Channel: Directory Services Forum

Backward Compatibility of Domain Functional Level 2008 R2?

All of our domain controllers are Server 2008, but the domain functional level is 2003.

We would like to upgrade all the domain controllers to 2008 R2 and also upgrade the domain functional level to 2008 R2.

We see no reason why we would ever add any new domain controllers in the future that are not 2008 R2, so that is not a reason to not upgrade.  

However, if it causes problems with any of the company's line of business apps (some of which are very old, from before 2003), we might have to revert back to the 2003 domain functional level.

If the issue was not noticed immediately, it would be a big mess to attempt to restore AD from backup.

Are there any kind of features/configuration/schema that any kind of application could be relying on the AD being at an older domain functional level?

Is there any way to test for this in advance of changing the domain functional level?


How to create two domains with two servers in one physical network with Windows Server 2008 Standard

I have two new HP servers and 20 clients, all connected to a 24-port gigabit switch. I have already configured one of the servers with the domain name user1. Now I want to configure the second server with a different domain name, user2. Someone told me that I can only configure the second server to become a child domain under the same forest. My intention is to configure the second server to be a NEW DOMAIN THAT does not have any connection WITH THE FIRST SERVER. Can someone advise how to do it?

Group Membership calculation ? slow

We have Citrix servers where we publish an application that we grant users access to, and they can launch and run it.

If, instead of granting access to users individually, we grant access to groups or nested groups a user is a member of, the users do not get access immediately.

I am not even sure when a user who is a member of the group or nested group will get access to the application (I never wait to find that out).

So whenever a user says they are a member of the group but can't access the application, I add them individually in the application as a user and they can work.

How long does it take an application that is published through Citrix for a user to calculate the group membership?

What does it depend on? Can I force it to calculate quickly so that I don't have to add users individually?

Query on System.DirectoryServices.ActiveDirectory Csharp

Hi,

I am using the Domain object in the System.DirectoryServices.ActiveDirectory namespace. Whenever I query domain details using Domain.GetCurrentDomain or Domain.GetDomain, it establishes a connection with a domain controller. This connection can be seen with the "netstat -ano|findstr 389" command.

Code:

Domain dom = Domain.GetCurrentDomain();

My question is: how do I close the connection? The only way I can close the connection is to dispose the Domain object. Since I have cached the Domain object in my code, I don't want to dispose it. The problem it raises is that the 'ESTABLISHED' state remains for some time and later changes to 'CLOSE_WAIT'.

netstat -ano | findstr 389
  TCP    10.241.93.168:51291    154.1.124.156:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:51297    154.1.124.154:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:51302    154.1.124.158:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:51320    154.1.124.155:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:51323    154.1.124.153:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:51332    154.1.124.157:389      CLOSE_WAIT      8028
  TCP    10.241.93.168:53399    148.86.153.162:389     CLOSE_WAIT      8028
  TCP    10.241.93.168:53436    139.172.150.15:389     CLOSE_WAIT      8028

For security reasons I need to eliminate this stale connection. Do let me know if you have any suggestions.

Thanks, Santhosh

DNS Authenticating Issue

I had a Windows Server 2003 SP1 Domain Controller on our domain and it was listed on many member servers as the primary DNS server. These same servers also had one of our other domain controllers listed as the secondary DNS server that is a Windows Server 2008 R2 SP1 domain controller.

I removed the Windows Server 2003 domain controller and replaced it with the Windows 2008 R2 domain controller. The issue that I had is that when the 2003 server was decommissioned a few of the other member servers never started using the secondary DNS server for resolution (the majority of them did). I had to go to those servers and change the primary DNS server entry to another DNS server to resolve this issue until I had the new Windows Server 2008 domain controller up and running.

My question is this. Why did these servers never attempt to use the secondary DNS server?

Any help with this would be greatly appreciated.


Leonard Hoffman

ADModify.net tool. Where can I find it?

Hello,
I want to make bulk changes to users in AD through the ADModify.net tool, but I can't find this tool anywhere!
Can someone point me in the right direction on where to download this tool?

Thanks

Domain Rename: Cleaning Up After

I have just completed a domain rename operation on a Windows Server 2003 R2 domain that apparently came down smoothly, without errors and with everything working at the end. Quick background: This domain has two DCs and a bunch of XP SP3 client members. Nothing else. No other server members (other than the Control Station server that I created and added to the domain for the purpose of running rendom). No Exchange, no Internet (i.e., no visibility to anything outside the domain). Simple. After renaming the domain, I renamed the two servers, and also changed the IP addresses of every system (including all members) in the domain. Everything (DFS, AD, Group Policies, everything) works. Apparently. As far as I can tell... so far.

But I am bothered by the DNS structure and my clients (Windows XP members) are bothered by their default directory name. In DNS, I see entries for both the old domain name and the new domain name, and even though I set the new domain name to be primary via netdom, the old domain name records "appear to me" to be "in control".

Under Forward Lookup Zone for .(root) -> local, I have a folder for 'old_domain_name' that contains two Host(A) records, one for each DC -and- I have a folder for 'new_domain_name' that contains a Name Server (NS) record pointing back to 'computername.old_domain_name.local'. So this looks to me like 'new_domain_name' is just an alias or a pseudonym for old_domain_name. I sort of expected that after completing this procedure and cleaning up everything, old_domain_name would no longer appear in DNS. The way things look to me suggests that if I did (and if I could) delete or remove DNS entries referencing old_domain_name, everything would break (because new_domain_name depends on old_domain_name for its definition). Apparently.

But wait. Maybe not. Moving on down the tree, I have Forward Lookup Zone entries for old_domain_name.local and new_domain_name.local and _msdcs.old_domain_name.local and _msdcs.new_domain_name.local, and the entries associated with new_domain_name appear to be fully-populated, while the old_domain_name entries are not. But there are still entries scattered throughout the tree that refer to old_domain_name.

So my question here is: Is this a problem, and would everything break if I tried to delete all the DNS records that are defined in terms of old_domain_name?

It might help here for me to add -- in case you were wondering why we changed everything, including the IP addresses of every system in the domain -- all of this operation is in preparation for a new domain, currently bearing the same names and IP addresses and structure as old_domain_name ... to join the forest.  In other words, we have two identically configured domains, each standing alone with no knowledge of each other or anything else in the world ... and we need to join them together as two DIFFERENT domains in the SAME FOREST. So ONE of the domains has to change its name, the names of its DCs, and all of its IP addresses. And my domain is the lucky one that gets to change.

So... it is my assumption that in MY domain, I need to get rid of all remnants and vestiges of old_domain_name, as well as its computernames and IP addresses. Before we join our two extant domains at the hip in a common forest. So on this basis, I think the remnants of old_domain_name in my current domain could be a problem. Down the road and around the next corner.

The other name problem -- and this is (I think) a completely separate problem and a problem in name only -- is that my Windows XP client members, all of which are well-aware of the new domain name, still associate with each computer user a default directory of the form

C:\Documents and Settings\<username>.old_domain_name

Is there a way to change this to C:\Documents and Settings\<username>.new_domain_name ??  Maybe just rename the directory and watch everything break? I think that this is just a name issue, not a functionality issue, but my users are picky. I'm less worried about this than about the remnants of old_domain_name in my DNS.

Any suggestions about either of these "clean up" issues will be greatly appreciated !!


Chris

When we restart the primary DC we can't make RDP connections to any machine/server in the organization

Greetings!

We have two domain controllers (windows 2008 r2 servers).

* Primary DC (global catalog)

* Secondary DC (FSMO holder)

When we restart the primary DC, during the restart we are unable to make any RDP connections inside the domain.

The secondary DC is also a DNS server. Replication should be working (since the last check). We are trying to find out the reason why RDP to other machines through hostname or IP is not working while the primary DC is being restarted.

Domain Functional level: 2003

Forest Functional level: 2003

When we run: dcdiag /test:DNS on both servers we receive this error:

TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone company.local

Any hints would be more than appreciated.

With best regards,


bostjanc



Folder permissions Issue

Hi,

I have an application in which I want to access a folder in a Windows 7 and VS2010 development environment. Based on the input command (e.g. dir, ls, etc.) the folder is accessed. If the user is denied access then it should not allow it even if the user is "Administrator". In my existing application I am firing the command through the system() function, which behaves correctly. However, for the new modification I don't want to use the system() function, so as a replacement I am using FindFirstFile(), FindNextFile(), _stat64(). I want that, if the administrator is denied access to a particular folder on the same machine, then it should not access the folder. FindFirstFile(), FindNextFile(), _stat64() are leading to the wrong behavior.

Please let me know whether this can be achieved for the "Administrator" user.

Thanks in advance..!!

Active Directory Sizing tool for Windows 2008 R2

Hi,

 

Do we have any Active Directory tool for Windows 2008/R2? I am in the process of designing an AD for a large group and wanted help in sizing the infra. It will be great if we have anything like the Exchange sizing tool for designing and sizing of Windows 2008 R2 Active Directory also...

Pls help...

Thanks for your revert...


Regards Mahesh

Active Directory users can access with the old password !!!!

Hello all,

We have many applications and third-party products integrated with Active Directory, but I face the following issue with all applications, and also with Exchange 2010 SP2.

When I reset the password for a particular user, he can access his account with the old password for a period of time. That happens only with integrated applications, but domain logon works fine. Is that normal behavior, and can we handle it? Thanks all.



Set a time server in the domain

Dears,

How do I set the time server in my domain? Currently I have two domain controllers with a 5-minute difference between them.

Thanks

Is there a Delegation assistant through ADAC ?

Hi,

simple question.

Is there a delegation assistant through ADAC or do I still have to use the ADUC console even on my Windows 2012 box ?

Thank you

The user is a part of the following security groups - ERROR: An unexpected error occurred.

Hi,

I'm trying to troubleshoot my GPO.

When using GPRESULT /R on a Windows 8 client machine, COMPUTER SETTINGS are not displayed, only the USER SETTINGS, and I am getting an error:

   The user is a part of the following security groups
   ---------------------------------------------------
       ERROR: An unexpected error occurred.

What could be causing this?


Active Directory User/Group Sync !

Hello,

We have a Windows 2008 R2 domain and various servers like SharePoint, TFS and TMG in the existing domain.

But when I add a user to an existing project group in AD, it shows that the user exists, but when I check the same project group in the TFS project, it doesn't.

The time it takes to synchronize is too long, almost 45 minutes to 1 hour.

All our servers are virtual machines hosted on only 2 hypervisors, which have a network card of 1 Gb each. The synchronization time is too long.

Can anyone suggest a solution for this, please?


Taskpad view for managing AD users on Windows 7 or Windows 8 ?

Hi,

Is it still possible to configure delegation on a Windows 7 or Windows 8 computer to manage AD users?

For example if I want to delegate control on a specific OU and I want to create a specific MMC (with specific Taskpad view) for that, Can I still do that on Windows 7 /8 ?

I was able to create a custom view MMC on Win 7/8 but didn't find any way to create a custom Taskpad view for them.

If it is not possible, is there any other solution ?

Thanks

LDIFDE error

Hi

I am trying to import users from newusers.ldf with LDIFDE. Here are the file contents, but I am getting an error. Is there anyone who can help? Thanks in advance. Here is the LDF file:

 DN: cn=April Stewart,OU=People,DC=Contoso,DC=com
ChangeType: add
CN: April Stewart
objectClass: user
sAMAccountName: april.stewart
userPrincipleName: april.stewart@contoso.com
givenName: April
sn: Stewart
displayName: Stewart, April
mail: april.stewart@contoso.com
description: salesRepresentative in the USA
title: Sales representative
Department: Sales
company: Contoso, Ltd.


DN: CN=Tony Krignen,OU=People,DC=Contoso,DC=com
changeType: add
CN:Tony Krignen
objectClass: user
sAMAccountName: tony.Krignen
userPrincipleName: tony.Krignen@contoso.com
givenName: tony
sn: Krignen
displayName: Krignen, tony
mail: tony.krignen@contoso.com
description: salesRepresentative in the USA
title: Sales representative
Department: Sales
company: Contoso, Ltd.

This is the error I am getting. As far as I know I am following the MS Press book's instructions and there is no typo; it is the same as the book says.



C:\Users\Administrator\Documents>ldifde -i -f Newusers.ldf -k
Connecting to "SERVER01.CONTOSO.COM"
Logging in as current user using SSPI
Importing directory from file "Newusers.ldf"
Loading entries.
Add error on entry starting on line 1: No Such Attribute
The server side error is: 0x57 The parameter is incorrect.
The extended server error is:
00000057: LdapErr: DSID-0C090C26, comment: Error in attribute conversion operati
on, data 0, v1771
0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

C:\Users\Administrator\Documents>

AD LDS in DMZ

I set up a stand alone AD LDS server in DMZ, and was able to configure it to adamsync to our internal AD manually. The way I sync is to run adamsync as a local administrator, while in the configuration XML file I added internal AD user (see below). 

<source-ad-account>adldsuser</source-ad-account>
<account-domain>domain.us</account-domain>

When I run adamsync, I use /passprompt to enter the domain\adldsuser password on the command line. The problem is obvious: I have to remember to log in and manually sync it every couple of days. I am desperate to know how to schedule it so that it can sync automatically. I tried searching online but can't find any solution to it.

In the practical world, how do you guys configure AD LDS in a DMZ? And how do you accomplish syncing automatically?

Thanks

Byron

Set a default profile path and group membership based on which OU a user is put in

Hey all,

I have a very simple PS script that imports users via .csv to a generic import OU. From there I need to move them into 1 of 3 main OUs. Depending on which OU they are put in, they need to have a profile path set and a group membership added. My question is: can I do this in AD or maybe a GPO, or will I have to make another script to do this? I'm trying to keep this simple. Any thoughts are much appreciated :)

2008 R2 EE Enterprise Root CA

Dears

I have a new installation of Windows 2008 R2 EE, with an Enterprise Root CA.
Based on this link http://technet.microsoft.com/en-us/library/hh467900.aspx I have created an OperationsManagerCert template; the version number is 100.2.
I cannot sign the request through /certsrv since it does not show versions higher than V2

How to sign my client request in this case?

Thanks
