
Active Directory

77K Solutions, 39K Contributors

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


Hi,

I have a 2008 domain controller and a member 2008 server.

When trying to promote the member 2008 server via DCPROMO, it gets to the point of examining the Active Directory forest and then shows a message: "You will not be able to install a writable replica domain controller because the RID master oldservername is offline. Do you want to continue?" (The oldservername no longer exists on the LAN.)
It then examines the DNS configuration and comes back with:
"You cannot install a read-only domain controller at this time. You must first run "adprep /rodcprep" from a command window on any computer in this forest. The Adprep utility is available on the Windows Server 2008 R2 installation media in the \support\adprep folder."

Clicking Next reveals "You cannot install an additional domain controller at this time because the RID master oldservername is offline."

What is the safest way, please, to remove the ghost old server from the domain?

thank you
0

Is there any method to get a list of AD users who are using weak passwords in a Windows 2012 R2 domain?
0
I’m seeing a small but strange issue in an environment that has Okta, on prem AD, Azure AD and O365.  

There are users in Azure/O365 with usernames using the federated domain.com, however I do not see them in on prem AD. They are classified as “in-cloud”.
So how come if I try and create another user in Azure or O365, I cannot specify the same domain.com in its username since I get an error that the domain is federated?
0
I need an expert's opinion on installing anti-virus on domain controllers. Would you recommend installing antivirus on DCs, and if so, do we have to exclude any folders?
I took over the AD admin role and noticed that user logons take a while. The network has all new DCs with plenty of memory. I saw the GP part loading for a long time.
Can that be due to antivirus, and do some folders need to be excluded?
0
My Tomcat web application logs are telling me the user1 isn't in the specified mapped LDAP role/group coming from AD. I believe my issues lie with the JNDI Realm definition. Can someone review it please and see where I may be going wrong, I've included the DN information from AD as well:

My user1 account DN is

DistinguishedName : CN=user1,OU=Users,OU=Lab,DC=example,DC=com



The role/group Users I have specified in the web.xml config is

DistinguishedName : CN=Users,CN=Builtin,DC=example,DC=com



My Realm configuration is

<Realm
   className="org.apache.catalina.realm.JNDIRealm"
   debug="99"
   connectionURL="ldap://example.com:389"
   authentication="simple"
   referrals="follow"
   connectionName="cn=administrator,cn=users,dc=example,dc=com"
   connectionPassword="##########"
   userSearch="(sAMAccountName={0})"
   userBase="cn=users,dc=example,dc=com"
   userSubtree="true"
   userRoleName="memberOf"
   roleSearch="(member={0})"
   roleName="cn"
   roleSubtree="true"
   roleBase="cn=users,cn=builtin,dc=example,dc=com"/>


0
I have a distribution group called Sales and another distribution group called Marketing.

Under the Sales mail universal distribution group we have sales@domain.com.
Under the Marketing universal distribution group we have marketing@domain.com and marketing1@domain.com.

Can we add both of the Marketing email addresses under the Sales distribution group?

I don't want to remove the Marketing email addresses from the Marketing group.

We have on-premises AD synced through AAD Sync to Office 365, as these distribution groups are in the Office 365 portal.

I tried to add them in Office 365 directly, but it threw an error saying these email addresses already exist.
0
Looking for some input from those of you who have demoted 2008 R2 DC servers (also DNS, GC, WINS) from AD and promoted 2016 (though 2012 R2 might also be okay) DCs (also DNS, GC, WINS) into AD. I will be running all the dcdiag, repadmin, etc. diagnostic utilities to verify everything worked, but I was wondering if anyone has any good Event Log IDs that I ought to look for on any/all of the steps to accomplish the task noted above, so Event IDs that either show common errors or those that indicate success. As always, appreciated in advance. Cheers :-)
0
I'm using manage-bde.exe to allow some power users to encrypt their USB sticks.
I have a DC (Windows Server 2012 R2) with 100 Windows 10 Pro laptops.
The users don't have admin privileges on their machines.
I found that changing the WMI privileges manually (ROOT > CIMV2 > Security > MicrosoftVolumeEncryption), adding the specific account manually and giving it the "Execute Methods" privilege allows the user to run the encryption without possessing admin rights.

I'm trying to create a script that I'm going to push via GPO to apply the needed changes.
I tried using this method without success.
I can dump the privileges. Applying them gives no errors, but no changes are made.
Both operations are done with a local admin account.
Thanks.
0
I need to query AD and extract users by display name and sAMAccountName, and show how many SMTP addresses they have under their account.
0
For some reason I cannot create a container with LDP.EXE.
I connect and bind with admin rights to the root of the domain. This goes well.

Then I right-click on the container where I want to create the new container and select "Add Child".
In the new window I add the following attributes:
DN: CN=CUSTOMERXX-BIND,CN=ProxyUsers,DC=SUB,DC=DOMAIN,DC=DK
objectClass: userProxy
ObjectSid: S-12-xxxxxxxxxx

Then I click Run and in the results pane I get the following message:
***Calling Add...
ldap_add_s(ld, "CN=CUSTOMERXX-BIND,CN=ProxyUsers,DC=SUB,DC=DOMAIN,DC=DK", [2] attrs)
Added {CN=CUSTOMERXX-BIND,CN=ProxyUsers,DC=SUB,DC=DOMAIN,DC=DK}.

This is good (I think)...

Now, when I look in ADSI Edit, I see an object under ProxyUsers with the name CUSTOMERXX-BIND, but not a container.
NoContainer.PNG
Any help is appreciated. This is driving me crazy.
0

An AD user gets locked out on a regular basis. There are multiple events with ID 4771, "Kerberos pre-authentication failed".

Additional information:

* No one tries to log in with the user account on the client machine where the error originates from.
* No scheduled tasks run in the user's context.

Please help!

Thank you in advance.
1
Is there a way for users outside of our office where the Citrix servers are located to change their AD password?

When I tested and set the user's password to prompt for a change at next logon in AD, it required them to change it when they logged on to Citrix. However, it then takes them to the login screen again and they cannot get in, because the AD password did not change.
0
I need to run a PS script that will take a CSV list of users' sAMAccountNames and set the msExchHideFromAddressLists flag to True.
0
I am encountering HTTP Status 404 - Not Found when accessing the http://localhost:8080/sample/ application.
Description: The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.

I can only assume it is caused by my Apache Tomcat configuration, because I have yet to get it working. I am running Apache Tomcat/7.0.91 on Red Hat 7 in AWS. I have installed and integrated Winbind, and the OS is happily talking to my AD domain example.com. It can see groups and users, and I have masked the domain format so 'example/user1' appears as 'user1'.

I have downloaded and installed sample.war from https://tomcat.apache.org/tomcat-7.0-doc/appdev/sample/ into my Tomcat installation's /usr/local/tomcat7/webapps/ directory.

My /usr/local/tomcat7/conf/server.xml configuration looks like this:
<!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
-->
<Realm className="org.apache.catalina.realm.JNDIRealm"
   debug="99"
   connectionURL="ldap://example.com:389"
   authentication="simple"
   referrals="follow"
   connectionName="cn=user1,ou=users,ou=lab,dc=example,dc=com"
   connectionPassword="**********"
   userSearch="(sAMAccountName={0})"
   userBase="dc=example,dc=com"
   userSubtree="true"
   roleSearch="(member={0})"
   roleName="cn"
   roleSubtree="true"
   roleBase="ou=users,ou=lab,dc=example,dc=com"
  />



My /usr/local/tomcat7/webapps/sample/WEB-INF/web.xml file looks like this:



0
I have around 60 to 70 distribution groups in on-premises Active Directory which are synced through AAD Sync to Azure AD.

I have been asked to find distribution groups which are stale and not being used, to sort them from the fewest members to the most members,
or to find overlapping members in groups.

Basically, I have been asked to clean up the groups.

Any idea what I should look at to clean up in the distribution groups?
0
I have an issue with a Remote Desktop Services server. The issue I'm having is with the screen timeout.

We want the user's local computer to have a timeout of 5 minutes for the screen lock, but we want the server they are remoting into to not have a screen lock. Currently, the remote desktop session locks after 5 minutes of inactivity. So when the user steps away, they have to log in to their local PC as well as re-type their password in Remote Desktop.

Is this because I'm putting the server (computer object) in an OU, and the screen lock settings are user policies, so the policy is being passed to the remote desktop session from the local PC because the user account is already logged in on the local PC?

There is a GPO at the domain level that sets the screen lock to 5 minutes for all users.
These settings are in "User config > Policies > Admin templates > Control Panel/Personalization":
Enable Screen saver = Enabled
Password protect screen saver = Enabled
Screen saver timeout = Enabled & 300 seconds

I've set up an OU that has a GPO screen lock policy with screen lock disabled, placed the server in it, and disabled GPO inheritance on that OU.
Here are the settings for this GPO, in "User config > Policies > Admin templates > Control Panel/Personalization":
Enable Screen saver = Disabled
Password protect screen saver = Disabled
Screen saver timeout = Disabled
0
What are the Microsoft Server 2016 certifications that deal with Active Directory?

I'm especially looking for a certification that emphasizes Active Directory sites and services and replication.
0
I am going to be starting a job where I need to know a lot about setting up AD site replication and using Active Directory Sites and Services.

What are the Best online resources for learning about Server 2016 Active Directory Sites and Services and Active Directory site replication?
0
What is the process to set the order in which Server 2016 domain controllers authenticate Active Directory accounts?
0

What are the processes and group policy settings to change to enable Read-Only Domain Controllers to authenticate domain admin accounts in Server 2016?
0
Please provide me with online references about how to load & use Server 2016 Active Directory PowerShell modules for AD administration, synchronization, troubleshooting, etc.
0
Please provide me with URLs to online references that provide a complete list of Server 2016 Active Directory & Active Directory sync commands from the command prompt & PowerShell.
0
We are rebuilding our entire Active Directory environment. I've seen many posts on the Internet about building the CA server and that it is best practice to keep it separate from the domain controller. I also believe there is something about building an offline CA, but in terms of keeping things manageable, I'm not sure if this is a must for us. I always have trouble with certificates and building the CA, and it's hard to find instructions applicable to our environment, unless perhaps I'm misunderstanding them.

We have a 3rd-party wildcard certificate issued by GoDaddy (used for network devices, etc.). I'd like to build a Windows Server 2016 CA on a separate VM from our DC. I also want to utilize certificates for LDAPS and for the client machines that are joined to our network.

Can someone advise on the steps to accomplish this? I've found these notes on building the CA; however, they don't say anything about using a 3rd-party certificate. Or perhaps I don't need a 3rd-party certificate for LDAPS and internal machines? https://www.virtuallyboring.com/setup-microsoft-active-directory-certificate-services-ad-cs/
1
Hi,
I've always been under the impression that Google Chrome's Incognito mode does not remember any of one's activity on the web.

Yet, when I sign on to Gmail and enter my email address:

1. When I type a few characters, it displays my email address on the next line (scrubbed screenshot below):
Autocomplete

2. It remembers my password.
password remembered
What would explain this behavior?
Thanks,
Steve
0
Hi Expert,

What is the best practice for a member AD's DNS settings?

Normally on the primary AD, the preferred DNS setting points to its own IP, and the secondary points to the backup AD or a member AD.

Should we add all the member ADs' IP addresses into the primary AD's DNS settings?

For a member AD, should the preferred DNS point to the primary AD's IP address?

In my case, I have 4 Active Directory servers.

Please advise.

Thanks
Alfred
0