Channel: Directory Services Forum
Viewing all 2536 articles

Server for NIS SunRPC Port

I would like to know how I can restrict the possible range of ports that Server for NIS (nissvc.dll) uses.  Every time it starts up it starts under a different port in a range somewhere around 550-1000 or so.  I believe clients find out what port it is on by querying the SunRPC server on port 111 first to find out where it is and then query it for NIS services.  Since I have deployed host-based firewalls, it would be great if I could control what port nssvc comes up on so I could configure a firewall rule for it.  Further, it would be great if I could find out what other IDMU services might use dynamic ports through SunRPC so I could also set up rules for them.  Anyone have any references for me?

Thanks in advance.


is it safe to disable snmp service in domain controller?

Is there any service or network equipment that is dependent on SNMP on the domain controller?

For example, 802.1X authentication or WLC authentication?

Currently SNMP is not being used for monitoring the domain controller and needs to be disabled.

error while importing users via ldifde command

Hello,

my ldif file pattern is below. 

DN: CN=SERHAT AKTAS,OU=tamfree,OU=beyazyaka,OU=brs_user,DC=BRISANET,DC=brisa,DC=com,DC=tr
changetype: add
accountExpires: 9223372036854775807
c: TR
cn: SERHAT AKTAS
co:: VMO8cmtpeWU=
codePage: 0
company: BRISA
countryCode: 792
department: Bilgi Sistemleri
displayName: SERHAT AKTAS
distinguishedName: 
 CN=SERHAT AKTAS,OU=tamfree,OU=beyazyaka,OU=brs_user,DC=BRISANET,DC=brisa,DC=co
 m,DC=tr
dSCorePropagationData: 20130114110424.0Z
dSCorePropagationData: 20130114102855.0Z
dSCorePropagationData: 20130114102229.0Z
dSCorePropagationData: 20121220092627.0Z
dSCorePropagationData: 16010101181633.0Z

I receive the below error:

Add error on entry starting on line 1: No Such Attribute

The server side error is: 0x57 The parameter is incorrect.

The extended server error is:

00000057: LdapErr: DSID-0C090C3E, comment: Error in attribute conversion operation, data 0, v1db1

0 entries modified successfully.

An error has occurred in the program

the command that I use for exporting : 

ldifde -m -f PROD_tamfree.ldf -s localhost:389 -d "OU=tamfree,OU=beyazyaka,OU=brs_user,DC=BRISANET,DC=brisa,DC=com,DC=tr" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))"

the command that I use for importing : 

ldifde -i -f "PROD_tamfree.ldf" -s localhost:389

Note: the source server and the target server are not the same. I'm trying to import the users into a different domain (test domain).

What can be the reason for my issue?

What should be the scope of the group ?

Hi ppl,

I would like to create 3 different groups for 3 different operations. The 3 operations are listed below. Please suggest the scope of the 3 groups to be created and the reasons to choose those scopes.

  • Give privilege to access a network share folder to set of users within the domain
  • Give privilege to access same network share folder to child domain users
  • Give privilege to access same network share folder to cross forest domain users

Anand Kumar D

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

repadmin /bridgeheads shows many sites without a bridgehead server

Not sure if I should be worried about this, but when I run repadmin /bridgeheads it shows only about half of our 80 some odd sites have a bridgehead server. Or maybe I'm reading the output wrong?

I am doing this to check: repadmin /bridgeheads | Select-String "Bridgeheads for site"

I only get 41 lines back out of about 80 sites

We do not have any preferred bridgehead servers set. Does this warrant concern or am I just missing something?

AD Test Environment - how to refresh AD from Production Environment

We want to be able to refresh the active directory on our test environment as it is about 1 year old.

How can we restore the AD from our production environment over to test?

Our production environment is running on physical Windows 2008 servers.

The test environment is running on 2 virtual Windows 2008 servers.

thanks

Question about UPN property format

Very simple question:

In AD, is the "User Principal Name" property always in the format [SAMAccountName]@[Domain] or can this be altered by a Domain or Enterprise Administrator?

Password policy is active but .......

Hi

In our company domain, we have implemented a password policy for a particular group. In the password policy, the "password should not expire" setting is set. We found the same policy is effective for the users in that group, but when we check through the command prompt by executing netuser /dom abc, where in this instance abc is the username, the command prompt lists that the password expires on some date.

When we check the user account abc on the DC, the "password never expires" tab in the properties of the particular user account is not greyed out.

We are sure that this group has the particular password policy implemented, and found it working too. But why does the command prompt list that the password expires?

Please help me in getting the facts.

Regards

S.Swaminathan


Thanks & Regards S.Swaminathan Live & let others live!!!


Steps to Add an Attribute to the RODC Filtered Attribute Set

Hello,

This article

http://technet.microsoft.com/en-us/library/cc772331(WS.10).aspx

discusses modification of the searchFlags value of the attribute that you want to add to the RODC filtered attribute set.
The article says that setting the 10th bit and the 7th bit is what is required.

Can someone confirm that these bits (and the associated values mentioned in the article) are correct?

Thanks.

 

Accounts getting locked out before number of failed attempts

Hello all

Our Domain policy for account lockouts is set to the below settings. Our AD environment is running at 2003 native for the DFL and FFL. AD is spread across two separate physical sites; each AD site has 2 local DC\GC. All DCs are running 2008 R2 SP1. What we are noticing is a user will get locked out after only 1 or 2 bad password attempts. I also noticed that the DCs that are locking the accounts out are located in a remote AD site from the client's workstation. The DCs that are showing the accounts being locked out are running all the FSMO roles. What could be causing this to happen?

Policy: Setting
Account lockout duration: 15 minutes
Account lockout threshold: 5 invalid logon attempts
Reset account lockout counter after: 15 minutes

Bulls on Parade

What is the expected behavior for replication connections options 0x40 vs 0x41?

I have read a lot about repairing replication connections with ADSI Edit and Sites and Services, many of which mention creating connections with option 64(0x40) and 65(0x41) for a RODC connection. Scouring the net I have had trouble deciphering the difference and finding out what specifically occurs with each option. I understand that option 64(0x40) is RODC_TOPOLOGY and would be correct for a Read Only DC, but what about 64(0x41)?

Does anyone know the difference between the 2 options and what is the expected behavior for each?

Thanks in advance!

Windows 2008 R2 Hyper-V Server uses "Local CMOS Clock" instead of domain time - no local Site-DC available!

We have a few sites, but on the very small sites we don't have our own DC.

On most other sites, we have a DC and the Hyper-V Server is syncing its clock with the virtual DC running on itself (VMICTime disabled), and the DC correctly syncs its time with the PDC running on the main site.

There are however 3 smaller sites where we haven't seen an urge to install a local site DC. So these Hyper-V Servers only contain standard domain member servers.

The Hyper-V itself is also a domain member.

----

---

Problem: 

The Hyper-V Server only uses (visible with   w32tm /query /status)  the "Local CMOS Clock" or "Free-running System Clock"

There is only ONE WAY to get him sync with the DC  which is in a different subnet and that is with  

#  net stop w32time

#  net time \\servername /set /y

#  net start w32time

With that the Clock is  "in Sync" with the PDC, but    "w32tm /query /status"  still gives "Local CMOS Clock"

Of course, after a few minutes, the clock is out of sync again because it doesn't keep syncing.

-

-

I tried:

Enter Registry Keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Parameters

-> NTPServer (pdc.domain.local)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\VMICTimeProvider

-> Enable (0)

w32tm /config /computer:pdc.domain.local  /syncfromflags:DOMHIER

w32tm /resync 

Gives Error: "No timedata available"  which is understandable because "w32tm /query /status"  shows it's still using the Local CMOS Clock/Free-running System Clock.

w32tm /stripchart /computer:zwiendc /samples:1000 /dataonly

Shows me the correct, actual difference between the HyperV and the PDC (so the NTP  connection IS working, nothing blocked by any Firewall)

I am a little out of ideas here.



Creating a failover cluster: "cannot reach a writable domain controller" Why?

Hi I am creating a failover cluster and in the test all things passed just this fails:

Validate active directory configuration

Node(s) xxx.y.z cannot reach a writable
domain controller. Please check connectivity of these nodes to the domain
controllers.

I don't know what is exactly going on, first  I just performed the tests!

What to do?

Thanks in advance

GPO MSI deployment nightmare

I had an old GPO that was deploying Java 7 update 9 at a few clients. There was NO check in the "Uninstall when it falls out of the scope..." for the original GPO.

Recently, I created a new GPO pushing the new Java 7 update 11. I just deleted the old GPO but now I'm having problems with the new Java version (getting installation failed). Any ideas why the new Java won't install (even when run directly from the MSI - no GPO involved)?

The new GPO is firing, BTW, it's just not installing. Also the old version seems to be corrupted now...[sigh]

Migration issue from SBS 2011 to Server 2012

I have migrated from SBS 2011 to Server 2012, assumed all FSMO roles and most things seem to be working.

My problem is when I create new users they go to the wrong OU by default.

How can I change this? The new OU has the new group policies and permissions I want to use...


David Sheetz MCP


Domain Controllers not creating crash dump files

Hi Everyone,

We are running Windows 2008 R2 domain controllers with the forest level also at Windows 2008 R2. We have 70+ domain controllers. Most of them are virtual, running on VMware. Only the main data centers having Exchange have physical domain controllers. This infrastructure is an upgraded one from Windows 2003.

For the last 2 months many virtual domain controllers have been facing unexpected reboots. There is no fixed DC or a pattern. We have configured kernel crash dump files to be generated, but the crash dump files are not getting generated on any one of them.

The virtual Domain controllers have 2.5 GB RAM and Page file also as 2.5 GB. Even if I increase the Page file size issue is the same.

I used Notmyfault.exe tool from SysInternals to check whether a manual trigger generates a dump file. To my surprise the dump file was created successfully. I even tried different option in NotMyFault like IRP, Deadlock etc and in all occasions the dump file generated successfully.

We need to find the reason why our domain controllers are getting rebooted. Any help is much appreciated.

Regards,
ABHI


UDP 389 LDAP did not respond ???

Hi All,

I have three Windows 2008 domain controllers. Using portqry to test LDAP connectivity, it responds to TCP but not UDP. The test is run on the domain controller, with no firewall. I restarted AD DS and retested UDP 389, and the error is the same.

Test returns the results are as follows:

 Starting portqry.exe -n computerIP -e 389 -p UDP ...

Querying target system called:

computerIP

Attempting to resolve IP address to a name...

IP address resolved to computerIP

querying...

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port

Sending LDAP query to UDP port 389...

LDAP query to port 389 failed

Server did not respond to LDAP query

portqry.exe -n computerIP -e 389 -p UDP exits with return code 0x00000001.


isoft

Migrating Server 2008 Domain Controllers to Server 2012

Please provide us with steps to migrate a Server 2008 domain controller to Server 2012.

Scenario:

I have a domain in Server 2008 and another domain in Server 2012. I want all the objects to migrate to the Server 2012 domain. Please provide us the steps for the same.

Can a normal user be able to create a group in AD ?

Hi ppl,

I would like to know if a normal user, say "test" with no administrative privileges, can create a group in active directory. 

If so, why is he allowed to create a group though he doesn't have admin privileges?

Anand Kumar D

This posting is provided "AS IS" with no warranties, and confers no rights.

Unlock sign in account

Hello.

I would like to know if I can simply go into my account without providing a password.  Is this possible?
