Active Directory

77K Solutions, 39K Contributors

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


hi all,

TIA

background
Server 2016, DC, only server in the network

Firewalls both local to server and network firewall both have UDP 123 allowed out and in.

I am unable to get the server to change from Local CMOS clock to an NTP server on the internet. Result: all devices are 5 minutes behind real time.

How do I fix this?

Thanks
Gareth

How to export the members of a global security group in active directory such as VPN Users.  When I tried to export the list I got a list of all the global groups and not the members of the VPN users group.
I need a PS script that will read a list (1000+) of user accounts and retrieve any groups that start with "gis", including the output of the username and UPN. I would like the output with the username, UPN and only the group name that starts with "gis".
Hello Experts,
I'm currently planning out my AD CS design where the standalone Root CA will be offline and off the domain, and will have 2 Issuing CAs that will remain online. One of my questions is what is the most cost effective way to create the root CA? Buying a physical server for the root CA is a bit pricey for something that will not be in use for most of the time. Should I create a VM for the root CA or would a desktop PC be a better option? Also, is it recommended to power on the root CA on a monthly basis to verify it is running correctly and to run monthly security patches on it? I appreciate any feedback.
Thanks!
I have a group of admins who didn't need to be Domain Admins. I removed them from the group and delegated permissions as needed. They have Edit settings, Delete, and Modify security permissions on GPOs and can back up a GPO via the GPMC, but they cannot restore the GPO. Does anyone know the rights I need to grant and to what container to allow them to restore GPOs? Thanks.
I am looking to pull all employees' names.

For this I need to create a CSV file that includes two fields: Employee Name and AD user name for all employees.

Any command shell you can recommend?
Looking to set up a "Honey token" or "Trip Wire" in Windows PCs and servers.

I have read that you can use /NetOnly to dump fake username/passwords into Lsass.

How can I do this across the domain silently?
Dear Experts, we have Exchange Server 2016 on Server 2012 R2. Can we use the Exchange Management Shell to forward emails from a user's mailbox to another's?

How can we do it? Many thanks!

For example: user1@ABC.com's inbox has some emails from customer@XYZ.com, and we got a request to forward all emails from customer@XYZ.com in user1's mailbox to Boss@ABC.com.
While auditing Active Directory user accounts, we discovered that outside staff who use either Firefox or Chrome to access our public facing SharePoint 2013 site don’t have accurate LastLogonDate time stamps. Staff who use IE11 or Edge have accurate LastLogonDate time stamps.

After authenticating (Claims/NTLM), all users (IE11, Edge, Firefox, and Chrome) can access SharePoint pages just the same.

Is there a setting within SharePoint (or IIS) that will force Firefox and Chrome to update the AD attribute of LastLogonDate?
Or
Are there SharePoint (or IIS) logs that can be efficiently audited to obtain the same information?
Change Date and Time Format in GPO - Windows Server 2016

Hi Experts,

I have a customer request to change the date format from M/d/yyyy to d/M/yyyy.

I push it through GPO at User Preferences / Regional Settings, but somehow I realize that the GPO didn't replicate over to the other member ADs.

Due to this, I tested in my own test lab; somehow the result is the same, it also can't replicate the date format to the other AD.

Thus, I try to manually change the GPO at the other AD from M/d/yyyy to d/M/yyyy, but when I click OK and open the setting back up, it is back to the default, which is M/d/yyyy.

Any ideas?

The ultimate goal is to change the RDP server due to the application restriction. I had tried to manually change the date format to d/M/yyyy, but for the RDP users who remote in, the date format somehow is still M/d/yyyy...

which is pulling my hair off..

We have three brand new Windows 10 Pro 1803 machines that won't connect to the local domain. We haven't changed anything recently as far as configuration. The DNS on the machines are set to the domain controller ip, we can ping the DC name, we don't have any software installed yet, firewalls are all turned off, and I have run a DCDiag on the server.
The results of the DCDiag were all "Passed".  I have tried entering the short name and the DNS name of the domain.

I did see an article that gave some command lines to use:
First command, from a workstation on the domain:
djoin /provision /domain "YourDomainName" /machine "YourNewMachineName" /savefile YourNewMachineNameblob.txt
Run on the new machine trying to join the domain:
djoin /requestODJ /loadfile YourNewMachineNameblob.txt /windowspath %systemroot% /localos

When we run the command it says the domain is not available or does not exist. Basically it can't see it. For all the basic tests that I know to do, the workstation can see the server, ping the server, see the shares, see the SysVol share but won't join.

Any thoughts?
Need assistance with Azure AD and Windows 10 login/access.  Also some insight into Cached Logons.

We have a group of Windows 10 computers that are offsite 90+% of the time.  These devices get passed from user to user almost every day.  I am trying to find a way for the users to get authenticated by Azure AD if our local domain is not available.  Right now we have the cached credentials so we have some users that use them are able to work on them fine but others are not able to.  Is there a way to setup a Hybrid AD and configure the Windows 10 devices in a way to make this work?  I have Azure AD configured and Azure AD Connect running but do not know how to get the Windows 10 devices to look at Azure if local DC is not available.

I have upped the Cached Logons from 10 to 50 but  I am unable to determine if that is the number of logins to the device or the number of users.  This would possibly fix my solution if it is users because we have less than 50 that use these devices.

Regrettably this has become a pressing matter because the devices are set to go offsite again and trying to find a solution in the next couple of days before they leave.

Any assistance with this is greatly appreciated.  Thank you!
I need to check some registry keys & files across the entire AD domain for these checks:

Output:
If the computer does not have the file or reg then output "%Computer%-NoReg"  | "%Computer%-NoFile" into a "MissingCBDefense.txt"
If the computer does have the both then output "%Computer%" into a "HasCBDefense.txt"
HKEY_LOCAL_MACHINE\SOFTWARE\CbDefense
c:\Program Files\Confer\RepUx.exe

If the computer does not have the file or reg then output "%Computer%" into a "NoSymantec.txt"
If the computer does have the file or reg then output "%Computer%-HasReg"  | "%Computer%-HasFile" into a "HasSymantec.txt"
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe

Note: I do have a lot of computer objects that no longer exist, therefore the script may have to skip those objects that don't really exist or can't be reached.

Thanks in advance.
In group policy, does a WMI filter have any effect on a policy which is enforced?
Case in point – a folder redirection policy with several other items in it, would not work (for some reason) unless enforced.
Once enforced it worked perfectly but we wanted it to work only on machines with a client OS (type=1) so we added the WMI filter.
The syntax of the filter is correct – should it work on that enforced policy?

Many thanks

PS I am aware that there are probably far better ways to achieve what we have done but we cannot implement anything different at the moment. Therefore, the answer I am looking for is really just regarding the effect of a WMI filter on an enforced policy – thank you
Dear,

What can be the reasons for the below error? The Win 2008 server was newly set up. I went to set up one role (for a domain) and then got this. Why?
I need to raise the functional levels of our Domain and Forest to Windows Server 2012

I have 2 Windows 2012 Domain Controllers, DC01 & DC02, running on VMWare  (Both are not R2)

The Domain and Forest Functional Level are currently at Windows Server 2003 (reason unknown)

Questions:
1. What tools should I use to check for problems before the upgrade?
2. I have verified that AD replication is healthy using repadmin /replsummary. Do I need to perform the upgrade on both DCs or does the upgrade replicate?
3. We use Veeam backup. What would be the best practice to reverse the process in case something goes wrong?
4. I have read that this is not a disruptive procedure and can be performed during a workday. Is this true?
Looking to decommission an old Read Only DC. Looks like the server may have been used as an LDAP server. Can someone provide a way to see if there is anything pointing to this RODC for LDAP?
HELP! I lost my domain after I decommissioned my 2008 R2 server. I lost all the roles and I can't even access AD. When I try to use metadata cleanup I get the following:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ntdsutil:metadata cleanup
The filename, directory name, or volume label syntax is incorrect.

C:\Windows\system32>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server kkdc02.local
Binding to kkdc02.local ...
DsBindWithSpnExW error 0x5(Access is denied.)
server connections: set creds kk.local administrator kkcp@$
server connections: connect to server kkdc02.local
Binding to kkdc02.local as kk.local\administrator...
DsBindWithSpnExW error 0x5(Access is denied.)
server connections:

When I try to seize the roles I get:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: kkdc02
Error parsing Input - Invalid Syntax.
server connections: kkdc02.local
Error parsing Input - Invalid Syntax.
server connections: connect to kkdc02.local
Error parsing Input - Invalid Syntax.
server connections: connect to server kkdc02.local
Binding to kkdc02.local ...
DsBindWithSpnExW error 0x5(Access is denied.)
server connections:
We have a windows 2012 R2 AD with DFL 2008. The sysvol is still replicating using FRS.
Can I raise the Windows functional level to 2012 while FRS replicating the sysvol?
What is the prerequisite for raising the DFL to 2012?
I would appreciate your suggestions.

Hi
I wanted to join Windows 7 PCs to the domain and I get this error:
An Active Directory Domain Controller (AD DC) for the domain Domain.Local could not be contacted. Ensure that the domain name is typed correctly. If I click the details I see the below error:

Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "Domain.Local":

The query was for the SRV record for _ldap._tcp.dc._msdcs.Domain.Local

The following domain controllers were identified by the query:
adc-001.domain.local
adc-002.domain.local
adc-003.domain.local

However no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.

Not sure if my colleagues had made any changes on the DNS. Please see the attached dcdiag.txt.
My PC is connected to the same network and subnet, I am able to ping all the three DCS.
When I ping from the workstations that needs connected to domain, I am not able to ping ADC-001 and ADC-002 , but able to ping …
some users are not getting their default printer option.
From the GPO side… Currently all printers are in the ‘Citrix XenDesktop Mapped Drives and Application Shortcuts Policy’
If group policy is configured to assign printers it will, regardless of what the Citrix policy is configured to do. Citrix policies are processed before AD Group Policy; if there is a conflict I would expect AD Group Policy to process its setting based on it running last.

IS IT CORRECT?
hi all,

background.

Main Office
Windows Server 2016, DC, DNS, DHCP.

Branch
Windows Server 2016, DC, DNS, DHCP

Both Servers use Distributed File System

Branch server has been switched off for around 6 months as the team only deploys in the summer.

branch server was switched back on on Friday, VPN from Branch to Main Office is working fine. Connectivity for DNS and file browsing is working.

AD and DFS will not update at Branch.

Namespace error, cannot connect: "\\domain.local\namespace: Delegation information for the namespace cannot be queried. The specified domain either does not exist or cannot be contacted."

In Replication Topology test, the Branch server reports all ok.

When replication is forced from the Main Office server, error: "The member BranchServer could not be contacted to get current schedule status. The error returned was: The DFS Replication WMI connection or synchronization object was not found."

When replication is forced from the Branch server: "The member MainOfficeServer could not be contacted to get current schedule status." The error was "The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)".

any help greatly appreciated

TIA
Gareth
BitLocker - Domain Controller

Is it possible to link this to Active Directory,
so that if a user activates BitLocker, the password appears in AD to ensure access if the user forgets?

Also, how does this work if a user already has BitLocker activated on their device?
And finally, is it possible to have this for a selected group, i.e. there are some users who have other encryption products on their devices whom we don't want to touch?
Hi folks,

I've inherited an environment where the Member Servers and Domain Controllers have AD Security Groups added to Local Administrator Security Group.

These AD Security Groups are nested, up to 4-5 levels, and it is becoming increasingly difficult to determine which users have what level of privileges.

There are various PowerShell scripts out there; I've tried 3-4 of them, but they don't get me the nested reports. And then there are paid tools.

Wanted to check here if someone has something that worked out well!

Thanks, much appreciated.
Dear Experts

In the Windows Active Directory domain controller environment, a Windows client is joined to the domain controller by assigning the IP address and a preferred DNS pointing to the Windows AD server (which functions as the domain controller and also the name server).
Joining the Windows client does not require manually creating the entries in the forward and reverse zones; the moment the Windows client device is joined, the records are automatically created in the DNS server. Now, how do we make Linux servers in the network use the Windows AD server as their DNS server? Should we have to manually create forward zone and reverse zone entries and then configure the Linux server to use the Windows AD server as its DNS server? Please suggest.