Directory Services Forum

Brand New windows 2003 server with AD installation

Mon, 30 Nov 2009 16:30:19 Z

All,

I am trying to ask myself the right questions as i am about to setup a brand new company and want to implement server 2003 with AD.
What I need is to ask my self the right questions for the planning process. For example, what address range am i going to use? What am i going to call my domain? What Raid array to use? IS there going to be only one forest. etc.

Does anyone have a getting started checklist or something similar that I could use to make sure i have covered all topics. I am familiar with server 2003 but have never setup a network from scratch that needs all these services.

Really appreciate any advice. I have been refered to the "Planning an Active Directory Deployment Project" but this does not give me the questions that i need answered.
Regards,

Kevin

Subclassing "User" or "inetOrgPerson" breaks AD Users and Computers tool?

Fri, 27 Nov 2009 18:07:23 Z

I'm busy porting over a non-AD LDAP instance to AD, in the hopes of enabling the use of Exchange in the future while maintaining some compatibility with existing applications. I'm largely successful importing user data, but I've notice one thing that confuses me:

I'm adding a new custom schema, and object class to contain attributes specific to our organization. I'd rather it be a structural object class, since as near as I can tell only a structural object class is allowed to specify a custom rdnAttId (and I want a custom rdn, as using "cn" is an absolute last resort for policy/privacy reasons). Importing the data works fine.

But when I view these programmatically-created users in AD Users and Computers, it only shows them as generic objects. It has no idea how to deal with them.

If I change my class to just an auxiliary class - which forces me back into using 'cn' as rdnAttId - ADUC suddenly knows what it's looking at.

Am I doing something wrong? The whole idea of a subclass is that the subclass IS a member of the parent class. My custom class IS a User, and User is even in the objectclass value list.

Certificate Request for Exchange 2010 and PKI Configure

Mon, 30 Nov 2009 16:35:23 Z

We have PKI and Exchange 2010 servers on Windows Server 2008 R2.

I try to add a new certificate for Client Access. I can prepare request file. But when I go to Certificate Authority Console on PKI server I can not approve this req. file. I don't know PKI very well and want to understand it.
I click Issue Node in Certificate Authority Console and choose Submit New Request but nothing happend.

Furthermore there is no http://pkisrv/certsrv node. I configured PKI by http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx step-by-step guide.

How to resolve the issue with PKI?

xfer schema master fsmo from 2003 to 2008 server

Mon, 30 Nov 2009 15:48:40 Z

Error when trying to register this dll; "regsvr32 schmmgmt.dll " on 2008 dc:

"The module schmmgmt.dll was loaded but the call to dllregisterserver failed with error code 0x80040201.

thanks in advance

Can you rename Windows Server 2008 domain ?

Mon, 31 Mar 2008 17:16:19 Z

Hi there,

I am wondering if its possible to rename a Windows server 2008 domain using Rendom utility. I have tried installing the Rendom utility available for Windows Server 2003 and it fails to install successfully, even if you try to install in the compatibility mode. I didn't find this utility for Windows Server 2008 domain specifically.

I understand the business case for this to be relatively low as Server 2008 is fairly new and wont be in production at most places for a while. My need is around my test lab.

Any help would be appreciated.

Regards,
Rick @ Toyota Motors

Can't clear security log on DC

Fri, 27 Nov 2009 07:59:35 Z

My account is member of Domain Admins, and Enterprise Admins but can't clear security log. How can i clear security log on my DCs. please advise
Thank you.

Thana

Active Directory User to use a second router by default

Mon, 30 Nov 2009 12:02:45 Z

We have a web Server running Windows Server 2003 with Exchange Server,Active Directory,IIS and Terminal Services.
We have 2 routers with 2 different internet connections (both with a different static IP) assigned to local ip's 192.168.1.1 and 192.168.1.2.
The first router holds the DHCP server.
We would like to set an existing user to only use the secondary IP for downloading. It doesnt matter for us if we need to have this user make all his internet activity through the second router or make him use the second one in specific application types. We're concerned about downloads mostly.
The Server also has 2 network cards, in case there is a solution that needs that.
Also the server has IIS that runs about a dozen web sites, all configured with the IP of the 1st router.

Cross-forest trust: What permissions are required to lookup users in the trusted domain?

Fri, 20 Nov 2009 14:16:09 Z

We have a two-way selective authentication trust in which we would like to add users from the other domain to a group in our resource domain. We are challenged for the other domains credentials in order to resolve/lookup the user account in order to add it to our domain group.

What specific permissions are required in the other domain to be able to resolve/lookup users from that domain to prevent the challenge each time?

Thx,

-Scott

Upgrading Windows 2008 Domain to Windows 2008 R2

Mon, 23 Nov 2009 16:30:24 Z

I can't seem to find any docs specific to an AD upgrade from Windows 2008 to Windows 2008 R2. It seems we should be able to run adprep /forestprep and adprep /domainprep and run the R2 upgrades on my current DCs. I've searched TechNet but can't find any docs that focus on my specific instance. Has anyone done what I'm considering?

Orange County District Attorney

Domain Administrator is unable to install Softwares

Fri, 27 Nov 2009 05:13:34 Z

Hi
My domain admin is unable to install software but all Administrator in same OU are working fine. The interesting thing is that its also an Enterprise Administrator. When I click on installers (MSI or other exe) nothing happens. Not a message or event id is generated.

Can some one help me?

Upgrade 2000 domain to 2003 domains fails adprep /forestprep

Sat, 28 Nov 2009 15:29:19 Z

I am trying to uprgrade a win 2000 domain to Win 2003 the adprep fails with this error
LDAP API ldap_add_s() finished, return code is 0x44
And
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=4444c516-f43a-4c12-9c4b-b5c064941d61,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=XXXXX,DC=local.LDAP API ldap_search_s() finished, return code is 0x20

ANy one see this before? Any ideas on the fix
Thanks

administratos - built in group in domain 2003

Thu, 19 Nov 2009 20:51:53 Z

hello

i remove user from administrators built in domain group, and after couple of minutes the user return without that user add him.
i look for GPO that apply on Domain Controllers OU and no definition that can add user to this group, and i dont why this happen

Thanks

Windows Server 2003 Active directory Sizer Tool

Mon, 30 Nov 2009 12:57:50 Z

Hi all,

Does anyone know of a good sizer tool for deploying AD in server 2003.
I know they did one for 2000 server and it looks like a good tool to follow to enable me to successfully plan and implement AD in server 2003.
Any advice or something similar would be a great help. This will be a brand new domain with just one forest. It's probably not that difficult but I am currently studying MCSE this is my 1st major project.

Thanks in advance for any advice or help,

Regards,

Kevin

Hide or remove domain name at logon screen

Sun, 29 Nov 2009 12:34:01 Z

Hey there.

I wanna remove the domain name at the logon screen. (win7 and Vista clients)
Now i have "domain\User account name" and i just want to see a username just as if there a logon on locally.

Wondering if this is possible at all

Second domain controler with W2K3Server 32bits when the primary is W2K3Server X64 ... possible ?

Thu, 19 Nov 2009 16:29:08 Z

I have a Primary Domain controles with Windows 2003 Server 64bits R2.
I want to have a second DC in case the primary one falls. Is it possible ?
I have tried with a virtual machine and is giving a problems win DNS, but everything is ok about it.
Some Idea ?

Active Directory Web Services fails to start

Sat, 28 Nov 2009 04:42:00 Z

We've recently Upgrade a Windows 2003 R2 Domain Controller to Windows Server 2008 R2x64 DC. The installation seemed to go well, except for the Active Directory Web Services have failed to start.   The event log items as below.

Log Name:      System
Source:        Service Control Manager
Date:          11/27/2009 8:34:04 PM
Event ID:      7034
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      bigger.cpu.local
Description:
The Active Directory Web Services service terminated unexpectedly. It has done this 3 time(s).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7034</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2009-11-28T04:34:04.644407000Z" />
    <EventRecordID>8688</EventRecordID>
    <Correlation />
    <Execution ProcessID="680" ThreadID="4816" />
    <Channel>System</Channel>
    <Computer>bigger.cpu.local</Computer>
    <Security />
</System>
<EventData>
    <Data Name="param1">Active Directory Web Services</Data>
    <Data Name="param2">3</Data>
</EventData>
</Event>

DC migration problem

Fri, 27 Nov 2009 11:04:27 Z

Hello,

I need to move a DC from one server to another. The original server is W2k3 and also Exchange 2003 server. The destination server is running w2k8 and also an Exchange 2007 server.

On the original server, Exchange 2003 has been removed. There is no way back on it.
Whenever I ty to switch off the original server, the domain goes nuts. Rebooting the destination server ends up with Exchange services stopped and Events relating the the fact that the new server cannot find a DC for the domain. Here are different informations I grabed :

----------------------------------------------
ActiveDirectory_DomainService EventID 2087

Active Directory services could not resolve the DNS hostname for the AD controler. bla bla bla

Source doamin controler :
MyOriginal W2K3 domain controler
Nom de l’hôte DNS en échec :
40027475-dca3-43db-86db-6ac4b3a7576f._msdcs.oxygen-rp.com
----------------------------------------------
MSExchange ADAccess EventId : 2130
Processus SMEX_SystemWatcher.exe (EMS) (PID=2056). Exchange Active Directory did not find an available Active Directory Controler in the domain ...
(rough translation from french)

From this Event I can find tons of errors in concerning Exchange.
----------------------------------------------
DCDIAG /s:NewDC

C:\Users\administrateur.OXYGEN>dcdiag /s:oxymail

Diagnostic du serveur d'annuaire

Exécution de l'installation initiale :
   * Forêt AD identifiée.
   Collecte des informations initiales terminée.

Exécution des tests initiaux nécessaires

   Test du serveur : Asnieres\OXYMAIL
      Démarrage du test : Connectivity
         ......................... Le test Connectivity
          de OXYMAIL a réussi

Exécution des tests principaux

   Test du serveur : Asnieres\OXYMAIL
      Démarrage du test : Advertising
         ......................... Le test Advertising
          de OXYMAIL a réussi
      Démarrage du test : FrsEvent
         Erreurs ou avertissements détectés au cours des dernières 24 heures
         après le partage de SYSVOL. Des problèmes liés à l'échec de la
         réplication SYSVOL peuvent provoquer des problèmes de Stratégie de
         groupe.
         ......................... Le test FrsEvent
          de OXYMAIL a réussi
      Démarrage du test : DFSREvent
         ......................... Le test DFSREvent
          de OXYMAIL a réussi
      Démarrage du test : SysVolCheck
         ......................... Le test SysVolCheck
          de OXYMAIL a réussi
      Démarrage du test : KccEvent
         ......................... Le test KccEvent
          de OXYMAIL a réussi
      Démarrage du test : KnowsOfRoleHolders
         ......................... Le test KnowsOfRoleHolders
          de OXYMAIL a réussi
      Démarrage du test : MachineAccount
         ......................... Le test MachineAccount
          de OXYMAIL a réussi
      Démarrage du test : NCSecDesc
         L'erreur AUTORITE NT\ENTERPRISE DOMAIN CONTROLLERS n'a pas
            Replicating Directory Changes In Filtered Set
         de droits d'accès pour le contexte de nommage :
         DC=ForestDnsZones,DC=oxygen-rp,DC=com
         L'erreur AUTORITE NT\ENTERPRISE DOMAIN CONTROLLERS n'a pas
            Replicating Directory Changes In Filtered Set
         de droits d'accès pour le contexte de nommage :
         DC=DomainDnsZones,DC=oxygen-rp,DC=com
         ......................... Le test NCSecDesc
          de OXYMAIL a échoué
      Démarrage du test : NetLogons
         ......................... Le test NetLogons
          de OXYMAIL a réussi
      Démarrage du test : ObjectsReplicated
         ......................... Le test ObjectsReplicated
          de OXYMAIL a réussi
      Démarrage du test : Replications
         ......................... Le test Replications
          de OXYMAIL a réussi
      Démarrage du test : RidManager
         ......................... Le test RidManager
          de OXYMAIL a réussi
      Démarrage du test : Services
         ......................... Le test Services
          de OXYMAIL a réussi
      Démarrage du test : SystemLog
         Un événement Error s'est produit. Identificateur de l'événement :
         0xC0002719
            Temps généré : 11/27/2009   11:19:25
            Chaîne d'événement :
            DCOM n'a pas pu communiquer avec l'ordinateur 194.2.0.20 en utilisan
t les protocoles configurés.
         Un événement Error s'est produit. Identificateur de l'événement :
         0xC0002719
            Temps généré : 11/27/2009   11:19:25
            Chaîne d'événement :
            DCOM n'a pas pu communiquer avec l'ordinateur 194.2.0.50 en utilisan
t les protocoles configurés.
         Un événement Error s'est produit. Identificateur de l'événement :
         0xC0002719
            Temps généré : 11/27/2009   11:19:46
            Chaîne d'événement :
            DCOM n'a pas pu communiquer avec l'ordinateur 195.40.1.250 en utilis
ant les protocoles configurés.
         ......................... Le test SystemLog
          de OXYMAIL a échoué
      Démarrage du test : VerifyReferences
         ......................... Le test VerifyReferences
          de OXYMAIL a réussi

   Exécution de tests de partitions sur ForestDnsZones
      Démarrage du test : CheckSDRefDom
         ......................... Le test CheckSDRefDom
          de ForestDnsZones a réussi
      Démarrage du test : CrossRefValidation
         ......................... Le test CrossRefValidation
          de ForestDnsZones a réussi

   Exécution de tests de partitions sur DomainDnsZones
      Démarrage du test : CheckSDRefDom
         ......................... Le test CheckSDRefDom
          de DomainDnsZones a réussi
      Démarrage du test : CrossRefValidation
         ......................... Le test CrossRefValidation
          de DomainDnsZones a réussi

   Exécution de tests de partitions sur Schema
      Démarrage du test : CheckSDRefDom
         ......................... Le test CheckSDRefDom
          de Schema a réussi
      Démarrage du test : CrossRefValidation
         ......................... Le test CrossRefValidation
          de Schema a réussi

   Exécution de tests de partitions sur Configuration
      Démarrage du test : CheckSDRefDom
         ......................... Le test CheckSDRefDom
          de Configuration a réussi
      Démarrage du test : CrossRefValidation
         ......................... Le test CrossRefValidation
          de Configuration a réussi

   Exécution de tests de partitions sur oxygen-rp
      Démarrage du test : CheckSDRefDom
         ......................... Le test CheckSDRefDom
          de oxygen-rp a réussi
      Démarrage du test : CrossRefValidation
         ......................... Le test CrossRefValidation
          de oxygen-rp a réussi

   Exécution de tests d'entreprise sur oxygen-rp.com
      Démarrage du test : LocatorCheck
         ......................... Le test LocatorCheck
          de oxygen-rp.com a réussi
      Démarrage du test : Intersite
         ......................... Le test Intersite
          de oxygen-rp.com a réussi

C:\Users\administrateur.OXYGEN>
----------------------------------------------
DCDIAG /test:dns /e

C:\Users\administrateur.OXYGEN>dcdiag /test:dns /e

Diagnostic du serveur d'annuaire

Exécution de l'installation initiale :
   Tentative de recherche de serveur associé...
   Serveur associé : oxymail
   * Forêt AD identifiée.
   Collecte des informations initiales terminée.

Exécution des tests initiaux nécessaires

   Test du serveur : Asnieres\ADELE
      Démarrage du test : Connectivity
         ......................... Le test Connectivity
          de ADELE a réussi

   Test du serveur : Asnieres\OXYMAIL
      Démarrage du test : Connectivity
         ......................... Le test Connectivity
          de OXYMAIL a réussi

Exécution des tests principaux

   Test du serveur : Asnieres\ADELE

   Test du serveur : Asnieres\OXYMAIL

         Démarrage du test : DNS

               Démarrage du test : DNS

                  Les tests DNS sont en cours d'exécution et ne sont pas
                  arrêtés. Veuillez patienter quelques minutes...
                  ......................... Le test DNS
                   de OXYMAIL a réussi
         ......................... Le test DNS
          de ADELE a réussi

   Exécution de tests de partitions sur ForestDnsZones

   Exécution de tests de partitions sur DomainDnsZones

   Exécution de tests de partitions sur Schema

   Exécution de tests de partitions sur Configuration

   Exécution de tests de partitions sur oxygen-rp

   Exécution de tests d'entreprise sur oxygen-rp.com
      Démarrage du test : DNS
         Résultats des tests des contrôleurs de domaine :

            Contrôleur de domaine : oxymail.oxygen-rp.com
            Domaine : oxygen-rp.com

               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record _dcdiag_test_record
in zone oxygen-rp.com

               TEST: Records registration (RReg)
                  Carte réseau
                  [00000006] Connexion réseau Intel(R) PRO/1000 MT :
                     Avertissement :
                     Enregistrement AAAA manquant au niveau du serveur DNS
                     10.10.1.245 :
                     oxymail.oxygen-rp.com

                     Avertissement :
                     Enregistrement AAAA manquant au niveau du serveur DNS
                     ::1 :
                     oxymail.oxygen-rp.com

               Avertissement : inscriptions d'enregistrement introuvables sur
               certaines cartes réseau

            Contrôleur de domaine : adele.oxygen-rp.com
            Domaine : oxygen-rp.com

               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record _dcdiag_test_record
in zone oxygen-rp.com

               TEST: Records registration (RReg)
                  Carte réseau
                  [00000001] Intel(R) PRO/1000 MT Network Connection :
                     Avertissement :
                     Enregistrement AAAA manquant au niveau du serveur DNS
                     10.10.1.245 :
                     adele.oxygen-rp.com

                     Avertissement :
                     Enregistrement AAAA manquant au niveau du serveur DNS
                     10.10.1.245 :
                     gc._msdcs.oxygen-rp.com

                     Avertissement :
                     Enregistrement AAAA manquant au niveau du serveur DNS
                     10.10.1.5 :
                     adele.oxygen-rp.com

                     Avertissement :
                     Enregistrement AAAA manquant au niveau du serveur DNS
                     10.10.1.5 :
                     gc._msdcs.oxygen-rp.com

                     Avertissement :
                     Enregistrement AAAA manquant au niveau du serveur DNS
                     ::1 :
                     adele.oxygen-rp.com

                     Avertissement :
                     Enregistrement AAAA manquant au niveau du serveur DNS
                     ::1 :
                     gc._msdcs.oxygen-rp.com

               Avertissement : inscriptions d'enregistrement introuvables sur
               certaines cartes réseau

               oxymail                      PASS WARN PASS PASS WARN WARN n/a
               adele                        PASS WARN PASS PASS WARN WARN n/a
         ......................... Le test DNS
          de oxygen-rp.com a réussi

C:\Users\administrateur.OXYGEN>

--> IPV6 is not installed on the original W2K3 server

----------------------------------------------
The new W2K8 has the 5 FSMO roles
(schema master, naming master, PDC, RID, Infrastructure)

I guess my problem lies in the DNS configuration, but I must admin I don't know to start from !

Any help / guidance / suggestion / link to any page on the internet will be appreciated !

Daniel

Windows Log Off Problems On Wireless Laptops Connected To Domain

Thu, 22 Oct 2009 01:50:12 Z

We've encountered a problem where Windows takes a very long time to log off if the laptop is on the wireless network. On the wired network, the laptop works great (just like our desktops). Please note that this is our first attempt at adding laptops to the domain (since more users are starting to request laptops we are looking for an easy way to manage them and hence are looking to add them to the domain to use group policy).

The following 2 events are logged in the Application event log when the laptop logs off slowly on the company wireless network:
1. Event ID 6005, Source Winlogon: The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (EndShell).

2. Event ID 6006, Source Winlogon: The winlogon notification subscriber <GPClient> took 233 seconds to handle the notification event (EndShell).

During my testing, I found that if I turn off the wireless adapter while logging off, the log off occurs smoothly. Also, if I keep the VPN client connected while I log off, the log off occurs smoothly.

Since the problem only happened on the internal wireless network, I contacted the security folks and discovered that netbios is disabled on the company wireless network. So to work around this, I attempted to disable netbios over TCP/IP for the wireless network adapter, but this did not help.

I also attempted to play around with the "Group Policy slow link detection" group policy setting under the user configuration area with no success.

I've moved both the laptop computer account and test user account under a new OU that blocks all inheritance. So, no domain group policies are affecting this laptop.

Any suggestions on getting around this problem? It would be very useful to have these laptops connected to the domain so we can start pushing group policy settings to them, but I also want the user experience to the quick and responsive. And, I would like to avoid having to have my users turn off the wireless adapter each time they log off while on the wireless network because I know that they will not remember.

The client laptop is running Windows 7 RTM (this is my test laptop) connecting in to a Windows 2008 domain. I'm not sure if it matters, but we are running at a Windows Server 2008 domain functional level and a Windows Server 2003 forest functional level.

Thanks!

Bitlocker Recovery Keys Not Available Within Active Directory

Fri, 20 Nov 2009 01:11:25 Z

We have configured Group Policy to require the automatically back up bitlocker recovery keys to Active Directory. I am confident that this is, in fact, occurring based on the event logs of the PCs, which are logging TPM-WMI event 513...

TPM Owner Authorization information was backed up successfully to Active Directory Domain Services.

Odd thing is that when we search for the recovery key in Active Directory, we receive...

Your search for "xxxxxxxx" returned no results.

When we look at the computer object directly, we see...

No items in this view.

I know that this has worked properly in the past, because we have recovered bitlocker keys for hard drives previously. It seems to be a permisssions issue of some kind, however, we are using Domain/Enterprise/Schema admin to query AD for the recovery key.

This is occuring on Windows Server 2008, SP2.

Don't know how to fix replication issue!

Wed, 18 Nov 2009 09:02:21 Z

Dear all,

Current I have two DCs, one PDC (ssv01) and another BDC (ssv03). Both of them are Windows 2000 server SP4.
I check and see have problem with BDC.
- It is not able to share SYSVOL as long as NETLOGON

Event log showed as the following:

------------------------------------------
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13565
Date:  11/18/2009
Time:  9:19:51 AM
User:  N/A
Computer: SSV03
Description:
File Replication Service is initializing the system volume with data from another domain controller. Computer SSV03 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

To check for the SYSVOL share, at the command prompt, type:
net share

When File Replication Service completes the initialization process, the SYSVOL share will appear.

The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
------------------------------------------

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date:  11/18/2009
Time:  9:21:55 AM
User:  N/A
Computer: SSV03
Description:
The File Replication Service is having trouble enabling replication from \\ssv01.mydomain.com.vn to SSV03 for c:\winnt\sysvol\domain using the DNS name \\ssv01.mydomain.com.vn. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name \\ssv01.mydomain.com.vn from this computer.
[2] FRS is not running on \\ssv01.mydomain.com.vn.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
Data:
0000: d5 04 00 00               Õ...

------------------------------------------

I checked DNS, replication service are fine.
Topology I use replicaiton monitor tool I also see that it is fine (and replicated successful between DCs).
Could you please help me to fix the issue?

Thanks,
-Binh.

Problems with Server 2008 AD snap-in & Terminal Server settings

Sat, 28 Nov 2009 12:59:59 Z

Hi,

just installed a new w2k8-AD. Users have roaming TS-profiles.

What i found out is: As soon as i use the AD mmc snapin from w2k8-server and change anything on the tabs remote control, terminal services profile, environment or sessions then automatically the "starting program..." option is selected in environment tab. But i can only see that it is selected i if i use the AD mmc snaping from w2k3-server.

Regars

Reiner

problem using dsadd

Sun, 29 Nov 2009 13:02:00 Z

Hi all

Have an annoying problem, using dsadd command-line tool, on 2008 R2. And the problem existist on 3 different test Domain Controllers and 1 production. Non of the servers have any thing with each other to do, regarding domain, trust, etc. Separate installations, just out of the box – no scripted installation or reuse of image.

Problem

C:\Users\administrator>DSADD OU "OU=Domain Member Servers,OU=IT-Services,DC=one,

DC=local" -desc "Containing any Member Servers, fully managed by Operations"

dsadd failed:'any' is an unknown parameter.

type dsadd /? for help.

As you can se, the word in the description “any” is causing the line to fail.

This one works

C:\Users\administrator>DSADD OU "OU=Admin Users,OU=Admin,OU=IT-Services,DC=one,

DC=local" -desc "Containing any Domain wide Admin Users”

dsadd succeeded:OU=Admin Users,OU=Admin,OU=IT-Services4,DC=one,DC=local

What the heck is the difference?

Removing the –desc “Containing any Member Servers, fully managed by Operations" will succeeded the one with the problem. Any thinkable combination of setting quotes or removing them, doesn’t make any difference.

In a 100 lines copy/paste from a .txt file, 45 fails with similar descriptions, like “some word is an unknown parameter”

Is this a bug?

Regards Lars

RODC in DMZ - Member Server Authentication

Wed, 25 Nov 2009 20:17:42 Z

We have deployed an RODC in the perimeter and are having issues with authentication on our member servers. We have no communication between member servers in the perimeter and the RWDCs inside. According to the Deploying RODCs in the Perimeter Network guidance, we understand we'll have to manually update DNS records, but all other operations should work. However, if we attempt to log onto a member server with a user who has not been cached on the member server previously, we receive a "no logon servers available" message, and associated NETLOGON errors in the event log (Event ID 5719). We've attempted to follow the solution in Troubleshooting RODC location in the DMZ with no success, though the details about configuring the DNS security are vague at best. However, it doesn't look like the generic SRV records are being created for the RODC.

I'm looking for some assistance on how to properly adjust the security on the DNS zone to allow the RODC to create its records, then validate this has happened?

That being said, I'm still not 100% sure this will solve my issue (although I do see on the firewall the member server attempting to connect to the internal RWDC). The member server was joined to the domain whilst attached to the internal network, then moved to the perimeter. Could this somehow weirdly be the issue? Would following the manual/scripted procedure in the guidance resolve these issues?

This is happening in a lab environment with pretty much OOTB settings and built following the step-by-step instructions on TechNet. The machine and user accounts are in the PRP and I pre-populated the passwords, DNS was manually updated.

Unable to join machines to RODC in DMZ network

Wed, 18 Nov 2009 22:24:33 Z

We rolled out a RODC to our Perimeter network. There is a firewall between our perimeter network and our Corp Network. We followed the steps per TechNet article: http://technet.microsoft.com/en-us/library/dd728035(WS.10).aspx

The problem we are having is trying to add machines via the suggested script. We are trying to add a Windows 2003 server to the network from the Perimeter. We were getting "Error: 87" until we applied hotfix: "WindowsServer2003-KB944043-v5-x86-ENU.exe".

Now that the hotfix has been applied we are now getting "Error: 1354" Still unable to add the server to the Domain from the Perimeter network.

Has anyone run into this issue?

Cant Raise Domain or Forest Function Level from 2008 to 2008 R2

Tue, 03 Nov 2009 16:39:48 Z

Hi all

I have had 4 Windows 2008 Server Core Dc's running (2 sites, 2 dc's in each site) for a while now.

We have slowly decommed each one one at a time (moving FSMO roles accordingly etc etc) and replaced with new Windows 2008 R2 Standard Edition Server Core.

We finally replaced the last DC yesterday and removed one completely (from one site) temporarily. So now we have 2 x 2008 R2 DC's in 1 sites, and 1 x 2008 R2 DC in the other site. Everything is fine AD wise, FSMO roles all placed correctly, AD working just as it should, HOWEVER I cant seem to even get the option to raise either the Forest or Domain functional level from 2008 to 2008 R2 (we want the AD recycle bin!).

We have prepped the schema a while ago with

adprep /domainprep
adprep /domainprep /gpprep
adprep /forestprep

and if I try and run these again it says "Its already been done, so no need" or something like that.

But if I go into ADUC or ADDT and connect to any of the DC's it just says "Forest level = Windows 2008" or "Domain Level = Windows 2008" and "This is the highest level you can have at the moment" etc etc

Any ideas?

Cheers!

Andy

Using DNSCMD to set Conditional Forwarders to Active Directory Intergrated (Windows 2003)

Wed, 21 Oct 2009 17:14:57 Z

Windows 2003 SP2 Domain. Single Domain

Guys, I'm using the following command to integrate our DNS conditional forwarders with AD. The command works great and it does replicate the forwarders to all other DNS servers.

dnscmd /zoneadd test3.ca /dsforwarder 11.11.11.11 12.12.12.12 /TimeOut 30

What I'm finding though is that I cannot get the Time Out Value to replicate.

If I use the command it successfully sets the Time Out value on the DNS server on which I execute the command, but if I check another DNS server is sets the time value on the zone to the default 5. Is this by design?

Active Directory Restore

Fri, 13 Nov 2009 16:51:31 Z

Please can somebody help me. Am working on a project on how i would recover my active directory at the event of failure. I setup two DC on a vittual environment, create a couple of OUs, I then backup the second DC and then thrashed the second DC after the backup, i built the server again and join it to the domain again, if am joining domain, do i need to change the computer name? I rebooted the server and press F8 for AD recovery mode and i restored the system state i backed on the second DC, and after the restore ,i then rebooted the server. The issue am now having is that the restored server is not a DC and when i open the DC OU, i cannot find the name of my rebuilt server and the do not contain the Netlogon and SYSVOL folder.
Please can somebody help me with the details step-by-step process instructions on how to achive this aim. What i wanted is to have my recovered server as a DC after the system state restore. I have looked up the Microsoft web site, but there was nothing on what i wanted to do.

Regards
Victor

Why we need additional domain controller?

Fri, 27 Nov 2009 01:35:38 Z

In what situation we need additional domain controller?

"Display information about previous logons during user logon"

Wed, 27 Feb 2008 02:31:17 Z

I enabled “Display information about previous logons during user logon” in Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options thinking that it would work on Server 08, setup for 03+ DC's, and I was wrong...

Now, whenever I try to logon to the server, I get "Security policies on this computer are set to display information about the last interactive logon. Windows could not retrieve this information. Please contact your network administrator for assistance."

Now, I since I have additional Domain Admins, I attempted to logon to a workstation (Vista) as a Domain Admin... Surprise, can't login there either. It's telling me my password is incorrect. I'm pretty sure I got it right, and have locked myself out a few times by checking my old passes...

Thankfully, this Domain isn't in use by any production clients, however I really want to save the work that I already have on this PDC (btw, it's not just a PDC, it has additional roles installed, as it isn't a production machine).

Is there any way I can save this machine?

Can't disable users from adding workstations to domain

Fri, 27 Nov 2009 15:06:21 Z

Following some howto's i'm trying do disable users from adding workstations to the domain. (windows server 2k8)

in my default domain policy i have changed the setting for "add workstations to domain" to "dezuttere\Administrator".

Also set the deligation of the computers OU to the ""dezuttere\Administrator".

But normal user still can add workstations to the domain.

What i'm i missing here.

How to generate a PKCS7 or PKCS10 file format from the given ssl certificate?

Fri, 27 Nov 2009 12:58:42 Z

Hi Forum Members,

I need to know the process by which the generation of PKCS 7 or PKCS 10 file for the issued SSL certificate can be achieved. I am in the process of renewal of certificates issued by standalone 2003 CA server.

Another issue is please see this post http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/768f3352-8830-4d41-846c-bdf2727da080

I am facing some errors while trying the renewal process of ssl certificate issued by standalone CA .
I invite the valuable response from this forum
Thanks
Arunkumar.G

Increase a fonctionality level

Fri, 27 Nov 2009 11:07:53 Z

Hello,

I have two Domains in my forest, with 6 DCs in each domains

the root domain, all the servers are in Windows 2003 but in a child domain there is Dcs in Windows 2000.

here is my qsuestion :

Can i increase the fonctionnality level for the root forest domain into "Windows server 2003"?

Best Regards
Romain

Adding Central Server to combine two domains into one forest.

Wed, 25 Nov 2009 18:56:04 Z

note: All on windows server 2003

My organization currently has two small (less than 50 clients) domains that are currently on seperate forests. We are hoping to implement a central server that would provide backup to both domain controllers, centralize some shares that would be propogated to both domain controllers, and share users accross these two domains. I'm currently trying to determin the structure that we should use for this enviroment. Also, keep in mind either domain could go offline at any time and we want to maintain syncronization which is why we aren't just creating a trust between the forests.

Anyway, I'm having trouble figuring out exactly what shape this enviroment should take. We want to keep two seperate domains. I'm considering creating a domain on the central server that would be a parent to our two existing domains. However, I don't know if it would then provide us any backup for the child domains. Also, I don't know if one server can provide backup for both domains. My other consideration would be to just have two trees that are part of the same forest. However, what then would be my role of the central server? I don't think it can be a backup to both domain controllers.

As you can see, I'm still learning all this and my understanding is limited. I hope all of this made sense.

Event IDs: 1030 and 1058

Thu, 26 Nov 2009 20:37:47 Z

Hi guys

i have a big problem that i have been fighting with for quite some time and have found no solution:

I have a domain "catoca.com" with 2 sites:

1-Luanda (10.9.48.x - 255.255.255.0 network)
*This site have 2 domain controllers:
1-LDADC001 = DC, GC, DNS, DHCP, also holds FSMO
2-LDADC002 = DC, GC, DNS

2-SAURIMO (10.9.32.x - 255.255.252.0 network)
*This site has one domain controller which is the problematic one
1-SAUDC001 = DC, GC, DNS, DHCP

This SAUDC001 has been constantly flooded with these 2 events:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date:  26-11-2009
Time:  20:46:43
User:  NT AUTHORITY\SYSTEM
Computer: SAUDC001
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date:  26-11-2009
Time:  20:46:43
User:  NT AUTHORITY\SYSTEM
Computer: SAUDC001
Description:
Windows cannot access the file gpt.ini for GPO cn={862C7901-E768-4E70-992B-E2CE4DA4219C},cn=policies,cn=system,DC=catoca,DC=com. The file must be present at the location <\\catoca.com\SysVol\catoca.com\Policies\{862C7901-E768-4E70-992B-E2CE4DA4219C}\gpt.ini>. (The network location cannot be reached. For information about network troubleshooting, see Windows Help. ). Group Policy processing aborted.

These are my current problems at SAURIMO SITE (SAUDC001)

1- If i try to acess any of the domain shares (sysvol and netlogon) i receive the error:
*\\saudc001\sysvol is not accessible. You might not have permission to use this network resource. Contact the Adminstrator of this server to find out if you have access permissions.

2-If i try to connect to the domain \\catoca.com, i receive the error:
* the network location cannot be reached.....

3-If i try to join any computer to the domain on this site, i receive the error:
*windows cannot find the network path. Verify that the netiwork path is correct and the destination computer is not busy or turned off.......

4- I tried to dcpromo another Windows 2003 server machine in hope that i could replace the problematic one but i receive this error:
*The wizard cannot gain access to the list of domains in the forest. The error is: The network address is invalid

Right now i dont know what else to do and i am very preocupied because this is the only DC on this site and i have a lot of users authenticating on it

PLEASE NEED HELP URGENTLYYYYYYYYY

REGARDS

Active Directory Federation Services to integrate IBM WEbsphere apps

Fri, 27 Nov 2009 10:00:58 Z

Hi,

I am going through ADFS and could see how to authenticate between two windows Forests and establish trust beteen them. I could also see integration to IIS6 based webserver.
I have different scenario, I am looking at my Java apps sitting on IBM websphere with LDAP authenticating users from AD using SSO token from ADFS server. Can any one guide me through this and help me giving a solution.

Exporting GPO

Thu, 26 Nov 2009 10:50:28 Z

Hello all,

Is there a way to export all GPO from windows 2003 AD domain to windows 2008 R2 different domain ? If there are please do point some KB or link.

M

RENDOM - Error during step 7 (rendom.exe /prepare)

Thu, 19 Nov 2009 10:48:32 Z

Hi All,

I'm trying to do a domain rename, but I'm getting errors during the "rendom.exe /prepare" step.

The forest has a root domain, with 7 child domains. I'm just trying to change the DNS name of the forest, from "abcde" to "abcde.local" (yes, right now it's a SLD). This, of course, affects all the child domains, so they are all being renamed to include the new ".local" portion.

I only have one DC in each one of the 8 domains (1 root + 7 child domains), and only one DNS server for all the forest (which is the DC for the root domain).

Yes, I know that there should be a couple more DCs and DNS, but I'm relatively new to this structure and didn't had the time to correct some things :)

The error that I'm getting on the "rendom.exe /prepare" is this, for all the DCs, except the root DC.

Failed to find SPN LDAP/dc1.abcde/abcde.local on CN=DC1,OU=Domain Controllers,DC=abcde

This shows up as error 30169 on the control station, if I remember correctly.

This is happening on all the 7 child DCs, the root DC is the only one that gets to the "prepared" state, all the others give this error (all refering the root DC), and all refer the root DC.

I've checked the DNS records and they seem ok (at least acording to the "Step-by-step guide to implementing domain rename"), and I've checked the actual servicePrincipalName for the DC1 server, and the SPN mentioned is there (LDAP/dc1.abcde/abcde.local), along with a ton of others :)

I'm using an Enterprise Admin account.

Netdiag and DCDiag run fine on the 8 DCs. No errors on event log.

I've rerung the "rendom.exe /prepare" command a couple of times, as sugested on the white papers, but to no avail, the error keeps showing up.

Can anyone help me out with this? I suspect that I might be missing a DNS entry somewere, although I seem to have all the records mentioned on the papers. I might have some other structure problem that isn't quite visible during day to day operations, but I'm not sure what to check.

I've searched this problem on the net, but couldn't find anything specific to this problem.

If any of you could give me a hand, you will get my eternal thanks ;)

Thanks in advance!

Cheers,

Helder

Unable to create files on Windows 2008 R2 Netlogon share

Thu, 26 Nov 2009 09:41:36 Z

Hi,

I have installed 2 new Windows 2008 R2 Domain Controllers in a new forest.
In all the tests I used the same account, which is member of the domain admins group.
I cannot create files or directories in the netlogon share (\\dc1\netlogon) , if I am trying to do this from the same domain controller (dc1). The error I get is access denied, and I have an option to try again or cancel. Trying again does not help.
I tried to access the folder C:\Windows\Sysvol\Sysvol\domain.com\Scripts using explorer, and I can create only folders. The option to create other kind of files does not exist in the menu.

I tried using CMD, to create files in the local folder C:\Windows\Sysvol\Sysvol\domain.com\Scripts and also got an access denied error.

When I connect to the Netlogon share from another computer (lets say dc2, or another member server), I can create files and folders.

I know this used to work without a problem on Windows 2000, Windows 2003 and Windows 2008.

Any one knows why I have this problem on Windows 2008 R2?

Thanks,

Guy

External Trusts

Wed, 25 Nov 2009 12:46:40 Z

I have several forests with the same domain componants in the last two dc of the name space, how will this effect Trusts? I need to create trusts between several domains that share the name space, after setting them up in a test environment, I do not feel they will remain stable. Is the trust based on Netbios naming of the domain only? If so then the SID should keep everything seperate.

New domain with old domain name (users account problem)

Thu, 26 Nov 2009 21:41:11 Z

Hallo,

I had win2000 srv (DC) domain and now it is gone, fortunatelly the directories are saved.
I installed a new domain controller (using the same name as old for the DC and domain) on new machine with win2003 srv R2.

Is there any possibility to connect the old domain computers and users to the new one without creating new user profiles on the user computers.
Is there any possibility to extract user account information from the old domain directories and import into the new.

Thanx in advance.