help.
For our domain controllers (4 x 2008 R2), we have an account lockout policy:
- Duration: 30 min
- Threshold: 20 attempts
- Reset: after 30 min
We have two views in the event viewer:
- One for Event ID 4625 (invalid attempts)
- One for Event ID 4740 (locked)
For one specific user, we occasionally (once every few months) see a lockout (4740), but no preceding invalid login attempts (4625). On any domain controller. For other users, this is not the case, we see preceding invalid login attempts prior to the lockout
event.
Our audit policy should be sufficient:
Logon/Logoff
Logon Failure
Logoff No Auditing
Account Lockout Success and Failure
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon Success and Failure
Other Logon/Logoff Events Success and Failure
Network Policy Server Success and Failure
Regards,
Ruben
Hi guys,
I met a strange issue. When a server joining domain, there shows the following error occurred attempting to join the domain, the specified network name is no longer available.
The domain controller and the client server are all windows 2012 R2 and in different location.
I have tested dns with nslookup and looks fine.
Ports UDP 53 88 138 working, TCP 53 88 389 445 636 working.
UDP 137 can't be connected. But this didn't seem to be the cause.
Any suggestions?
Hello ,
I need details on NANO DNS Server in details...documentation .
Writing a case study on Nano DNS server as alternative of infoblox or bluecat, need some documentation on the NANO DNS server usage.
Regards,
Rohit Singh
When I ran the repadmin /showrepl getting the below Error, can anyoone help me to troubleshoot the issue
Source: XXX\XXXXXXX111
******* 42446 CONSECUTIVE FAILURES since 2016-11-12 16:36:19
Last error: 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
We have rebooted the server and checked still issue persisit