Channel: Directory Services forum

KCC - Sites Connections

Hey Everyone;

There are 5 AD sites on my network. One site is my main office site and 4 are branch office sites; each site has 2 additional domain controllers (physically they are separate locations).

1 - When I check the connections for replication under dssite, some sites have no connection with the main office site. They have site connections just with each other, not with the main office DC (PDC), and because of that they can't replicate with the main site.

I ran the repadmin /kcc site:Branchoffice1 command to recreate the site connections, but again it just created connections with each other.

Should I create a manual site connection with the main office DC? Why doesn't the KCC create a connection with the main office?

2 - Is there a way to tell the KCC: don't create a connection with X DC? Because I will demote it soon.

Thank you.


To migrate Active Directory from Windows 2003 to Windows 2016

Team,

AD in my Organization is running on Windows 2003.

Please let me know if we can directly upgrade from Windows 2003 to Windows 2016 or do I have to follow any upgrade path.

Thanks in advance.


When joining domain, there says the specified network name is no longer available

Hi guys,


I met a strange issue. When a server is joining the domain, it shows that the following error occurred attempting to join the domain: the specified network name is no longer available.


The domain controller and the client server are all Windows 2012 R2 and in different locations.

I have tested dns with nslookup and looks fine.

Ports UDP 53 88 138 working, TCP 53 88 389 445 636 working.

UDP 137 can't be connected. But this didn't seem to be the cause.


Any suggestions?

Thanks in advance.

Impact of local user profile after computer migration

Hello Team,

Is there any impact for the local user profile after computer migration from ADMT?

Active Directory Backups

Hi

When I'm backing up my domain controllers, is the system state all I need to be backing up, or should I back up other folders like, say, Documents and Settings? Is the system state all that is required to get my DCs back up and running in a restore scenario?

Thanks

 

Reset password at next login not working for users, when using a computer from a Trusted Forest

Hi All,

Not sure if this is even the right place to ask this but I shall give it a go and see what happens. - Also I don't know if what I am asking is even possible.

As part of a user migration project I am moving users from Forest A to a Child Domain in Forest B. A 2 way transitive forest trust has been configured between forest A & B. New accounts have been created, SIDhistory is being used for file access and users are able to login to the Forest A Workstation using their Child Domain of Forest B username and password.

However when a user forgets their password and rings the helpdesk the service desk are setting the user must reset password at next login option on the user object in AD (nothing wrong with this). When the user attempts to login to the computer on Forest A using their Child Domain of Forest B username and the password given to them by the service desk an error is given and the login fails. (error message from the workstation is "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you")

Removing the tick on the AD object for the user for change password at next login and asking the users to reset their passwords using the Alt Ctrl & Del then selecting change password works as expected no problem.

Should this be working as expected in that the user should be able to change their password, or is what I am seeing correct and users can't change their passwords at first login using a trusted forest's computer objects?

Thanks in advance!



Physical to virtual conversion on domain controller

Is it recommended to do a P to V conversion for a domain controller?

Scenario: I have the FSMO role on a different server. I need to migrate one physical server to a VM. After conversion, what precautions do I need to take?

Server 2012 R2 Domain Controller stops accepting log in

I am having a strange random issue with the main domain controller not accepting log in from workstations and the DNS stops resolving, but after a reboot everything works again. This mainly occurs after a Windows update has been applied.

Any ideas what would cause the domain controller to stop authenticating users?


AD Certificate Services delegated install of enrollment web service

Working to stand up an internal AD CS environment and running into trouble with the Enrollment Web Service on a separate machine from the CA. Followed the delegation info at Delegated Installation for an Enterprise Certification Authority and successfully installed and configured the CA without requiring domain/enterprise admin rights. Now I'm attempting to install the enrollment web service and running into access denied errors. Docs don't mention delegated install for this and keep referring to domain admin rights being required. FWIW, this is what I'm attempting to run:

Install-AdcsEnrollmentWebService -AuthenticationType Kerberos -CAConfig 'subca.domain.tld\CA-NAME' -SSLCertThumbprint '<thumbprint>' -Verbose -WhatIf

And it's throwing:

VERBOSE: Checking whether the registry key for CES exists.
VERBOSE: Calling InitializeInstallDefaults method on the setup object.
Install-AdcsEnrollmentWebService : CCertificateEnrollmentServerSetup::InitializeInstallDefaults: Access is denied.
0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
At line:1 char:1
+ Install-AdcsEnrollmentWebService -AuthenticationType Kerberos -CAConf ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-AdcsEnrollmentWebService], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.CertificateServices.Deployment.Commands.CES.InstallAdcsEnrollmentWebService

Can anyone confirm whether the enrollment web service can be installed by a delegated admin? Suggestions appreciated.

AD LDS search bug on Windows Server 2012

Steps to reproduce:

  1. Install an AD LDS instance on Windows Server 2012.
  2. Create a partition, e.g. CN=MyPartition.
  3. Install one of the following updates: KB3156416 or KB3160352.
  4. Create 20 containers in the root of your partition.
  5. Run the following PowerShell script:
$port = 389
$computerName = "computer.domain.com"

$strFilter = "(&(objectCategory=Container)(|(showInAdvancedViewOnly=FALSE)(showInAdvancedViewOnly=TRUE)))"

$searchRoot = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$computerName`:$port/CN=MyPartition"

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $searchRoot
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

try
{
    $results = $objSearcher.FindAll()

    foreach ($objResult in $results)
    {
        $objResult.Path
    }
}
finally
{
    if ($objSearcher) { $objSearcher.Dispose() }
}

RESULT: None, i.e. the search will not return any results (though it should). Also, you will get the following exception:

System.DirectoryServices.Protocols.DirectoryOperationException: An operation error occurred.

If there are fewer than 20 containers or if you specify a page size for the DirectorySearcher interface, the script will return your containers.

Uninstalling the KBs mentioned in step 3 will fix the issue. Also, the same KBs do not cause the issue on other operating systems (we've checked on Windows Server 2012 R2, 2008 R2, 7, 8, 8.1 and 10).




Account lock issue

Hi, last week we transferred FSMO roles from the (Win 2008 STD) primary domain to the backup domain and users were able to authenticate properly. But for the last 2-3 days we have been facing an issue where users get an account locked out error while logging in to the system. If we check the account status in Active Directory, it shows the status as unlocked. Then, after rebooting the user's system, the user is able to log in.

Please guide.

How to design and configure Active directory in DR site

Hello

I have two datacenters (1 DC, 1 DR). Currently I have two servers for the root domain and two servers for the child domain in the DC site. Now I want to install one root and one child DC in the DR site. Currently in Active Directory there is only one site (default first site).

- So if I install in the DR site, do I need to divide the site?

- And for the DC site and the DR site, can I use the same subnet for the AD servers?

Thanks

           


Unable to access Domain controller from Different forest

Dear Team,

I am unable to access the domain controller of a different forest with the FQDN; the same is working fine through IP.

I am getting: the system detected a possible attempt to compromise security. Please ensure that you can contact the server that you authenticate.

I have added my login as a member of the administrator group of the other domain. Still the same issue.

I am able to access the domain controller with the FQDN from the different forest's domain controller but not from its member server.

How is it working from the domain controller but not from the member server?


Active Directory Sync Tool

Hello,

If I have multiple domains, one deployed with ADRMS (let's say "itfellas.rdms") and one which isn't (let's say "itfellas.local", where my users are located), both domains have users equivalent to each other. Now I would want to sync a number of users from the itfellas.local to the itfellas.rdms domain, kind of like how DirSync works between your local AD environment and Azure.

Is there such a tool in MS that would allow me to do that?

The point is, I would like to deploy several services in my laboratory and I want the domain to be the boundary between the domain the actual users use to log in, and a separate domain to deploy the services, like RDMS, ADCS, etc., but I want them to have synced information (including passwords) between the domains so that there is only one point of entry for user information changes.


For God, and Country.

Can we prevent Computer Objects with a particular OS from joining an Active Directory domain?

Hi,

Is there a method whereby we could prevent a Computer Object with a particular OS, say 'Mac OS X' or 'Windows XP Professional' from joining an Active Directory domain?  The intention is to support our Security/Governance practice.


Thanks for your help! SdeDot


Non-functioning domain controller following ip address change

Hi,

Our Environment is as follows:

4 x Windows Server 2008 DCs. 2 are located in the HQ and 1 each in remote sites.

I recently introduced a new DC in our HQ - Server 2012 DC - this DC is a Hyper-V VM. This VM will be replacing one of the other DCs in our HQ on which there are hardware issues (but the DC is up and running).

As we have some applications that refer to the DC by IP address, I changed the IP address of the new DC to match the IP of the DC we will be decommissioning.

After I changed the static IP address of the Server 2008 DC in our HQ (so that I could give the Server 2012 VM its IP), some strange things are happening. I cannot browse from this DC to any other server using \\servername. Also, I tried to run dcpromo to demote this DC but get the following error:

"The operation failed because: Managing the network session with SERVER2012DCVM failed. "This network connection does not exist""

Basically, there appear to be networking issues on the DC I am trying to demote. I would not like to forcefully demote this server just yet.

Any help much appreciated.

AD 2008 R2 Forest recovery

I have a single domain, single forest architecture. AD is Win2008 R2, 2 sites, 2 DCs in each site. I have a full backup of system state taken from all DCs in place.

The AD database got corrupted totally, and I want to rebuild my AD from scratch from the system state backup. I want to know about the process of full AD recovery and how to recover all DCs.


Site to site replication

Hi, 

We have 4 domain controllers - all are in different locations and in separate AD sites. How can I speed up replication times between the domains? Once a user is locked out, we are having to look for the domain controller they are locked out on and then unlock them on that domain controller, because the other DCs aren't aware of the lockout yet.

Thank you

Replication issue with The destination server is currently rejecting replication requests.

I am facing an issue with one of the 2003 DCs in our environment.

Error: The destination server is currently rejecting replication requests.

I have tried the steps below to troubleshoot the issue.

1. C:\>repadmin /options

repadmin running command /options against server localhost
Current DC Options: DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL

repadmin /options DCNAME -DISABLE_OUTBOUND_REPL

repadmin /options DCName -DISABLE_INBOUND_REPL

After 15 min it's going back.

2. Checked the USN that each domain controller believes is correct for itself and its replication partners.

There are a lot of differences between partners.

C:\Program Files\Support Tools>repadmin /showutdvec XXXXXXX dc=XXX,dc=XXXX,dc=XX
Caching GUIDs.
..
Default-First-Site-Name\XXXXXXX (retired) @ USN   2143536 @ Time 2014-02-15 20:11:17
Default-First-Site-Name\XXXXXXX  @ USN   8241008 @ Time 2016-11-28 09:16:36
Default-First-Site-Name\XXXXXXX  @ USN  10352861 @ Time 2016-11-12 13:17:51
Default-First-Site-Name\XXXXXXX  @ USN   7625864 @ Time 2016-11-12 13:20:09
Default-First-Site-Name\XXXXXXX  @ USN   8139345 @ Time 2016-11-12 13:18:42

Can anyone suggest how I can fix the issue without demoting the DC?


Change password not working

Good Morning

Since some security updates, there are users who get the following error when they want to change their password.

It is impossible to change it on my laptop because it displays a message "The system detects a possible attempt to compromise the security, the security of being able to contact the server than the authentic one"

Have you reported this problem? Happens more or less since August.

Active Directory on Windows Server 2008 R2

Clients: Windows 7 Enterprise

Thank you in advance
