
AD Replication

What happens to AD Replication in Server 2008R2, when two different Admins create an identical user in the same domain, but from different locations?

Create and update a system variable for the current site

Hello.

Sorry if this is the wrong forum for this, but I need some help with a system variable.

Imagine a user using his laptop in London, hibernates it and takes a plane to Tokyo and continues there without a reboot. He just unlocks his laptop as it comes out of hibernate. I need to create and update a system variable depending on which AD site the client is located in. This variable has to update itself automatically depending on where the computer is located, and it can't require a reboot.

I have used GP Preferences to create a system variable named "CurrentSite" and I'm trying to set its value to the current site in AD based on the client's IP address, something like the output from "nltest /dsgetsite". But here comes the challenge: I've created a .bat file like this

@echo off
nltest /dsgetsite>c:\batch\currentsite.txt
set /p CurrentSite=<c:\batch\currentsite.txt
del c:\batch\currentsite.txt
rem set /p only changes this cmd session; persist it machine-wide (setx /M needs admin rights)
setx CurrentSite "%CurrentSite%" /M

but when I run it the output is this (There's a 1 and a 0 in the middle of the line now)
C:\Batch>nltest /dsgetsite 1>c:\batch\currentsite.txt
C:\Batch>set /p CurrentSite= 0<c:\batch\currentsite.txt
C:\Batch>del c:\batch\currentsite.txt
Also, I'm not sure how to get rid of the "The command completed successfully" output and how that would interfere. The funny thing is that this worked earlier, but now it fails every time and I haven't touched the script.

The second challenge is to have this updated automatically. I've tried to set up a scheduled task using Group Policy Preferences which runs this batch file whenever a user logs on or unlocks his workstation, but it looks like the triggers aren't working. Any suggestions?

Also, if anyone knows a better way to solve this, I'd love to hear it.

Thank you all in advance


Regards Per-Torben Sørensen
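An added example (not the poster's script) that does the same job in PowerShell, so the logon/unlock scheduled task can call it: it looks up the computer's AD site and writes the machine-scope variable without a reboot. Assumed: the client is domain-joined and the task runs elevated; the variable name CurrentSite comes from the post.

```powershell
# Added example (not from the original post): resolve the client's current
# AD site and publish it as the machine-wide variable "CurrentSite".
# Assumptions: domain-joined client, script runs elevated (e.g. as SYSTEM from
# the logon/unlock scheduled task); keep the script folder writable by
# administrators only, since whatever is placed there runs with the task's rights.
$VariableName = 'CurrentSite'

function Get-CurrentAdSite {
    # Same lookup nltest /dsgetsite performs, via .NET; avoids the temp file.
    try {
        return [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    } catch {
        # Fallback: parse nltest. The first non-empty line is the site name;
        # the trailing "The command completed successfully" line is dropped.
        $lines = & nltest.exe /dsgetsite 2>$null
        if ($LASTEXITCODE -ne 0) { throw 'nltest /dsgetsite failed; is a DC reachable?' }
        $site = $lines | Where-Object { $_ -and $_ -notmatch 'completed successfully' } |
                Select-Object -First 1
        if (-not $site) { throw 'nltest /dsgetsite returned no site name' }
        return $site.Trim()
    }
}

function Send-EnvironmentChange {
    # Tell running processes (Explorer included) to re-read the environment
    # block, so programs launched afterwards see the change without a reboot.
    $sig = @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern IntPtr SendMessageTimeout(IntPtr hWnd, uint Msg, UIntPtr wParam,
    string lParam, uint fuFlags, uint uTimeout, out UIntPtr lpdwResult);
'@
    $u32 = Add-Type -MemberDefinition $sig -Name 'EnvBroadcast' -Namespace 'Win32' -PassThru
    $result = [UIntPtr]::Zero
    # HWND_BROADCAST = 0xFFFF, WM_SETTINGCHANGE = 0x1A, SMTO_ABORTIFHUNG = 0x2
    [void]$u32::SendMessageTimeout([IntPtr]0xFFFF, 0x1A, [UIntPtr]::Zero,
        'Environment', 0x2, 5000, [ref]$result)
}

$site    = Get-CurrentAdSite
$current = [Environment]::GetEnvironmentVariable($VariableName, [EnvironmentVariableTarget]::Machine)
if ($current -ne $site) {
    # Machine scope is registry-backed (HKLM ...\Environment); no reboot needed.
    [Environment]::SetEnvironmentVariable($VariableName, $site, [EnvironmentVariableTarget]::Machine)
    Send-EnvironmentChange
    Write-Output "$VariableName updated: '$current' -> '$site'"
} else {
    Write-Output "$VariableName unchanged: '$site'"
}
```

Only processes started after the broadcast see the new value; a cmd window that was already open keeps its old copy.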


change attribute property of default schema of ADLDS

I need to increase the default schema attribute rangeUpper for the attributes title (64), postofficeBox (40), etc.

Is there any impact on performance, search query or any operation?

W2K8 forest domain and sites and services

We have a Win 2K8 network. We have an empty forest root with 2 forest root domain controllers (call them forestdc1 and forestdc2). We have a domain in the forest with 3 domain controllers (call them domaindc1, domaindc2 and domaindc3). Everything is in one office building connected by LAN.

Are you supposed to put the 3 domain controllers (domaindc1, domaindc2 and domaindc3) in the sites and services of the forest root along with the forest root domain controllers (forestdc1 and forestdc2)?

How to Combine Multiple Active Directory forests using ADAM/LDS

The goal here is to configure an application that can speak LDAP, but only to ONE LDAP system. As I have 9 LDAP systems, I'm thinking of "combining" these multiple forests into a single LDAP database.

I have 9 forests (main forest Win2008R2 and 8 other forests, mixed Win2008/Win2008R2).

How can I create a local LDAP "metadirectory" to gather all forests in a single LDAP database?

I need to do something very similar as described in the doc:

"How to Combine Multiple Active Directory LDAP realms for use with Openfire.doc"

(in google: how to combine two active directory LDAP realms)

I tried to follow the procedure, but it relates to Win2003 and I have a 2008 domain.

Is there a way?

Is there any special consideration?

CA Migration

Hello, I am beginning the process of a CA migration on our domain; specifically there are two main questions that I would appreciate any clarifications on:

- What is the procedure to add the root CA to the GPO?

- Is the root CA in the GPO enough, or do both the root and the subordinate CA need to be in there?

Also if there are any links to documentation, that would be most helpful.

Thanks!

TS

Your account has expired. Please see your system Administrator "Server 2008 R2 Enterprise"

I came across one of the troubleshooting questions in the AD preparation exams that says you receive the message "Your account has expired. Please see your system administrator". All I know is that the password is what we can set to never expire or be changed. As for the account, it can be locked or disabled...!!

I searched and found some similar questions, but for older versions of Windows. I'm running Windows Server 2008 R2 Enterprise, but I can't find any tab in the user properties for the account expiry.

Server 2008 R2 DC DHCP folder incorrect permissions, being applied by Default Domain Controllers Policy

Hi

I have installed the first Server 2008 R2 domain controller in to my forest.  All other DCs are running Server 2003, and are a mix of R2 and non-R2.

Everything regarding the dcpromo etc. went OK, but I seem to be having an issue with the DHCP server role that I installed on the Server 2008 R2 DC.  There are errors being logged in the event log, referring to "Access denied".  The other thing it affected is trying to do a backup from within the DHCP console on the 2008 R2 DC.  It fails, same reason.

Testing, I added the "Network Service" account to the c:\windows\system32\dhcp folder and gave it read/modify rights.  I then tested the backup, and it worked.  The DHCP server service runs as Network Service, this must be standard as I've not changed it.

After I confirmed the backup had worked, I ran "gpupdate /force".  After doing this, the permission had been removed and the backup no longer functioned.

Please can somebody confirm whether there is a step that I may have missed, or if it is a known issue.  I notice a group in AD called DHCP Administrators, but even this group doesn't have permission on the folder.  Are my domain policies not upgraded for Server 2008 R2 DCs?

Many Thanks

Mark.


adding AD user account to local admin group doesn't work properly

hello

We are running a Win 2008 R2 domain controller with SP1. I have a strange issue with one user account. The strange behaviour happens when I try to add this account to the local Administrators group on any domain member server. When I type the user name in the "Select Users, Computers, Service Accounts, or Groups" box and click the "Check Names" button, I get the "Name not found" window. What I do is click the Locations button and select Entire Directory; then AD can find the user account.

Can anyone explain why this happens?


Systems Specialist

Is it possible to create a trust between domains in forests with the same NetBIOS domain name?

I have two forests:

abc.com forest with a child domain xyz.abc.com, and a second forest called abc.net.

abc.com and abc.net have the same NetBIOS name "abc".

The abc.com domain is an empty root domain; all resources and accounts are created in the xyz child domain.

I have to create a trust between xyz.abc.com and abc.net, but it's not possible because xyz already has a TDO (trust domain object) with the abc name?

The constraint is caused only between root domains.

What's the risk of renaming the NetBIOS name of the root domain of abc.com? In this forest we have Exchange 2010.

What is the impact if we temporarily break the trust between child and parent root?

Is there a workaround to permit mutual access to resources between xyz.abc.com and abc.net without double authentication?

Thanks


Lourh



DNS Query to UDP port 53 to PDC Times out

I am using PortQry to check the port connectivity between my domain controllers located in different sites. All the domain controllers return the DNS query to UDP port 53, whereas only one site's domain controllers, including the PDC, return the query as timed out. I have checked after disabling the Windows firewall as well. The PortQry result also mentions that UDP port 53 (domain service): LISTENING or FILTERED.

What can be the problem?

Unable to perform recovery in Directory Services Restore Mode

I'm trying to perform a recovery in Directory Services Restore Mode, but I can't because I can't get access to the backup, which is on a remote shared folder. I have no network access at all, which is causing the problem. The thing is, the moment I switch back to normal operation my connectivity is fine. I have it set statically, but no matter what I do in Directory Services Restore Mode I can't get connectivity back.

Any ideas would really be appreciated! Thanks.

Export few users profile path and home drive from AD

I have 80,000 users in my domain (multi-domain environment). I would like to know on which server the home profile paths of a particular 500 users are configured. Is there any option to export this from AD without much affecting server performance and sites? Also, these users are spread across 10 file servers. I would like to use Microsoft tools / a script.

Actually, I need to filter the user accounts which reside only on a particular server.

What are the possible reasons for this error: "the trust relationship between this workstation and the domain failed"?

What are the possible reasons for this error: "the trust relationship between this workstation and the domain failed"?

open contact closure (dc)

Hi (using Google Translate). I found \\ipnumber\c$ in the Active Directory and I want to close it? How do I do that.

A Colombian taxi driver!


Enterprise Subordinate Certificate Authority Error

Hello,

I'm trying to set up a 2-tier PKI in my lab environment. I've set up my standalone (offline) root CA and installed an enterprise subordinate Certificate Authority.

However, the service won't start on my enterprise CA; I get the following error:

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885612).

I've published the CRL and AIA on a network share on the subordinate enterprise CA, and the locations are referred to in the certificate in the following manner:

CRL: file://\\cert.domain.com/CertEnroll$/ROOT-CA.crl

AIA: file://\\cert.domain.com/CertEnroll$/ROOT-CA_ROOT-CA.crt

cert.domain.com is a DNS-alias for the subordinate enterprise CA, and resolves. Accessing the files above through the Run-command is not an issue. At this point, I'm completely stuck and can't find anything on the internet that would bring me closer to a solution.

Any help is much appreciated.

Thanks.

Adding new DC / DNS Timing Out

We have a Windows Server 2003 DC (ccdc2) and a new Windows 2008 R2 server (cc-server)

I am trying to get the Win 2008 R2 joined up and promoted to a DC so we can retire the 2003 server.

I get all the way through the DCPROMO and start the process, and the DNS fails and times out.

cc-server has ccdc2 set as the primary DNS. When I try and do a NSLOOKUP from cc-server it will timeout. However, when I try and do a NSLOOKUP from my laptop, using DHCP and the SAME DNS server, it works just fine.

To add to the mystery, I can ping ccdc2 from the new cc-server and it will resolve the hostname correctly without any issues. But not internet addresses like Google.

So WTF is going on??

Below is the ipconfig /all from the cc-server

Windows IP Configuration

   Host Name . . . . . . . . . . . . : CC-SERVER
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP Ethernet 1Gb 2-port 330i Adapter
   Physical Address. . . . . . . . . : 44-1E-A1-D3-B1-0C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1833:eb7b:39f2:edec%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.101.250(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.101.1
   DHCPv6 IAID . . . . . . . . . . . : 239345313
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-5A-03-CE-44-1E-A1-D3-B1-0C

   DNS Servers . . . . . . . . . . . : 192.168.1.51
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{14FBB576-9F8B-4F28-9D10-EBCB2E0EDBDB}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Let me know if you want any other logs, but nothing else looks to have any errors.

I've tried the following solutions and no luck:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/f8da7378-db99-4e25-a8f9-c6103dd809d4
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/cf1c0434-3545-4a50-8774-38416e11c417

Help with Setting up an AD DS

I am setting up a AD DS on a machine that also has a DNS, I know not an ideal situation, but it is not a production box.  I get through the setup fine, but when I try to connect to the DS server, it says that it cannot find it.  I did not setup a DNS profile in the setup process.  I did this before and it wouldn't allow me to resolve external DNS requests.  

I tried following this page, but there is a disconnect between technologies: it works on a 2000 server, and I am using a 2012 server.

Thank you in advance.

2008 R2 DC and NT4 clients - compatibility

Hi everyone,

We are running a single forest/single domain with two domain controllers.  Domain functional level is Windows 2000 Native.   Forest functional level is Windows 2000.   The two domain controllers are both Windows 2003.

We would like to add a 2008 R2 DC to the domain.   Adprep /forestprep and adprep /domainprep /gpprep are done already and went fine.

Before we do the dcpromo on the 2008 R2 we would like to be sure about some things....

We are still using a bunch of NT4 workstations.   On these systems people log in to the domain and use mapped network drives to access data on shared folders on our 2003 file server.

If I enable the "Allow cryptography algorithms compatible with Windows NT 4.0" group policy setting of the "Default Domain Controllers Policy", will this be sufficient to:

- allow people to login to the domain from an NT4 workstation ?

- add new NT4 workstation to the domain (add computer account) ?

If I don't enable "allow cryptography algorithms compatible with Windows NT 4.0"

- will people be able to map a network drive to \\SRV2\share1 using an account present in the local SAM of SRV2 (2003 member server) ?

Thanks in advance !

Kind Regards

Stijn

Unable to verify domain trust on one side of the trust (not all DCs can ping) HELP!!

Here's a great one for the experts!!

Main Site LC Domain

LCDC1, LCDC2, LCDC3

Remote Site LC Domain

LCDC4

Newly Purchased Company NA Domain

NADC1, NADC2, NADC3

We have established comms between the LC and NA sites, but the issue is that LCDC1, 2 & 3 are on a subnet we are unable to route to NA.  The only domain controller able to communicate with NA is at the remote site, LCDC4.  DNS (conditional forwarders) is up and working.  Servers in all three locations can talk to each other (apart from LCDC1, 2, 3); DNS resolves to the correct IP, but obviously due to network comms they don't respond.

Therefore I have logged into LCDC4 and established a one way external trust to NA.  Everything worked to a point.  I was able to validate the trust on NADC1 but not on LCDC4.  The error coming back is 'The secure channel (SC) reset on domain controller.  LCDC1 There are currently no logon servers to service this request'.

Looks to me like LCDC1 is trying to validate the trust with NA site.  Can I force trust comms only between LCDC4 and NA site?  I've read a great blog post where someone had something similar but our setup only has LC and NA domains.

One way trust is all that's required.  We just need to provide NA with LC resources.  Currently I can login to an LC domain controller and see NA accounts so I can add to AD groups.  I'm just worried that because LC can't verify something might go wrong in the future.

Please help!
