Petri IT Knowledgebase Forums - Active Directory

Unified Messaging Dial plan object

Jscubafbi — Mon, 20 May 2013 04:09:11 GMT

Hi all. I was wondering if anyone knows the name of the attribute on A UM dial Plan in AD; that tells specifies what servers are associated with the dial plan? I found the Um Dial Plan in ad but can't find the attribute.

Can anyone help here?

Cheers.

Administrators Active Directory Report

leoalvis — Sun, 19 May 2013 23:42:01 GMT

Good evening,

How can I generate a report of administrators users in Active Directory?

Thank you very much.

Security for 3rd Party suppliers, developers, VPN access, Group Policy, Leveraging AD

ranjb — Fri, 17 May 2013 11:05:10 GMT

Hi
I have just come out of a meeting where it was discussed that our security needs to be greatly improved as well as procedures and management of our Production environments.

Being a multi-international company we have numerous 3rd parties who access our system. Currently we use PPTP connectivity via a Linux server to provide them access and this is how we provide access to our 3rd parties as well as internal employees. I am putting a plan together to move away from this as this is a BIG security issue as its not controlled and if a 3rd party understood our systems better they would be able to access any point of the network.
Our developers, solution architects also have access to our production systems and we have recently learnt that some changes are not going from a dev to production environment in a controlled manner, in some cases any changes are being made directly to production systems without any proper testing.
Currently the internal developers will have a local admin access to a Windows server. historically if a user wanted access they just needed to put in a request in and they would have access.

I am just trying to get some advice on how best we can better manage this, what do other companies do in our situation? I doubt if we are unique with these problems. I think moving forward a VPN gateway which authenticates with AD, where we can control access to what servers/RDP sessions a particular user/group can have access too (similar to a remote apps/Citrix web session) and also getting away from multiple users have local admin access to servers. A suggestion was to use one 'developer' account and use group policy to create this local account on all PROD/DEV servers in the enterprise but the problem I see with this is we cannot audit who is making the changes if there are multiple devs using 1 account.

Moving onto auditing, any suggestions on how better we can audit our environment? can this be done straight out of the box on Windows servers or do we need a 3rd party tool?

Many Thanks

The issue with Windows NT still lurking as a Trust

ranjb — Tue, 14 May 2013 09:28:32 GMT

Hi All
I am currently working on a piece to decommission our ldap domain in our offices across the UK and move to a fully Wintel environment. We have a mixture of environments at the moment, we have an old NT Domain, a LDAP domain on Linux and an Active Directory domain. The AD domain is the forest root and there are trusts to the NT and Linux domain from here as well other domains from our partner countries.

All of our services are hosted in a Data center and we have MPLS Wan links to all of our offices, we have 4 in total. All of our Windows domain controllers are hosted in the DC, with our Linux environment, we have master LDAP/DNS/DHCP/NTP in the DC and have replicas in the office locations, one at a time they have been decommissioned as the local offices have moved over to the Windows equivalents of those services i.e. moving users/computers from Linux to AD domain.

I have a question with regards to 1 office where the majority of our users reside. I have removed the dependance of LDAP now and now want to create a DNS and DHCP for this office. That part I am OK with, however because the number of users I see there will likely be a benefit if I install a RODC in this office.

My question is in the DC we have 3 DCs, our forest and domain levels are set to 2003. If I was to create another 2008R2 RODC in this office would it have an issue with the NT trust?

I read this article and got slightly concerned
http://blogs.technet.com/b/askds/arc...ition.aspx#nt4
It talks about NT trusts and 2008R2 DCs not being compatible... Have others encountered this issue? The NT4 domain is going but I am not in a place to remove it yet due to legacy applications still reliant on this.

Thanks

Permissions to logon through terminal services

Stevenjwilliams83 — Fri, 10 May 2013 13:04:29 GMT

Why is this not working...

Forest is domain.com, child domain is ABC.domain.com

Domain admins group at Domain.com is part of the built in administrators group in ABC.domain.com.

Servers local policy states Administrators and Remote Desktop Users are allowed logon through terminal services, but yet a user in the domain admins group at domain.com cannot log into a server in ABC.domain.com.

Did I miss something?

How to generate a "last login" report

Tasuooooo — Sun, 28 Apr 2013 08:55:00 GMT

Hello,

I would like to know how can I get a report of all users last login time?
I would like to clean my Active directory from users who haven't login to the domain above X time.

Thanks for your help

Sysvol corrupt

Ruslan — Thu, 25 Apr 2013 09:53:47 GMT

Hi,

We had an old Windows 2003 server acting as a domaincontroller for ad.domain.net, this was set to windows 2000 mode if I remember right. What I first done was to raise this to 2003 mode.
Then I runned this: on the domaincontroller run D:\support\adprep\adprep32/forestprep and D:\support\adprep\adprep32 /domainprep
The next step was that I installed active directory services on the Windows 2008 server and did a dcpromo and added this second dc to the domain ad.domain.net. Then I transferred all roles to the new server and finally depromoted the old dc. The old Dc is unfortunately gone now.

But during the work i noticed that the sysvol share never was created on this server. Found that file replication service was disabled on the old server, and has been that for several years? So I tried to start that service but got an error message as I understood this was due to that this service has been disabled for a very long time. So I did a search for that and noticed that several others had this problem and that they solved this by stopping the netlogon service on the new server and copied the whole sysvol directory from the old server to C:\Windows\System32 on the new server, and then started the netlogon service again.

My question is if somebody knows if I can start from scratch in some way with the sysvol without reinstalling the domaincontrollers? There wasn�t so much policies applied so I can recreate those manually.

AD Migration Question

exoromeo — Wed, 24 Apr 2013 15:27:49 GMT

We are looking at migrating from our current AD setup (parent + child domains) to a new forest utilizing a resource forest for Exchange. How feasible is this (based on info below) and how difficult? I've done forest to forest migrations before; but never from a forest/child domain to a new forest with Resource Forest.

Just wondering how painful it is to migrate from Parent holding Exchange, Child holding users to Resource Forest setup.

CURRENT SETUP

ParentDomain = holds Exchange server (and DAG) and a couple of DCs
ChildDomain1 = holds users, couple of DCs for ChildDomain1, and various resources for ChildDomain1

ChildDomain2 = holds users, couple of DCs for ChildDomain2, and various resources for ChildDomain2

Parent-Child trust between ParentDomain and each Child. Shortcut trust between ChildDomain1 and ChildDomain2

PLANNED SETUP

ResourceForest = will hold Exchange + DAG
Domain1Forest = will hold users and resources from ChildDomain1
Domain2Forest = will hold users and resources from ChildDomain2

Trusts built between ResourceForest and Domain1/Domain2. Trust built between Domain1 and Domain2.

FRS will not start. AD/GPO all messed up.

Rogie — Tue, 23 Apr 2013 20:20:18 GMT

IssueServer01: Windows Server 2003 R2 SP2

Environment: DCs are: Server 2003/2008/2012

I discovered an issue when creating a new GPO to map a network drive. It wasn't replicating to all DCs.

IssueServer01 was the RID/PDC/Infrastructure Operations Master, and I discovered that it's FRS service would not start. Since then, I have transferred the Operations Master roles to a functional DC. Also, the SYSVOL folder was not shared.

When trying to manually start the FRS service, I get "Error 1067: The Process terminated unexpectedly"

We don't need this server to be a DC any longer, so I decided to demote it. When I try that (as well as dcpromo /forceremoval), I get "The operation failed because: Failed to prepare for or remove the sysvol replication. The file replication service cannot be started."

I would rather not just shut this server off and manually remove the metadata. I think if I can get the FRS service running, then I can demote it. Any ideas?

Thank you in advance for any help you can offer.

Home folders

bigalusn — Tue, 23 Apr 2013 14:03:59 GMT

Win2k3 Servers with AD. Mixed in some Win2k8 servers, exchange, virtual servers.

All of my users can browse all other home folders, this should not happened at all weird. Seems like it just started doing this lately. Network has been up and running since 2008 with no issues.

everyone is connected properly to the Z drive

\\myserver\home$\%username%

Group Policy for Linux desktops

Alexgeorge26 — Mon, 15 Apr 2013 13:02:09 GMT

Hi,

I would like to know is it possible to set a Group policy in windows 2008 or windows 2012 for Linux desktops also. I have client who is having AD on windows 2008 R2 server and client system on both windows & Linux desktops & now they want to set group policy for both windows and linux desktops.

I would like to know is it possible to set group policy for linux OS through windows Ad

Regards

Alex

The choosing of AD DC

Stevenjwilliams83 — Sun, 14 Apr 2013 20:08:48 GMT

I have been struggling with understand why my local site clients would be accessing a DC across a WAN to authenticate? I have looked at my AD SAS and the DCs are in the correct locations mapped with the right subnets. Also when I open my AD UAC tool from my desktop it just randomly picks a DC, then when I change the DC and check the box that saves this configuration for the console, the next time I open it, it picks a random DC again? What is going on?

AD Migration (split from hijacked thread)

behzad — Tue, 09 Apr 2013 12:52:31 GMT

Hi. Trying to perform transition from Windows 2000/Exchange 2000 to Windows 2008R2/Exchange2007.

Created a test virtual environment using VmVConvertor ver 4.0.1. DCs are converted properly. I get an error message when I try to replicate DCs indicating USN Rollback. Cannot run ADPREP32 /FORESTPREP on the Schema master. It returns error the DC needs to replicate once after reboot to change schema. This cannot be done because of the USN RollBack. All the articles refer to restore AD. Unfortunately ntbackup or other backup utility don't works under DSRM on these VMs. Removed all the references of other DCs, so I only have one DC, yet cannot adprep. Can anybody help me to overcome this problem?

Active Directory/Directory Server

surdileep — Mon, 08 Apr 2013 11:01:39 GMT

Hi,

I would like to know under what circumstances will Active directory and Directory server be configured in the same environment.

What measures needs to be taken before having this kind of setup.

NtFrs Event ID: 1350

ant2ne — Thu, 04 Apr 2013 19:14:06 GMT

What is this then?

Quote:

Log Name: File Replication Service
Source: NtFrs
Date: 3/31/2013 10:58:34 AM
Event ID: 13508
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: RLSSERVER2.rls.local
Description:
The File Replication Service is having trouble enabling replication from RLSSERVER.rls.local to RLSSERVER2 for c:\windows\sysvol\domain using the DNS name RLSSERVER.rls.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name RLSSERVER.rls.local from this computer.
[2] FRS is not running on RLSSERVER.rls.local.
[3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
Event Xml:

13508
3
0
0x80000000000000

426
File Replication Service
RLSSERVER2.rls.local

RLSSERVER.rls.local
RLSSERVER2
c:\windows\sysvol\domain
RLSSERVER.rls.local
D5040000

The 2 domain controllers are replicating back and forth. I created an object on one, then created another object on the other and after a few moments they have the same object. I've jumped around on the internet and tried several different things. The two DCs can resolve the other via DNS.

Everything seems functional on each DC.