AD Replication
Create and update a system variable for the current site
Hello.
Sorry if this is the wrong forum for this, but I need some help with a system variable.
Imagine a user using his laptop in London, hibernating it and taking a plane to Tokyo, then continuing there without a reboot. He just unlocks his laptop as it comes out of hibernation. I need to create and update a system variable depending on which AD site the client is located in. This variable has to update itself automatically depending on where the computer is located, and it can't require a reboot.
I have used GP Preferences to create a system variable named "CurrentSite" and I'm trying to set its value to the current AD site based on the client's IP address, something like the output from "nltest /dsgetsite". But here comes the challenge: I've created a .bat file like this
nltest /dsgetsite>c:\batch\currentsite.txt
set /p CurrentSite=<c:\batch\currentsite.txt
del c:\batch\currentsite.txt
but when I run it the output is this (there's a 1 and a 0 in the middle of the lines now):
C:\Batch>nltest /dsgetsite 1>c:\batch\currentsite.txt
C:\Batch>set /p CurrentSite= 0<c:\batch\currentsite.txt
C:\Batch>del c:\batch\currentsite.txt
Also, I'm not sure how to get rid of the "The command completed successfully" output and whether that would interfere. The funny thing is that this worked earlier, but now it fails every time and I haven't touched the script.
The second challenge is to have this updated automatically. I've tried to set up a scheduled task using Group Policy Preferences which runs this batch file whenever a user logs on or unlocks his workstation, but it looks like the triggers aren't working. Any suggestions?
Also, if anyone knows a better way to solve this, I'd love to hear it.
Thank you all in advance
Regards Per-Torben Sørensen
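For the two problems in this post (capturing the site name without the "The command completed successfully" trailer, and making the value visible machine-wide without a reboot), here is an added PowerShell example; it is not the poster's script. It assumes a domain-joined machine and an elevated context such as a scheduled task running as SYSTEM, because the machine-scope write goes to HKLM; note that `set` inside a .bat only changes that cmd process's own environment, which is why the batch approach never reaches other programs.

```powershell
# Added example (not from the original post): resolve the AD site this machine
# currently sits in and publish it as a machine-wide variable, with no reboot.
# Assumes a domain-joined host running elevated (e.g. a scheduled task as SYSTEM).
# The variable name 'CurrentSite' is the one used in the post.
Add-Type -AssemblyName System.DirectoryServices

function Get-CurrentAdSite {
    try {
        # Same site lookup that nltest /dsgetsite performs, returned as a plain string.
        return [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    } catch {
        # Fallback: parse nltest. Its first line is the site name; the trailing
        # "The command completed successfully" line is filtered out here.
        $lines = @(& nltest /dsgetsite 2>$null |
            Where-Object { $_ -and $_ -notmatch 'completed successfully' })
        if ($LASTEXITCODE -eq 0 -and $lines.Count -gt 0) { return ([string]$lines[0]).Trim() }
        return $null
    }
}

function Update-CurrentSiteVariable {
    param([string]$Name = 'CurrentSite')
    $site = Get-CurrentAdSite
    if (-not $site) {
        # Off the corporate network (hotel Wi-Fi, plane): keep the last known value
        # rather than blanking it.
        Write-Warning 'No domain controller reachable; leaving the variable unchanged.'
        return $false
    }
    if ([Environment]::GetEnvironmentVariable($Name, 'Machine') -eq $site) { return $true }
    # 'Machine' scope writes HKLM\...\Session Manager\Environment and broadcasts
    # WM_SETTINGCHANGE, so newly started processes read the new value immediately.
    [Environment]::SetEnvironmentVariable($Name, $site, 'Machine')
    Write-Host "$Name = $site"
    return $true
}

Update-CurrentSiteVariable
```

Register the script as a scheduled task with both a logon trigger and the "on workstation unlock" session-state trigger, running as SYSTEM, so a laptop that resumes at another site picks up the new value at the next unlock.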
change attribute property of default schema of ADLDS
Is there any impact on performance, search query or any operation?
W2K8 forest domain and sites and services
We have a Win 2K8 network. We have an empty forest root with 2 forest root domain controllers (call them forestdc1 and forestdc2). We have a domain in the forest with 3 domain controllers (call them domaindc1, domaindc2 and domaindc3). Everything is in one office building connected by LAN.
Are you supposed to put the 3 domain controllers (domaindc1, domaindc2 and domaindc3) in the sites and services of the forest root along with the forest root domain controllers (forestdc1 and forestdc2)?
How to Combine Multiple Active Directory forests using ADAM/LDS
The goal here is to configure an application that can speak LDAP, but only to ONE LDAP system. As I have 9 LDAP systems, I'm thinking of "combining" these multiple forests into a single LDAP database.
I have 9 forests (the main forest is Win2008R2 and the other 8 forests are mixed Win2008/Win2008R2).
How can I create a local LDAP "metadirectory" to gather all forests into a single LDAP database?
I need to do something very similar as described in the doc:
"How to Combine Multiple Active Directory LDAP realms for use with Openfire.doc"
(in google: how to combine two active directory LDAP realms)
I tried to follow the procedure, but it relates to Win2003 and I have a 2008 domain.
Is there a way?
Is there a special consideration?
CA Migration
Hello, I am beginning the process of a CA migration on our domain; specifically there are two main questions that I would appreciate any clarifications on:
- What is the procedure to add the root CA to GPO
- Is the root CA in the GPO enough, or do both the root and the subordinate CA need to be in there?
Also if there are any links to documentation, that would be most helpful.
Thanks!
TS
Your account has expired. Please see your system Administrator "Server 2008 R2 Enterprise"
I came across one of the troubleshooting questions in AD preparation exams that says you receive the message "Your account has expired. Please see your system administrator". All I know is that the password is what we can set to never expire or change. As for the account, it can be locked or disabled...!!
I searched and found some similar questions, but for older versions of Windows; I'm running Windows Server 2008 R2 Enterprise, and I can't find any tab in the user properties for the account expiry.
Server 2008 R2 DC DHCP folder incorrect permissions, being applied by Default Domain Controllers Policy
Hi
I have installed the first Server 2008 R2 domain controller in to my forest. All other DCs are running Server 2003, and are a mix of R2 and non-R2.
Everything regarding the dcpromo etc. went OK, but I seem to be having an issue with the DHCP server role that I installed on the Server 2008 R2 DC. There are errors being logged in the event log referring to "Access denied". The other thing it affects is trying to do a backup from within the DHCP console on the 2008 R2 DC. It fails, for the same reason.
Testing, I added the "Network Service" account to the c:\windows\system32\dhcp folder and gave it read/modify rights. I then tested the backup, and it worked. The DHCP server service runs as Network Service, this must be standard as I've not changed it.
After I confirmed the backup had worked, I ran "gpupdate /force". After doing this, the permission had been removed and the backup no longer functioned.
Please can somebody confirm whether there is a step that I may have missed, or if it is a known issue. I notice a group in AD called DHCP Administrators, but even this group doesn't have permission on the folder. Are my domain policies not upgraded for Server 2008 R2 DCs?
Many Thanks
Mark.
adding AD user account to local admin group doesn't work properly
hello
We are running a Win 2008 R2 domain controller with SP1. I have a strange issue with one user account. The strange behaviour happens when I try to add this account to the local Administrators group on any domain member server. When I type the user name in the "Select Users, Computers, Service Accounts, or Groups" box and click the "Check Names" button, I get the "Name not found" window. What I do is click the Locations button and select Entire Directory; then AD can find the user account.
Can anyone explain why this happens?
Systems Specialist
Is it possible to create a trust between domains in forests with the same NetBIOS domain name?
I have two forests:
abc.com forest with a child domain xyz.abc.com and a second forest called abc.net.
abc.com and abc.net have the same NetBIOS name "abc".
The abc.com domain is an empty root domain; all resources and accounts are created in the xyz child domain.
I have to create a trust between xyz.abc.com and abc.net, but it's not possible because xyz already has a TDO (trusted domain object) with the abc name?
The constraint is caused only between root domains.
What's the risk of renaming the NetBIOS name of the root domain of abc.com? In this forest we have Exchange 2010.
What is the impact if we temporarily break the trust between child and parent root?
Is there a workaround to permit mutual access to resources between xyz.abc.com and abc.net without double authentication?
Thanks
Lourh
DNS Query to UDP port 53 to PDC Times out
I am using PortQry to check the port connectivity between my domain controllers located in different sites. All the domain controllers return the DNS query to UDP port 53, whereas only one site's domain controllers, including the PDC, return the query as timed out. I have checked after disabling the Windows firewall as well. The PortQry result also mentions that UDP port 53 (domain service): LISTENING or FILTERED
What can be the problem?
Unable to perform recovery in Directory Services Restore Mode
I'm trying to perform a recovery in Directory Services Restore Mode, but I can't because I can't get access to the backup, which is on a remote shared folder. I have no network access at all, which is causing the problem. The thing is, the moment I switch back to normal operation my connectivity is fine. I have it set statically, but no matter what I do in Directory Services Restore Mode I can't get connectivity back.
Any ideas would really be appreciated! Thanks.
Export few users profile path and home drive from AD
I have 80,000 users in my domain (multi-domain environment). I would like to know on which server the home/profile paths of a particular 500 users are configured. Is there any option to export this from AD without much affecting server performance and sites? Also, these users are spread across 10 file servers. I would like to use Microsoft tools / a script.
Actually, I need to filter user accounts residing only on a particular server.
What are the possible reasons for this error: "the trust relationship between this workstation and the domain failed"?
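For the profile-path export question above, here is an added PowerShell example (not the poster's own script) that answers both forms of it: all users whose home directory or roaming profile lives on one file server, and the same attributes for a fixed list of 500 account names. It assumes the ActiveDirectory module (on a 2008 R2 DC or RSAT), a placeholder server name FS01, and a constructed users.txt with one sAMAccountName per line.

```powershell
# Added example (not from the original post). Finds users whose home directory or
# profile path points at one file server, with the filter evaluated on the domain
# controller so the other ~80,000 accounts are never transferred to the client.
# Assumes the ActiveDirectory module; 'FS01' is a placeholder server name.
Import-Module ActiveDirectory

function Get-UsersOnFileServer {
    param(
        [Parameter(Mandatory=$true)][string]$Server,   # e.g. 'FS01' (placeholder)
        [string]$SearchBase = $null,                   # optional OU to narrow the search
        [string]$DomainController = $null              # optional DC/domain for a multi-domain forest
    )
    # LDAP filter syntax treats '\' as an escape, so every backslash in the UNC
    # prefix \\FS01\ must be written as \5c; '*' is the wildcard for the share/user part.
    $prefix = "\5c\5c$Server\5c"
    $ldap   = "(&(objectCategory=person)(objectClass=user)(|(homeDirectory=$prefix*)(profilePath=$prefix*)))"

    $params = @{
        LDAPFilter     = $ldap
        Properties     = @('homeDirectory', 'homeDrive', 'profilePath')
        ResultPageSize = 500          # paged search keeps the load on the DC steady
    }
    if ($SearchBase)       { $params.SearchBase = $SearchBase }
    if ($DomainController) { $params.Server     = $DomainController }

    Get-ADUser @params |
        Select-Object SamAccountName, homeDrive, homeDirectory, profilePath
}

# A) everyone whose home drive or profile is on FS01, exported for review
Get-UsersOnFileServer -Server 'FS01' |
    Export-Csv -NoTypeInformation -Path .\fs01-users.csv

# B) the same attributes for a fixed list of accounts (constructed users.txt,
#    one sAMAccountName per line): one indexed lookup per user, no wide search.
Get-Content .\users.txt | ForEach-Object {
    Get-ADUser -Identity $_.Trim() -Properties homeDirectory, homeDrive, profilePath
} | Select-Object SamAccountName, homeDrive, homeDirectory, profilePath |
    Export-Csv -NoTypeInformation -Path .\selected-users.csv
```

In a multi-domain environment run the function once per domain with -DomainController set to a DC of that domain, since Get-ADUser searches only the domain it is connected to.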
open contact closure (dc)
A Colombian taxi driver!
Enterprise Subordinate Certificate Authority Error
Hello,
I'm trying to set up a 2-tier PKI in my lab environment. I've set up my standalone (offline) root CA and installed an enterprise subordinate Certificate Authority.
However, the service won't start on my enterprise CA; I get the following error:
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885612).
I've published the CRL and AIA on a network share on the subordinate enterprise CA, and the locations are referred to in the certificate in the following manner:
CRL: file://\\cert.domain.com/CertEnroll$/ROOT-CA.crl
AIA: file://\\cert.domain.com/CertEnroll$/ROOT-CA_ROOT-CA.crt
cert.domain.com is a DNS-alias for the subordinate enterprise CA, and resolves. Accessing the files above through the Run-command is not an issue. At this point, I'm completely stuck and can't find anything on the internet that would bring me closer to a solution.
Any help is much appreciated.
Thanks.
Adding new DC / DNS Timing Out
We have a Windows Server 2003 DC (ccdc2) and a new Windows 2008 R2 server (cc-server)
I am trying to get the Win 2008 R2 joined up and promoted to a DC so we can retire the 2003 server.
I get all the way through the DCPROMO and start the process, and the DNS fails, times out.
cc-server has ccdc2 set as the primary DNS. When I try and do a NSLOOKUP from cc-server it will timeout. However, when I try and do a NSLOOKUP from my laptop, using DHCP and the SAME DNS server, it works just fine.
To add to the mystery, I can ping ccdc2 from the new cc-server and it will resolve the hostname correctly without any issues. But no internet addresses like google.
So WTF is going on??
Below is the ipconfig /all from the cc-server
Windows IP Configuration
Host Name . . . . . . . . . . . . : CC-SERVER
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP Ethernet 1Gb 2-port 330i Adapter
Physical Address. . . . . . . . . : 44-1E-A1-D3-B1-0C
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1833:eb7b:39f2:edec%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.101.250(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.101.1
DHCPv6 IAID . . . . . . . . . . . : 239345313
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-5A-03-CE-44-1E-A1-D3-B1-0C
DNS Servers . . . . . . . . . . . : 192.168.1.51
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{14FBB576-9F8B-4F28-9D10-EBCB2E0EDBDB}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Let me know if you want any other logs, but nothing else looks to have any errors.
I've tried the following solutions and no luck:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/f8da7378-db99-4e25-a8f9-c6103dd809d4
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/cf1c0434-3545-4a50-8774-38416e11c417
Help with Setting up an AD DS
I am setting up an AD DS on a machine that also has a DNS; I know it's not an ideal situation, but it is not a production box. I get through the setup fine, but when I try to connect to the DS server, it says that it cannot find it. I did not set up a DNS profile in the setup process. I did this before and it wouldn't allow me to resolve external DNS requests.
I tried following this page, but there is a disconnect between technologies, it works on a 2000 server, I am using a 2012 server.
Thank you in advance.
2008 R2 DC and NT4 clients - compatibility
Hi everyone,
We are running a single forest/single domain with two domain controllers. Domain functional level is Windows 2000 Native. Forest functional level is Windows 2000. The two domain controllers are both Windows 2003.
We would like to add a 2008 R2 DC to the domain. Adprep /forestprep and adprep /domainprep /gpprep are done already and went fine.
Before we do the dcpromo on the 2008 R2 we would like to be sure about some things....
We are still using a bunch of NT4 workstations. On these systems people log in to the domain and use mapped network drives to access data on shared folders on our 2003 file server.
If I enable the "allow cryptography algorithms compatible with Windows NT 4.0" group policy setting of the "default domain controllers policy", will this be sufficient to:
- allow people to login to the domain from an NT4 workstation ?
- add new NT4 workstation to the domain (add computer account) ?
If I don't enable "allow cryptography algorithms compatible with Windows NT 4.0"
- will people be able to map a network drive to \\SRV2\share1 using an account present in the local SAM of SRV2 (2003 member server) ?
Thanks in advance !
Kind Regards
Stijn
Unable to verify domain trust on one side of the trust (not all DCs can ping) HELP!!
Here's a great one for the experts!!
Main Site LC Domain
LCDC1, LCDC2, LCDC3
Remote Site LC Domain
LCDC4
Newly Purchased Company NA Domain
NADC1, NADC2, NADC3
We have established comms between the LC and NA sites, but the issue is that LCDC1, 2 & 3 are on a subnet we are unable to route to NA. The only domain controller able to communicate with NA is at a remote site, LCDC4. DNS (conditional forwarders) is up and working. Servers in all three locations can talk to each other (apart from LCDC1, 2, 3); DNS resolves to the correct IP, but obviously due to network comms they don't respond.
Therefore I have logged into LCDC4 and established a one way external trust to NA. Everything worked to a point. I was able to validate the trust on NADC1 but not on LCDC4. The error coming back is 'The secure channel (SC) reset on domain controller. LCDC1 There are currently no logon servers to service this request'.
Looks to me like LCDC1 is trying to validate the trust with NA site. Can I force trust comms only between LCDC4 and NA site? I've read a great blog post where someone had something similar but our setup only has LC and NA domains.
One way trust is all that's required. We just need to provide NA with LC resources. Currently I can login to an LC domain controller and see NA accounts so I can add to AD groups. I'm just worried that because LC can't verify something might go wrong in the future.
Please help!