Quantcast
Viewing all 31638 articles
Browse latest View live

Notification Active Directory changes via Mail alert

December 29, 2016, 12:26 am
$
0
0

Hi,

I want to get mail alert if any changes done in Active directory. like new User creation and user deletion, computer object creation and deletion, OU movement alert, account password reset alert, account locked out alert.

Please suggest any one how it's done via POWERSHELL...

I found one AD group membership changes mail alert powershell script in technet and lazywinadmin page. please find the below screen shot. (https://gallery.technet.microsoft.com/Monitor-Active-Directory-4c4e04c7)

I need this kind of mail alert in User creation and deletion, Computer account creation and deletion, OU movement, Account password reset, Account Locked out alert.

Please any one help this out. Please suggest any idea on this.....

Thanks & Regards,

Arun C


Image may be NSFW.
Clik here to view.

Search

inconsistant share access in a file server with Domain Controller exceeded tombstone (forcebly demoted)

January 3, 2017, 12:01 am
$
0
0

hello everybody

I have an issue in my Share in the file server, the shares are not consistant

nslookup lookup to the server with the name works (not FQDN)

when I access with the name only \\servername\            it fails with access denied.

when I access with FQDN it success   but sometimes rarly fails with access denied

when I access with IP it success but sometimes fails with access denied.

the user I'm using is a domain admin and in the security tab of the shares local administrators have full controll and my user also has full controll.

I don't know what's going on, please help

this file server was also a domain controller exceeded tombstone life time.

this problem occured when I forcebly demoted the the DC

scom 2012

January 2, 2017, 10:51 pm
$
0
0
 

 Recently i am facing with my sql disk is getting full , The operations manager datawarehouse is growing and we tried the shrinking of log files , again the disk is getting full within 30 min.

then have created the space around 50 GB on  sql disk , the disk getting full within 30  min .

run the DWDatarp , found that the configuration data set  showing the 99% of the disk utilization .

I checked with another Scom server , configuration data set showing only  10 % of the disk utilization

Dataset name                   Aggregation name     Max Age     Current Size, Kb
------------------------------ -------------------- ------- --------------------
Alert data set                 Raw data                  10        17,512 (  0%)
Client Monitoring data set     Raw data                  30             0 (  0%)
Client Monitoring data set     Daily aggregations       400            32 (  0%)
Configuration dataset          Raw data                  30   289,485,560 ( 98%)
Event data set                 Raw data                  10     1,731,888 (  1%)
Microsoft.Exchange.2010.Dataset.AlertImpact Raw data                   7             0 (  0%)
Microsoft.Exchange.2010.Dataset.AlertImpact Hourly aggregations        3             0 (  0%)
Microsoft.Exchange.2010.Dataset.AlertImpact Daily aggregations       182             0 (  0%)
Microsoft.Exchange.2010.Reports.Dataset.Availability Raw data                 400            16 (  0%)
Microsoft.Exchange.2010.Reports.Dataset.Availability Daily aggregations       400             0 (  0%)
Microsoft.Exchange.2010.Reports.Dataset.TenantMapping Raw data                   7             0 (  0%)
Microsoft.Exchange.2010.Reports.Dataset.TenantMapping Daily aggregations       400             0 (  0%)
Microsoft.Exchange.2010.Reports.Transport.ActiveUserMailflowStatistics.Data Raw data                   3            24 (  0%)
Microsoft.Exchange.2010.Reports.Transport.ActiveUserMailflowStatistics.Data Hourly aggregations        7         1,648 (  0%)
Microsoft.Exchange.2010.Reports.Transport.ActiveUserMailflowStatistics.Data Daily aggregations       182           480 (  0%)
Microsoft.Exchange.2010.Reports.Transport.ServerMailflowStatistics.Data Raw data                   7           152 (  0%)
Microsoft.Exchange.2010.Reports.Transport.ServerMailflowStatistics.Data Hourly aggregations       31            80 (  0%)
Microsoft.Exchange.2010.Reports.Transport.ServerMailflowStatistics.Data Daily aggregations       182           144 (  0%)
Microsoft.Windows.Client.Vista.Dataset.ClientPerf Raw data                   7             0 (  0%)
Microsoft.Windows.Client.Vista.Dataset.ClientPerf Daily aggregations        91             0 (  0%)
Microsoft.Windows.Client.Vista.Dataset.DiskFailure Raw data                   7             0 (  0%)
Microsoft.Windows.Client.Vista.Dataset.DiskFailure Daily aggregations       182             0 (  0%)
Microsoft.Windows.Client.Vista.Dataset.Memory Raw data                   7             0 (  0%)
Microsoft.Windows.Client.Vista.Dataset.Memory Daily aggregations        91             0 (  0%)
Microsoft.Windows.Client.Vista.Dataset.ShellPerf Raw data                   7             0 (  0%)
Microsoft.Windows.Client.Vista.Dataset.ShellPerf Daily aggregations        91             0 (  0%)
Microsoft.Windows.Client.Win7.Dataset.ClientPerf Raw data                   7            16 (  0%)
Microsoft.Windows.Client.Win7.Dataset.ClientPerf Daily aggregations        91            16 (  0%)
Microsoft.Windows.Client.Win7.Dataset.DiskFailure Raw data                   7             0 (  0%)
Microsoft.Windows.Client.Win7.Dataset.DiskFailure Daily aggregations       182            32 (  0%)
Microsoft.Windows.Client.Win7.Dataset.Memory Raw data                   7             0 (  0%)
Microsoft.Windows.Client.Win7.Dataset.Memory Daily aggregations        91             0 (  0%)
Microsoft.Windows.Client.Win7.Dataset.ShellPerf Raw data                   7             0 (  0%)
Microsoft.Windows.Client.Win7.Dataset.ShellPerf Daily aggregations        91             0 (  0%)
Performance data set           Raw data                  10       453,304 (  0%)
Performance data set           Hourly aggregations       10       928,008 (  0%)
Performance data set           Daily aggregations        30        62,504 (  0%)
State data set                 Raw data                  10       162,992 (  0%)
State data set                 Hourly aggregations       10       751,856 (  0%)
State data set                 Daily aggregations        10       362,416 (  0%)

Active Directory user and group migration Issue through ADMT

January 3, 2017, 12:34 am
$
0
0

Hi Team,

scenario : migrating domain controller to other 

trust is built between the domain controllers and observed that it is working fine

ping and admin privileges are also working fine

when i start migrating the user i am getting the below error which is stopping me to migrate the user and groups

attached here with the error message. 

Image may be NSFW.
Clik here to view.

 please suggest what needs to be done.

Thanks in advance.

BalaY

schedule backup for GPOs using a script

January 3, 2017, 4:53 am
$
0
0

Hi,

I need to create a scheduled task and run it on the Domain Controllers each night to backup the Group Policies using a script. The resultant GPO backup will be placed on a file server share. The GPO’s will be need to be kept on disk for 30 days after which they will be deleted as part of the scheduled task.

Can you help me writing the script and how achieve the requirements above?

How To Change The whenCreated field in Active Directory

January 2, 2017, 2:00 pm
$
0
0

I have a user account which I want to modify the creation date. I found some info on another forum but it wasn't to detailed and didn't work for me when I went and tried it. My testing environment is all on Windows Server 2016. 

Login as a member of Schema Admins (preferably on the Schema Master FSMO)

Launch LDP.EXE

Connect to the Schema Master FSMO using LDP.EXE

Bind to the Schema Master using an account with Schema Admin permissions.

From the Browse menu, choose Modify

In the Modify dialog box, leave the DN field blank, and type schemaUpgradeInProgress in the Attribute field. In the Value field, enter the number 1. Click the Enter button, then click the Run button.

Close the Modify dialog box.

Launch ADSIEDIT.MSC and modify the mAPIID values for the necessary attributes. (You may need to wait for the Active Directory to replicate.)

Run LDP again, and change the value of schemaUpgradeInProgress from 1 to 0.

From the Active Directory Schema console, right click on the console and choose "Reload the Schema"

Is there any more detailed methods on how to accomplish this task?

Active Directory Forest Mergers / consolidation

November 19, 2013, 3:13 am
$
0
0

Hi Everyone

I'm in the project planning phase of 5 to 1 new AD forest merger. I plan on using a migration manager like Quest or NetIQ. This is strictly an AD migration, no Exchange servers in the environment. I haven't build the lab environment yet, so I can't yet test any solution, however we will be performing test migration. I'm attempting to estimate time / effort and resources for this migration. 

My question:

When planning the AD User object migration, how many objects should I realistically plan to migrate per evening? Should I plan for 100/evening, 500/evening, 1000...?

What should I expect as a margin for error? How many support calls should I expect to receive per migration batch?

Same question with regards to workstations and servers? 

Any help is appreciated.


Ernie Prescott

Windows XP supported client operating system in Windows Server 2012 R2 domain?

January 3, 2017, 7:29 am
$
0
0

Hello,

We're in a process to upgrade our Domain Controllers running 2008R2 to 2012R2.

This article implies that Windows XP is not supported client OS in 2012 domain. Is this correct? We still have about 10 XP boxes joined to our domain.

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/deploy/upgrade-domain-controllers-to-windows-server-2012-r2-and-windows-server-2012#a-namebkmksysreqsaoperating-system-requirements

Search

Event ID 4768 | Result Code 0x12

December 21, 2016, 3:34 pm
$
0
0

We have an old Domain Admin account that we're retiring, the account has been disabled but seems to be requesting Kerberos tickets from one of the DCs, how can we track where or what is still using this account.

Below is the Event ID being generated:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Logged: 12/20/2016 16:54:53
Event ID: 4768
Level: Audit Failure
User:
Computer: DC3.domain.com

A Kerberos authentication ticket (TGT) was requested.

Account Information:
Account Name: AdminAcct
Supplied Realm Name: domain.com
User ID: S-1-0-0

Service Information:
Service Name: krbtgt/domain.com
Service ID: S-1-0-0

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810010
Result Code: 0x12
Ticket Encryption Type: 0xffffffff
Pre-Authentication Type: -

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.


Replication access was denied

January 3, 2017, 9:44 am
$
0
0

Hi Experts,we have 4 Writable domain controllers and 12 RODC.

When i type repadmin /replsummary /bydest /Bysrc in writable domain controller i get below error.."Replication access was denied" & "DSA operations is unable to to proceed because of a DNS lookup failure"

Could some one please guide me,how to troubleshoot this issue.

Image may be NSFW.
Clik here to view.



Senior System Engineer.

what rights are needed to do.....

January 3, 2017, 11:14 am
$
0
0

if you go into Computer Manager (on a remote machine) and drill down to:  Shared Folders \ Sessions what AD rights are required to end someone's session?    Does that require domain admin rights or can you grant limited rights and if so which rights?

Image may be NSFW.
Clik here to view.

mqh7

how to remove orphaned domain trust user account

January 3, 2017, 12:11 pm
$
0
0
I see an account under the Users container, named XYZ$, its userAccountControl attrobute is set to 2080 (PASSWD_NOTREQD | INTERDOMAIN_TRUST_ACCOUNT).  I assume this account was used for some sort of a domain trust relationship, however it was created years ago and nobody recalls.  I would like to remove this account.  One odd thing I noticed is the lastLogonTimestamp is unexpected, contains a value from one year ago.  I am not sure how that could be, but either way that is a fairly long time ago (by logon standards for anything that should be actively used).  I would like to remove this account, but keep getting permissions denied no matter what I try.

Who will be crowned the First Windows Server Guru of 2017!!

January 3, 2017, 6:07 pm
$
0
0

Image may be NSFW.
Clik here to view.

Time for a fresh start!

Image may be NSFW.
Clik here to view.

[The Guru is the means of realisation. "There is no knowledge without a teacher."]

We're looking for the first Gurus of 2017!!

All you have to do is add an article to TechNet Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.

A snippet you share can make you a January 2017 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet recognition!

HOW TO WIN 

Image may be NSFW.
Clik here to view.

Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed).

Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favorite technology will help us learn the active members in each community. 

Feel free to ask any questions below.

More about TechNet Guru Awards.

Image may be NSFW.
Clik here to view. signature		  Ronen Ariely
 [Personal Site]    [Blog]    [Facebook]   [Linkedin]

Windows Could not connect to the group policy client service.

January 3, 2017, 7:59 pm
$
0
0

Hello Experts....One of our client is facing this issue on Windows 10 & 8 client machines. They can not login, it gives an error "Windows Could not connect to the group policy client service".There are multiple users who are facing this issue. 

Can you please help me what could be the problem. I am unable to resolve this. DC is running on Windows Server 2012 R2.

Thanks,

Sim

ad user attributes backup & restore

December 31, 2016, 1:55 am
$
0
0

Dear team

   How to backup & restore AD user attributes in windows 2012 R2. If it is possible GUI mode backup & restore.

please guide me how to take backup & restore AD users

Search

How to edge browser group policy block with windows 10 version 1607

January 3, 2017, 11:33 pm
$
0
0

Hello all ; 

I'm try again and again search group policy with windows 10 edge browser blocked ; but not anything i found it .

About the process any idea ? 

I'm waiting for your ideas . 

Help figuring out what's locking a domain account

January 4, 2017, 1:21 am
$
0
0

Hello,

I need some help figuring out why an account is locked out on a daily basis. It is done on a SQL server and apparently by the SSRS.

Here's the event:

An account failed to log on.

Subject:
Security ID:S-1-5-80-1343824832-3923883481-2178675695-19353822-2341032094
Account Name:ReportServer$XXXXX
Account Domain:NT Service
Logon ID:0x3419C

Logon Type:2

Account For Which Logon Failed:
Security ID:S-1-0-0
Account Name:xxxxx
Account Domain:xxx

Failure Information:
Failure Reason:Unknown user name or bad password.
Status:0xC000006D
Sub Status:0xC000006A

Process Information:
Caller Process ID:0xafc
Caller Process Name:E:\Microsoft SQL Server\MSRS11.XXXXX\Reporting Services\ReportServer\bin\ReportingServicesService.exe

Network Information:
Workstation Name:LONSQL1
Source Network Address:-
Source Port:-

Detailed Authentication Information:
Logon Process:Advapi  
Authentication Package:Negotiate
Transited Services:-
Package Name (NTLM only):-
Key Length:0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

So it looks like the SQL Server Reporting Services is trying to use the referenced domain account for something. However I am unable to find any tasks that might be using those credentials. 

Is there a good way to figure out what is calling out for this process to run?

Thank You,

Wojciech

Site Link Bridges required for this architecture or not?

January 4, 2017, 12:55 am
$
0
0

I'm a little unsure on whether or not I should use Site Link Bridges with BASL disabled for my new AD design or not.  It is, essentially, a multi-hub and spoke architecture with a hell of a lot of WAN links.  

I'll try to keep it simple...

There is a main hub, EARTH, that can communicate with every single other site.

There are 6 other hubs each with a varying number of spokes off them.  The spokes cannot communicate with each and the hubs themselves cannot communicate with each other.  

So, for example, let's assume there are two other hubs called MARS and JUPITER, each with two spokes (MARS1, MARS2, JUPITER1 and JUPITER2).

EARTH can communicate with MARS, MARS1, MARS2, JUPITER, JUPITER1 and JUPITER2.

MARS can communicate with MARS1 and MARS2

JUPITER can communicate with JUPITER1 and JUPITER2

MARS1 and MARS2 cannot communicate, neither can JUPITER1 and JUPITER2.

MARS1/MARS2 cannot communicate with JUPITER1/JUPITER2

MARS cannot communicate with JUPITER

Obviously I need Site Links from EARTH to MARS and from EARTH to JUPITER and then individual Site Links from MARS to MARS1/MARS and JUPITER to JUPITER1/JUPITER2

However, do I then need to disable BASL and create Site Link Bridges containing the EARTH <> MARS, MARS <> MARS1 and MARS <> MARS2 Site Links or is simply OK to leave BASL enabled and ensure the Site Link Cost between EARTH and main hubs (i.e. MARS and JUPITER) are lower than the spoke Site Links?

We've had serious replication issues in the past due to poor replication design so my initial reaction was to disable BASL and strictly control replication with Site Link Bridges although I'm wondering if it would not simply be easier to leave BASL on and ensure that the Site Link Cost between EARTH and all main hubs be lower (say 50) than the cost between the hubs and their associated spokes


FIM R2 SP1 to MIM SP1 upgrade broke MIM Pwd Reset Portal

January 4, 2017, 2:38 am
$
0
0

Hi All,
After migrating from FIM R2 SP1 to MIM SP1 we are facing issue withpassword reset using the MIM Pwd Reset Portal.
Every time it is failing after weprovide the new password and confirmation password page. Below are the event viewer details.
[Note: Q & A and OTP isworking perfectly. Microsoft.CredentialManagement.ResetPortal]

If any one faced similar issue please share the experience. We tried few solution which was already posted in forum related to below error but no luck.

Error 1:Microsoft.IdentityManagement.CredentialManagement.Portal:System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: The Request contains changes that violate system constraints. ---> The web service client has encountered the following class of error: SystemConstraint Details: Failed Attributes: Additional Text Details: The Request contains changes that violate system constraints. Correlation Identifier: f66c1f53-9634-4182-9e4c-a195147d144b Failure Message: Request Identifier: --- Endof inner exception stack trace --- at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetChallenge(String domain, String userName, ChallengeContext gateChallengeResponse) at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(Stringdomain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler) at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.ResetDriver.InitiatePasswordReset(String domain, String username) at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.MoveToAuthenticationGates() at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) --- End of inner exception stack trace --- at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs) at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e) at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e) at System.Web.UI.TemplateControl.OnError(EventArgs e)at System.Web.UI.Page.HandleError(Exception e) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously

Error: 2 The error page was displayed to the user. Details: Title: Access denied. Message: Error processing yourrequest: The operation was rejected because of access control policies. Source: The supplied request content violates system rules. Attributes: Details: The Request contains changes that violate system constraints. CorrelationId: f66c1f53-9634-4182-9e4c-a195147d144b RequestId: ErrorCode: 3001 CaughtTime: 01/02/2017 21:38:43 Web Portal: FIM Password Reset Portal Session Id: anxyhd55ox5lflbxcqszl155

Aswathy Raj



kinit command is not able to fetch/read C:\Windows\krb5.ini file on widnows 2012 server R2

December 21, 2016, 5:00 am
$
0
0

Hi

In order to get a Kerberos ticket, I have created krb5.ini file (*1) on Windows server 2012 machine (*1) at location C:\windows\krb5.ini, but while trying to executekinit command by Administrator user below error occurred:

Exception: krb_error 0 Could not load configuration file c:\winnt\krb5.ini (The system cannot find t
he path specified) No error
KrbException: Could not load configuration file c:\winnt\krb5.ini (The system cannot find the path s
pecified)
        at sun.security.krb5.Config.<init>(Config.java:143)
        at sun.security.krb5.Config.getInstance(Config.java:75)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:137)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: java.io.FileNotFoundException: c:\winnt\krb5.ini (The system cannot find the path specified)

(*1) krb5.ini is as follows:

[libdefaults]
 default_realm = domain name
dns_lookup_kdc = true
dns_lookup_realm = true
 default_keytab_name = FILE:<keytab file location>
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
[realms]
        domain name = {
   kdc = machine name.domain name
              default_domain = domain name       
}

Please help.

Thank You

Viewing all 31638 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>