Hi ppl,
I am a newbie and have been creating, exploring and deleting objects in AD via ADUC. Is there a different way without using ADUC to do these operations ?
Anand Kumar D
This posting is provided "AS IS" with no warranties, and confers no rights.
Hello,
I could use a little help with a slight problem. I have 6 Server 2003 domain controllers and sites set up. Five of the sites are using the local controller to process the logon requests. I have one site that when a user logs on, it bounces to any other domain controller except for the local domain controller. This is also the pdc and a gc. I double checked all entries in DNS and all appear to be correct.
Any ideas of diagnostics, logs or other settings that I can check to get this resolved?
Thanks in advance for any input.
Hi ppl,
I see that only administrator users are allowed access to ADUC. And more deeply, I found out from my threads that Backup Operators are also allowed permissions to access ADUC. So, I guess there is a list of users or groups that can have access to ADUC. Where is this list and how is it possible to edit this list ?
Anand Kumar D
This posting is provided "AS IS" with no warranties, and confers no rights.
We are running 2 Windows 2008 R2 DCs in our network (for the sake of this our domain is corp.foobar.com). We then run a query for www.google.com. When we look at our DNS debug logs we see queries for
www.google.com.corp.foobar.com
www.google.com.foobar.com
www.google.com
We see queries to our 2 internal DCs/DNS servers and then the queries go out to the Internet for resolution. I understand why this is happening. What I need help figuring out is how to keep the queries for "www.google.com.corp.foobar.com" and "www.google.com.foobar.com" from ever going out of our network. What I would like to do is set up some type of rules that says anything that goes to "corp.foobar.com" or "foobar.com" only goes to the internal DNS servers (and then never goes to the root hints) and everything else goes to our ISPs DNS servers.
Any help/explanation would be greatly appreciated.
Thanks.
I have a single domain Server 2003 forest with two domain controllers. One of my DCs, which happened to hold all the FSMO roles, died earlier this week. I seized the FMSO roles on the remaining DC and cleaned up metadata referring to the dead DC. Now, I want to promote one of my member servers to be a DC but I'm running into a problem.
Each time I run dcpromo, I get through the wizard questions where it asks for the admin credentials and a password to assign to the directory services restore mode admin account, then it throws up the following error and reboots the server:
"The wizard is unable to determine the status of the Active Directory service on this computer"
I've analyzed the dcpromoui.log and compared it to the same log on remaining good DC (from when it was promoted years ago), and everything looks nearly identical until it gets to this point:
Enter DoubleCheckRoleChangeState
Enter EvaluateRoleChangeState
Enter MyDsRoleGetPrimaryDomainInformation
Enter MyDsRoleGetPrimaryDomainInformationHelper
Calling DsRoleGetPrimaryDomainInformation
lpServer : (null)
InfoLevel : 0x3 (DsRoleOperationState)
HRESULT = 0x800706BA
Exception caught
catch completed
handling exception
On the good DC, the same "DsRoleOperationState" check came up with this result:
Enter DoubleCheckRoleChangeState
Enter EvaluateRoleChangeState
Enter MyDsRoleGetPrimaryDomainInformation
Enter MyDsRoleGetPrimaryDomainInformationHelper
Calling DsRoleGetPrimaryDomainInformation
lpServer : (null)
InfoLevel : 0x3 (DsRoleOperationState)
HRESULT = 0x00000000
OperationState : 0x0
Of course, on the problem server the log ends shortly after that exception, while on the good DC the log shows that it ran through a number of additional checks and successfully promoted the server.
Any suggestions? FWIW, the member server was configured to use the good DC, which is also an AD-Integrated DNS server, as its primary DNS server. I have since configured the server to be a DNS server with a secondary DNS zone and have the server configured to use itself for DNS, but of course dcpromo still fails.
Good morning,
I want to remove a child domain in windows server 2003 in order to raise the forest functional level from windows 2000 native to windows 2003 to create an interforest trust. Using the ntdsutil processhttp://support.microsoft.com/kb/230306/EN-US, i receive this error message :
i tried this solution : http://trinityhome.org/Home/index.php?wpid=121& , i could find neither the server nor computer accounts in this domain. when i put a computer on it, it gives me: "this domain ... doesn't exist "; I tried to recreate a child domain with the same name, an error message told me that this domain is already exist. I verified all computer names in the parent domain even if this domain doesn't exist for us. I permanently receive this error .
Does someone can help me please or give me suggestions? i think that i'll find an answer today on this forum , i'm waiting for.....
Thank you.
How Do I Disable Adaptive Menus in Office at the AD Level?
I know that I can do this in the registry with the following information:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\Toolbars]What I would like to be able to do is to apply it at the AD level, through Computer Configuration OR User Configuration > Preferences > Windows Settings > Registry but the registry key for Microsoft\Office does not exist on the AD server. Thoughts?
Hello, and thanks for your assistance in advance. I have setup a windows 2008R2 server and am trying to implement it into an existing windows 2003 domain. As per my understanding, the first step is to make it an Active Directory domain controller. So I run the dcpromo wizard. That wizard fails with the following - "To install a domain controller into this active directory forest, you must first prepare the forest using adprep /forestprep. So I goto the utility located on the install CD, and run adprep /forestprep as admin. Get the following error: Adprep cannot run on this platform because it is not an active directory domain controller.
So it seems I have circular errors. Again, any suggestions greatly appreciated. I am not an AD expert.
Thanks.
After spending all day reading umpteenth threads on RPC connectivity issues, I'm kind of running out of ideas. It seems like the old DC can make the RPC connection to the new DC, but a variety of things just kick back what essentially equates to "Access Denied". When I attempt to access the network share from the old DC to the new DC, all I get is:
bmusjaxdc01 is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
The network name cannot be found.
I've disabled all the firewalls on the 2012 Server (domain, private and public), but it seems like something (group policy?) on the new DC is preventing specific connections, hence the variety of errors. Any ideas would be appreciated.
Is it possible to use "dcpromo /adv" install from media option of a Windows 2003 Domain Controller on a new Windows 2008 computer? I have the System Backup backup available from the Windows 2003 server.
However, the 2003 domain controller is *DEAD* and I can not verify credentials of that domain.
Is it possible to install a new replica domain controller from the backup media and get the domain back up and functioning?
Many thanks.
We have a remote server running 2008 R2 standard that has been connected to an existing domain running at the 2003 functional level
on doing a DCDiag /test:dns the 2 2003 servers report everything is ok, however the 2008 server reports a problem - it cannot find the domain GUID. a bit of digging reveals it finds the first Domain GUID, which happens to be the correct one according to the other 2 servers. The one its looking for is different and is only reported as missing on the 2008 server.
the report looks like this -
Missing SRV record at DNS server 192.168.21.250:
_ldap._tcp.d952a97b-b6fc-4e87-b88e-7e61026aefc6.domains._msdcs.DOMAIN.local
Error:
Missing SRV record at DNS server 192.168.2.4:
_ldap._tcp.d952a97b-b6fc-4e87-b88e-7e61026aefc6.domains._msdcs.DOMAIN.local
the *.21 network is the home network. the *.2 network is the remote network with the server.
the dcdiag tests on the other 2 servers do not report this. Under the _msdcs.domains object in DNS there is one GUID, and the reported missing one is not it.
So is this a problem? it does not appear to be affecting functionality of the domain, but we do see some strange logs from netlogon sometimes, which is how we found it.
and can it be corrected?
Guys,
Is MaxConcurrentAPI will be the resolution of NETLOGON error found at Domain Contoller - increasing and adding this to Windows Registry domain controller to resolved the issue of Client Authentication Issue?
Any other ideas, suggestions would be a great help...
Thanks and Regards,
Hi ppl,
I would like to create 3 different groups for 3 different operations. The 3 operations are listed below. Please suggest the scope of the 3 groups to be created and the reasons to choose those scopes.
Anand Kumar D
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Hello DS Experts!
I have got one forest with one child domain (forest:xyz.com and child is abc.xyz.com) which has 2003R2.
I have ran adprep32.exe /forestprep and adprep32.exe /Domainprep /Gpprep on xyz.com.
So now question is - do i still needs to run the adprep32.exe /Domainprep /Gpprep on abc.xyz.com ?
While running what permission do i needed to run the (adprep32.exe /Domainprep /Gpprep) on abc.xyz.com, because I have one account in root domain using which i have ran forestprep and domainprep in the Root Doamin, but when i ran it in Child domain - it
says you need to be part of Domain Admin of abc.Xyz.com,
When i try my Account (which is part of SchemaAdmin,DomainAdmin, EnterpriseAdmin for the root domain) making a member of Child Domain Domain Admin, it wont allow me.
Any Help would be appriciated
Thnaks,
Kumar
Know more about Messaging :-)
Hi All, looking for a little help here...
Here is the scenario. My (new) client has ONLY 1 domain controller (Windows Server 2003 which I will call SERVER1). I recently installed a new 2008 R2 server and made it a replica domain controller. Everything went well until I realised that there was no SYSVOL share on the new server. I checked FRS event logs on SERVER1 and noticed that event ID errors 13552 & 13555 have been occuring since December 2010.
I've been reading about changing burflags to do a nonauthorative restore from a replica DC however in this case there is only 1 DC. Can someone advise how I go about fixing this?
------------------------------------------------------------------------------
Event Type: Error
Event Source: NtFrs
Event Category: None
Event ID: 13552
Date: 21/06/2011
Time: 2:15:57 PM
User: N/A
Computer: SERVER1
Description:
The File Replication Service is unable to add this computer to the following replica set:
"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
This could be caused by a number of problems such as:
-- an invalid root path,
-- a missing directory,
-- a missing disk volume,
-- a file system on the volume that does not support NTFS 5.0
The information below may help to resolve the problem:
Computer DNS name is "server1.mydomain.local"
Replica set member name is "SERVER1"
Replica set root path is "c:\windows\sysvol\domain"
Replica staging directory path is "c:\windows\sysvol\staging\domain"
Replica working directory path is "c:\windows\ntfrs\jet"
Windows error status code is
FRS error status code is FrsErrorMismatchedJournalId
------------------------------------------------------------------------------
Event Type: Error
Event Source: NtFrs
Event Category: None
Event ID: 13555
Date: 21/06/2011
Time: 2:15:57 PM
User: N/A
Computer: SERVER1
Description:
The File Replication Service is in an error state. Files will not replicate to or from one or all of the replica sets on this computer until the following recovery steps are performed:
------------------------------------------------------------------------------
Dear All,
we implemented GPO for Account lockout policy in our domain with the below setting.
Setting details.
Account lockout threshold : 3 invalid logon attempts
Account lockout duration: 0
Reset account lockout after : 5 mints
We have 70 users with 5 Group, but some users account are getting lockout with out attempts
Event Log details.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/27/2012 10:15:03 AM
Event ID: 4625
Task Category: Account Lockout
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XXXXXXXXXXXXXXXX
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: XXXXXXX
Account Domain:
Failure Information:
Failure Reason: Account locked out.
Status: 0xc0000234
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: XXXXXXXXXXXX
Source Network Address: XXXXXXXXXXXX
Source Port: XXXXXX
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-07-27T09:15:03.151737000Z" />
<EventRecordID>3211925</EventRecordID>
<Correlation />
<Execution ProcessID="480" ThreadID="5160" />
<Channel>Security</Channel>
<Computer>XXXXXXXXXXXX</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">XXXXXXX</Data>
<Data Name="TargetDomainName">
</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">XXXXX_XXXXX</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">XX.XXXX.XXXX</Data>
<Data Name="IpPort">57779</Data>
</EventData>
</Event>
i want to know where is the error , why its getting lockout for some users ?
Thanks,
Srinivasan.B