logging IP address of User who authenticates with AD.

Tutorials Win: Microsoft Windows Forum

- Previous
  - 1
    - group member limitation, any more? We are using Windows 2003 AD and running 2003 native mode. I remember in Windows 2000 the group has limitation of 5000 users. What is it in Windows 2003? Does it have any limit? Since everyone will be in the Domain Users group? Is there a limit in Windows 2003 for this group? How about Domain Computers? another question is how to change user's primary group. By default, they are in Domain users. The "set primary group" is greyed out. Is it due to my permission? I don't need to change it but would like to know how to change it. Thanks. Tag: logging IP address of User who authenticates with AD. Tag: 125643
  - 2
    - Controlling/Limiting impact of LDAP Referrals / remote sites down We have a misbehaving non-Microsoft LDAP web application. It does not know how to "not" chase LDAP Referrals. (We're working on that, but a fix is not imminent.) (A similar case is referenced in a thread called "Bizarre LDAP referral behavior" [referenced below].) Here is our situation. When a network link goes down without warning, the domain controller there is out-of-touch with the rest of the AD domain. Trouble is, there are seven (7) _ldap SRV records still in DNS, so AD/LDAP keeps trying to contact the down site when it following LDAP Referrals. This causes a delay of up to 90 seconds in the application. We workaround this issue by deleting the 7 _ldap SRV records from the central site. This allows the application to not experience a delay. When the site eventually comes back online, it's domain controller re-registers those 7 _ldap SRV records. Here are my questions: - Under normal conditions, if a domain controller is gracefully shutdown, does it de-register those _ldap records? (I think we only have an issue when the link goes down without warning.) - Are there any controlling mechanisms to reduce the 90-second delay when chasing LDAP referrals to the down site? - Can I somehow "automatically" have AD remove those SRV records at the central site, if it know the remote domain controller is unreachable? - Is there a way that from the central site, we don't see those _ldap SRV records in DNS? I'm thinking that would stop the LDAP referrals. I believe I can tell the remote domain controller to NOT register its _ldap records, but that seems like it would break local applications such as Outlook. LDAP SRV records: mydom.net\_msdcs\dc\_sites\RemoteSite1\_tcp\ SRV record: _ldap mydom.net\_sites\RemoteSite1\_tcp\ SRV record: _ldap mydom.net\_tcp\ SRV record: _ldap mydom.net\_sites\RemoteSite1\_tcp\ SRV record: _ldap mydom.net\DomainDnsZones\_sites\RemoteSite1\_tcp\ SRV record: _ldap mydom.net\_sites\RemoteSite1\_tcp\ SRV record: _ldap mydom.net\DomainDnsZones\_tcp\ SRV record: _ldap Reference thread: Bizarre LDAP referral behavior in Windows 2003 AD microsoft.public.windows.server.active_directory http://www.servernewsgroups.net/group/microsoft.public.windows.server.active_directory/topic961.aspx Tag: logging IP address of User who authenticates with AD. Tag: 125638
  - 3
    - Group Policy Results, can not collect.( probably simple) So I run tbe GPRWizard from the dc connecting to the xp w/s and receive the same result on every machine. Failed to connect........ The RPC server in unavailable. Thanks Tag: logging IP address of User who authenticates with AD. Tag: 125632
  - 4
    - Win2K3 Domain Controllers - DR Exercises I had a DR question that I'm pretty confident someone here could answer for me, and it would be much appreciated! My company has 3 sites, for the sake of this post I will call them HQ, DR-Site1, and DR-Site2. Our HQ site has 3 domain controllers, and each DR-Site has 1 single domain controller. During our DR exercises that occur twice a year, we sever the connection to our HQ site and rely on only the DC's and resources that we restore from backup at each of the DR-Sites. Because of the large number of server restores we do along with the fact they are restored to different subnets, we find ourselves making a lot of changes to DNS records, WINS records, and computer accounts on the DC's at the DR-Sites. During these exercises, our HQ site continues normal business and the domain controllers here remain in production. They complain about no longer seeing/replicating with the DC's at the DR-Sites, but it does not impact production resources. At the conclusion of the exercises, our current method of getting everything back to normal is to perform metadata cleanup at the HQ site, blow away the DC's at the DR-Sites, and then rebuild/re-promote those DC's to get them back on the production network. While the metadata cleanup process isn't all that tedious, I've been wondering if another procedure might be less time consuming: Prior to the start of the DRE, take System State backups of the DC's at the DR-Sites. At the conclusion of the DRE, rather than metadata cleanup/rebuilds, couldn't we just use those System State backups and perform non-authoritative restores on the DR-Site domain controllers? If I understand correctly, the non-authoritative restores would tell the DR domain controllers that *their* AD data is incorrect/out-of- date and to replace it with the data from the production DC's. Is my logic here correct? Or should I just stick with the current method? Many thanks in advance! Tag: logging IP address of User who authenticates with AD. Tag: 125618
  - 5
    - ADprep question about going from 2000 to 2003 domain I will be updating our aging Windows 2000 AD domain (two Win2k servers) by introducing a third server which runs Windows Server 2003 (not R2). I need to run adprep /forestprep and adprep /domainprep to prepare the Windows 2000 domain for Windows 2003 Server. However, MS's documentation states that if you want to upgrade to a Windows 2003 Server SP1 domain, you must also run adprep /domainprep /gpprep. The Windows 2003 Server I want to introduce into the domain has SP2 and the latest updates. Do I need to run adprep with the /gpprep switch as a third step in the process before bringing the new server into the domain? Tag: logging IP address of User who authenticates with AD. Tag: 125614
  - 6
    - active directory user properties new tab Hi; I am from turkey. I have a problem about active directory. I set up scheme and added user.and then added extra attribute which name ise social securite number.There is not problem so far but I could not see or enable user properties it which added new attribute in new tab. I want to ask; is it possible add new tab in user properties and display new attribute on the new tab, how can I do . Ä°f you know ,Can you explain? Best regards.. Tag: logging IP address of User who authenticates with AD. Tag: 125610
  - 7
    - Roaming Profiles and Redirected Folders Inconsistent I'm Running Windows 2000 Small Business Server as a PDC/DC/AD, DNS, and Terminal Server with a Windows 2003 Server running DHCP, DNS, and File Server. Clients are Windows XP Pro. On the W2K SBS, I set the default policy to include folder redirection of the users' "My Documents", etc. folders. In AD, I set the users profiles to be redirected (different path, same server, W2K3) as well. The redirection is not working consistently. I've had cases where a user logs in from one computer and their folders are redirected. The same user goes to another computer and logs in - the folders are NOT redirected. It is "hit and miss" as to whether the folders/profiles are redirected or not. What should I check to diagnose and fix these problems? What needs to be changed? Tag: logging IP address of User who authenticates with AD. Tag: 125609
  - 8
    - OU Security Delegation I created a group call dc-joincomputertodomain Ad and pupulated the memberlist with our servicedesk team. The service desk team is able to join computers to the domain, but they cannot move the computer object joined to the domain to the proper OU destination. So I created a new group called ServiceDesk_AD and populated the memberlist with the same users. I then delegated ServiceDesk_AD group to be able to modify COmputer Objects in the OU we want them to move computers to. But for some reason, when they join the computer to the domain, the newly created computer object is no inhereting the secuirty values from the parent. Any Ideas? Tag: logging IP address of User who authenticates with AD. Tag: 125608
  - 9
    - W2k3 Domain Controllers running on Windows 2003 Std 64bit? What are the benefits of running Windows 2003 Domain Controllers on Windows 2003 std 64bit? Is there any gotcha's? Tag: logging IP address of User who authenticates with AD. Tag: 125607
  - 10
    - Receiving a File Replication Service error on 2 DC's. The 2 domain controllers receive Event ID's 13555 and 13552 every day a couple of times. Restarting the services did not fix the issue. All domain controllers are running Windows 2003 Standard sp1. These servers were cloned about 5 months ago on new hardware and that's when the problem started. We will be applying service pack 2 later today in hopes of fixing the issue. I would like other alternatives to try and remedy the problem instead of what the logs say. Event ID 13555 The File Replication Service is in an error state. Files will not replicate to or from one or all of the replica sets on this computer until the following recovery steps are performed: Recovery Steps: [1] The error state may clear itself if you stop and restart the FRS service. This can be done by performing the following in a command window: net stop ntfrs net start ntfrs If this fails to clear up the problem then proceed as follows. [2] For Active Directory Domain Controllers that DO NOT host any DFS alternates or other replica sets with replication enabled: If there is at least one other Domain Controller in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative. If there are NO other Domain Controllers in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and choose the Advanced option which marks the sysvols as primary. If there are other Domain Controllers in this domain but ALL of them have this event log message then restore one of them as primary (data files from primary will replicate everywhere) and the others as non-authoritative. [3] For Active Directory Domain Controllers that host DFS alternates or other replica sets with replication enabled: (3-a) If the Dfs alternates on this DC do not have any other replication partners then copy the data under that Dfs share to a safe location. (3-b) If this server is the only Active Directory Domain Controller for this domain then, before going to (3-c), make sure this server does not have any inbound or outbound connections to other servers that were formerly Domain Controllers for this domain but are now off the net (and will never be coming back online) or have been fresh installed without being demoted. To delete connections use the Sites and Services snapin and look for Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS Settings->CONNECTIONS. (3-c) Restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative. (3-d) Copy the data from step (3-a) above to the original location after the sysvol share is published. [4] For other Windows servers: (4-a) If any of the DFS alternates or other replica sets hosted by this server do not have any other replication partners then copy the data under its share or replica tree root to a safe location. (4-b) net stop ntfrs (4-c) rd /s /q c:\windows\ntfrs\jet (4-d) net start ntfrs (4-e) Copy the data from step (4-a) above to the original location after the service has initialized (5 minutes is a safe waiting time). Note: If this error message is in the eventlog of all the members of a particular replica set then perform steps (4-a) and (4-e) above on only one of the members. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event ID: 13552 The File Replication Service is unable to add this computer to the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" This could be caused by a number of problems such as: -- an invalid root path, -- a missing directory, -- a missing disk volume, -- a file system on the volume that does not support NTFS 5.0 The information below may help to resolve the problem: Computer DNS name is "mcgcpdc.co.mchenry.il.us" Replica set member name is "MCGCPDC" Replica set root path is "c:\windows\sysvol\domain" Replica staging directory path is "c:\windows\sysvol\staging\domain" Replica working directory path is "c:\windows\ntfrs\jet" Windows error status code is FRS error status code is FrsErrorMismatchedJournalId Other event log messages may also help determine the problem. Correct the problem and the service will attempt to restart replication automatically at a later time. For more information, see Help and Support Center at Tag: logging IP address of User who authenticates with AD. Tag: 125606
  - 11
    - Drive mapping problem Hi everyone This maybe a simple problem, but i have yet to find an answer! All our users get drives mapped when they logon in the morning. But one user has to re-map one of their drives 90% of the time. There are no errors or explanations as to why he has this problem and all of his other drives map ok. He is using Windows XP and all hardware is the same as the other users Can anyone assist? Thanks Tag: logging IP address of User who authenticates with AD. Tag: 125603
  - 12
    - Trust Hi there, I have 2 forests, a.net and b.net. I have placed a 2-way transitive trust between them. Even though, child1.a.net can't see objects in child1.b.net and vice-versa. What I did was create a shortcut trust between both child domains and that worked fine. I'm still trying to figure out why the 2-way transitive trust did not work as expected. Both domains are 2003 SP1 native mode. -- NetAdmin <SÃ£o Paulo, BR> Tag: logging IP address of User who authenticates with AD. Tag: 125600
  - 13
    - Audit moved computer object? In terms of auditing, can I find out which user moved a computer object from one container/OU to another? Is this type of object auditing turned on if I have audit directory service access turned on in the Default DC Policy or do I have to enable it separately? Is this logged on all DCs or do I have to search each DC individually for the event ID? What event ID would it be? Tag: logging IP address of User who authenticates with AD. Tag: 125593
  - 14
    - Replication Basic Qs Hi: I have root Domain Windows 2003 and have 7 child domains across geographical locations and have about 12 various sites. I have a hub and spoke environment where The central HUB - "AAA" replicates to Various sites. So If I have a Site called Africa; Example: I have a site link called AAA to Africa and it contains site AAA and Africa.. My question is to monitor it effectively using replication monitor... What is the best way?? like to send me email when replication failed.. thanks Tag: logging IP address of User who authenticates with AD. Tag: 125591
  - 15
    - logon script policies we use a combo of batch file and kixtart scripts for our logon process. I'd like to get the logon script process into a GPO as opposed to putting the batch file name in every user profile. First, I just want to confirm this is the best way to do it - I would think so as right now we have many users that don't have the logon script field properly set, most likely because the person who created the account didn't follow the proper steps! Second, Do I need to include all of the logon-script related files in the policy, or is it perfectly acceptable to just add the batch file that does the calling into the policy and include lines like the following in the batch file that calls files in the netlogon share : \\%logonserver%\netlogon\files\kix32.exe \\%logonserver%\netlogon \script.kix or... %0\..\files\kix32.exe %0\..\\netlogon\script.kix ...and speaking of which, are one of the methods better than the other for referring to files in the netlogon share from a logon script?? Thank You!! - JayDee Tag: logging IP address of User who authenticates with AD. Tag: 125586
  - 16
    - one big reverse lookup zone Hi! Our AD has about 26,000 computers. Right now we've got a messy mix of Class B and Class C reverse-lookup zones that I want to clean up. At first I was considering changing them all to class B's and getting rid of the Class C's, but then I was thinking.... what about creating one giant Class A reverse-lookup zone? The entire network is on the same first octet, and none of the addresses are routable on the internet, so in essence we own the entire class A range. Thanks for your opinions... - JayDee Tag: logging IP address of User who authenticates with AD. Tag: 125585
  - 17
    - 1481,1084, 2108 Error NTDS Replication about 3 months until now I have (occasionally occurs) some NTDS Replication Errors, only on 2 DC in the same site... The objects are always on Deleted Objects and related with printers like "CN=PC1-PrinterP1\0ADEL:87a67f33-5ffe-4484-93c7- f02cc6567121,CN=Deleted Objects,DC=bv,DC=org" 1481,NTDS Replication,Internal error: The operation on the object failed. Additional Data Error value: 5 000020D9: SvcErr: DSID-031B0D6F, problem 5001 (BUSY), data 0 1084,NTDS Replication,Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller. Object: CN=PC1-PrinterP1\0ADEL:87a67f33-5ffe-4484-93c7-f02cc6567121,CN=Deleted Objects,DC=bv,DC=org 2108,NTDS Replication,This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged......... help? thkU! Tag: logging IP address of User who authenticates with AD. Tag: 125581
  - 18
    - FYI: Remote Server Administration Tools (RSAT) available for Windows Vista SP1 This is a multi-part message in MIME format. ------=_NextPart_000_003C_01C88ECD.499C2970 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable FYI: Remote Server Administration Tools (RSAT) available for Windows = Vista SP1 see: http://blogs.dirteam.com/blogs/jorge/archive/2008/03/26/remote-server-adm= inistration-tools-rsat-adminpak-for-windows-vista-sp1.aspx --=20 Cheers,=20 (HOPEFULLY THIS INFORMATION HELPS YOU!) # Jorge de Almeida Pinto # MVP Windows Server - Directory Services BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx -------------------------------------------------------------------------= ----------------- * How to ask a question --> http://support.microsoft.com/?id=3D555375 -------------------------------------------------------------------------= ----------------- * This posting is provided "AS IS" with no warranties and confers no = rights!=20 * Always test before implementing! -------------------------------------------------------------------------= ----------------- ################################################# ################################################# -------------------------------------------------------------------------= ----------------- ------=_NextPart_000_003C_01C88ECD.499C2970 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.6001.18000" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DVerdana size=3D2> <DIV><FONT face=3DVerdana size=3D2><FONT size=3D1> <P>FYI: Remote Server Administration Tools (RSAT) available for Windows = Vista=20 SP1</P> <P></FONT></FONT><FONT face=3DVerdana size=3D2>see:</FONT></P></DIV> <DIV><FONT face=3DVerdana size=3D2><A=20 href=3D"">http://blogs.dirteam.com/blogs/jorge/archive/2008/03/26/remote-= server-administration-tools-rsat-adminpak-for-windows-vista-sp1.aspx</A><= /FONT></DIV></FONT></DIV><FONT=20 face=3DVerdana size=3D2> <DIV><BR>-- <BR><BR>Cheers, <BR>(HOPEFULLY THIS INFORMATION HELPS = YOU!)</DIV> <DIV> </DIV> <DIV># Jorge de Almeida Pinto # MVP Windows Server - Directory = Services</DIV> <DIV> </DIV> <DIV>BLOG (WEB-BASED)--> <A=20 href=3D"http://blogs.dirteam.com/blogs/jorge/default.aspx">http://blogs.d= irteam.com/blogs/jorge/default.aspx</A><BR>BLOG=20 (RSS-FEEDS)--> <A=20 href=3D"http://blogs.dirteam.com/blogs/jorge/rss.aspx">http://blogs.dirte= am.com/blogs/jorge/rss.aspx</A><BR>--------------------------------------= ----------------------------------------------------<BR>*=20 How to ask a question --> <A=20 href=3D"http://support.microsoft.com/?id=3D555375">http://support.microso= ft.com/?id=3D555375</A><BR>----------------------------------------------= --------------------------------------------<BR>*=20 This posting is provided "AS IS" with no warranties and confers no = rights! <BR>*=20 Always test before=20 implementing!<BR>--------------------------------------------------------= ----------------------------------<BR>###################################= ##############<BR>#################################################<BR>--= -------------------------------------------------------------------------= ---------------</FONT></DIV></BODY></HTML> ------=_NextPart_000_003C_01C88ECD.499C2970-- Tag: logging IP address of User who authenticates with AD. Tag: 125578
  - 19
    - Active Directory Specialist position available in Gaithersburg MD Hi My name is Firdosh Bhathena and I am a Technical Recruiter with Altek Information Technology Inc. We are looking for acandidate to fill the Active Directory Specialist position in Gaithersburg MD for our client Marriott International This is a long term contract position working for one of our direct clients. Attached is the job description for your reference ,please review the job description and let me know if you are interested . Job Description: *****WE ARE LOOKING FOR AN ENGINEER AS THIS POSITION IS NOT GEARED TOWARDS AN ADMINISTRATOR***** Experience: -Significant experience Administering Active Directory, with very large, multi-domained networks. -Significant experience Programming custom Maintenance/Migration/ Disaster Recovery Scripts and Tools for Active Directory. Core Skills: -VBScript (core language) -ADSI (Active Directory Services Interface, the primary API) -Automation of windows 2000 AD functions (user populations, group/ domain maintenance, bulk loading, DR) -Exchange (Scripting, troubleshooting, integration) -Knowledge of Meta directory structure and JNDI scripting -LDAP protocol (operations and syntax) (Non-proprietary protocol) Kerberos (Architecture, understanding) Please call me when you can to discuss this position in further details and email me a word copy of your resume at the earliest . Thanks Firdosh Bhathena Technical Recruiter ALTEK Information Technology, Inc. Main Number: 301-695-4440, Ext: 108 Cell Phone: 240-447-7742 Fax: 301-695-9390 Email: fbhathena@al-tekinc.com Website: http://al-tekinc.com "ALTEK is a WBENC Certified Women Owned Firm" Tag: logging IP address of User who authenticates with AD. Tag: 125575
  - 20
    - Allow access to registry key Hello, Windows 2003 Active directory Windows XP Pro I want to allow the standard user group be able to have access to a certain key in the registry. Currently Im getting an error "Access to the registry key 'HKEY_LOCAL_MACHINE\Software......' When I change the user access to power user group i dont get this error. Thanks for you help in advaance. Tag: logging IP address of User who authenticates with AD. Tag: 125573
  - 21
    - Query DHCP Lease Duration Information Hi, We want to query for the lease duration of a subnet scope on DHCP server remotely in our product. We don't have clue from where we can read this information in case DHCP server is present on windows 2003 platform. On windows 2000 server we read registry to find all the DHCP subnet information, but that information in not present in registry if DHCP server is on windows 2003 platform. Following things which we tried returned only half information. 1) DhcpGetSubnetInfo API returns only some information like subnet name, comment, and subnet mask. It doesn't give other information like IP range and Lease duration. 2) We tried using COM (DHCPObjs) object (present in Windows 2000 resource toolkit). But it doesn't give Lease duration. Is there any other way to find Lease Duration either through Registry, WMI, dhcp.mdb(DHCP database) or any other source? Any help would be appreciated. Thanks in advance. ~Somesh Tag: logging IP address of User who authenticates with AD. Tag: 125572
  - 22
    - Query DHCP Lease Duration Information Hi, We want to query for the lease duration of a subnet scope on DHCP server remotely in our product. We don't have clue from where we can read this information in case DHCP server is present on windows 2003 platform. On windows 2000 server we read registry to find all the DHCP subnet information, but that information in not present in registry if DHCP server is on windows 2003 platform. Following things which we tried returned only half information. 1) DhcpGetSubnetInfo API returns only some information like subnet name, comment, and subnet mask. It doesn't give other information like IP range and Lease duration. 2) We tried using COM (DHCPObjs) object (present in Windows 2000 resource toolkit). But it doesn't give Lease duration. Is there any other way to find Lease Duration either through Registry, WMI, dhcp.mdb(DHCP database) or any other source? Any help would be appreciated. Thanks in advance. ~Somesh Tag: logging IP address of User who authenticates with AD. Tag: 125571
  - 23
    - There must be an easy answer to this one.. How would i export all avilable attributes (be they populated or not) for a user object? I can view them by scrolling through an accounts properties in ADSI Edit, but i'd like to have them in a single list i can view and make notations on. Even better would be a link that lists all the attributes along with an explanation for each one. ..But i'm not greedy, i'll settle for only the list at this point. Thanks in advance. Tag: logging IP address of User who authenticates with AD. Tag: 125563
  - 24
    - Error lsasvr 40690 Hi all, I have been having this error on one of our domain controler (cut and paste of the event at the end of the post). It's repeated every 1:30 to 2 hours and has been going on for 2 weeks. I have made an extensibe search both on microsoft website and google (web) and I couldn't find anything that apply to this error. I have also made a complete diagnostic of the server with dsdiag, netdiag, nltest and nothing comes out, all diagnostics indicate that the server is fonctionning correctly without any error. The IP configuration is correct, the account is not disabled or erase and at this point I can't figure out what is wrong or if I even need to be worriedÂ. One last thing, it as been a while since the server has been rebooted. I plan on doing it this afternoon and see if it makes a difference. Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40960 Date: 3/25/2008 Time: 1:20:41 PM User: N/A Computer: SHSJDC02 Description: The Security System detected an authentication error for the server ldap/shsjdc02.somewhere.intranet/somewhere.intranet@somewhere.intranet. The failure code from authentication protocol Kerberos was "The referenced account is currently disabled and may not be logged on to. (0xc0000072)". For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 72 00 00 c0 r..Ã? Tag: logging IP address of User who authenticates with AD. Tag: 125561
  - 25
    - export a list of all users including the value of the "pager" field Hi everyone, I want to export a list of all users including the value of the "pager" field, so that I can edit it with Excel for example. Does anyone know how to? Ithink it can be done with an LDAP query? Many thanks, Remco. Tag: logging IP address of User who authenticates with AD. Tag: 125560
- Next
  - 1
    - Adding Win2003 Server R2 to Non-SP Win2003 Server Domain Our sole DC is a W2003 Server without any service packs. The system partition is too small to allow me to SP this machine. I am planning on taking this machine down and replacing drives after I get this new machine up and running. OS on new machine is W2003 Server R2. The AD schema on the existing DC needs to be extended via ADPREP. Questions I have are can the AD Schema be extended regardless of the lack of SP's and does the server require a reboot after running ADPREP? Tag: logging IP address of User who authenticates with AD. Tag: 125553
  - 2
    - Are there any known problems making an existing fileserver second Helllo, i'm want to make my existing fileserver (Windows Server 2003) to a second domain controller. The first domain controller is a Windows Server 2003 R2. Are there any known problems in making an fileserver to a domain controller? Something i should keep an eye on making the fileserver to another DC? -- Thanks & Regards btbadmin Tag: logging IP address of User who authenticates with AD. Tag: 125551
  - 3
    - "Ghost" DC Still Showing Up I'm trying to eliminate AD replication problems we're having. After searching various forums I ran the LDIFDE utility and came back with the following results. My problem is that this server (ghostserver) does not exist anymore. The machine was demoted and removed from the domain several weeks ago. How can I delete this entry? Any help would great be appreciated. dn: CN=ghostserver\0ACNF:ea976bf3-fb37-4de8-b027-94ee547cfe52,OU=Domain Controllers,DC=child,DC=domain,DC=com changetype: add servicePrincipalName: exchangeAB/ghostserver.child.domain.com servicePrincipalName: exchangeAB/ghostserver servicePrincipalName: ldap/ghostserver.child.domain.com/child servicePrincipalName: ldap/ghostserver servicePrincipalName: ldap/ghostserver.child.domain.com servicePrincipalName: ldap/ghostserver.child.domain.com/child.domain.com servicePrincipalName: ldap/0b91889b-c4e5-4a69-a1e6-8cffd0949456._msdcs.domain.com servicePrincipalName: HOST/ghostserver.child.domain.com/child servicePrincipalName: HOST/ghostserver.child.domain.com/child.domain.com servicePrincipalName: GC/ghostserver.child.domain.com/domain.com servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/0b91889b-c4e5-4a69-a1e6-8cffd0949456/child .domain.comservicePrincipalName: NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ghostserver.child.domain.comservicePrincipalName: HOST/ghostserverservicePrincipalName: HOST/ghostserver.child.domain.com Tag: logging IP address of User who authenticates with AD. Tag: 125546
  - 4
    - How to rename domain.com to domain.local? Hi there, I recently posted about was it wrong to use company-name.com as our Forest/Domain and should company-name.local be used. The suggestions were to use .local where possible but as we already have .com I have decided to leave it as everyone said it is OK if not causing problems. I don't actually want to do this or have any plans to but does anyone know how I would go about changing .com to .local and the impacts of doing so including downtime or problems. Thanks. Tag: logging IP address of User who authenticates with AD. Tag: 125532
  - 5
    - demote adc I want to demote my adc, when i try it using dcpromo it gives error like that the operation failed because: Active Directory could not transfer the remianing data in directory partition CN=schema, CN=Configuration, DC=netserv,DC=com to domain controller primaryserver.mydomain.com "The DSA operation is unable to proceed because of a DNS lookup failure" Do you hav any idea why it is caused by? Thanks Tag: logging IP address of User who authenticates with AD. Tag: 125516
  - 6
    - AD DNS Zone question - Dynamic Updates I had someone ask me a question the other day that I wasn't totally sure the answer to. Let's say you have an active directory dns zone, either integrated or primary, and you have dynamic updates turned off. So I realize that no clients will be able to update or create host records in the zone. However, let's say you make domain controller changes, such as bringing up a new DC and making it a GC. Will the SRV records be updated within the zone for the domain controller(s)? Tag: logging IP address of User who authenticates with AD. Tag: 125511
  - 7
    - Main differences between Enterprise CA and Standalone CA ? Hi, one people in my team has made a project with a standalone CA but we are thinking about installing an Enterprise CA as we are using Active Directory. We don't have any special needs actually but the advantage to have the Enterprise CA is the auto-enrollment so we would like to install it for the project and not anymore the standalone CA. My question is, what differences should we have to know about the installation of an Enterprise CA in place of a Standalone CA ? (or more exactly what default options should I have to change on the Enterprise CA to work as if I was using a Standalone CA?) For example, I am thinking about changing the default value of autoenrollment in the Enterprise CA ( Policy Modules/Properties/Set the certificate request status to pending). But is there anything else ? Thank you -- Pascal Tag: logging IP address of User who authenticates with AD. Tag: 125505
  - 8
    - Event ID 8003 on domain controller Hello, every hour i receive eventid 8003 on our domain controller. The master browser has received a server announcement from the computer <NAME OF OUR ISA Server 2006> that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B7545DFC-BA6C-4712-81. The master browser is stopping or an election is being forced. The hostname that is displayed in the error description is the hostname of our ISA Server 2006. How can i get rid of the error message? What is wrong here? Tag: logging IP address of User who authenticates with AD. Tag: 125504
  - 9
    - Replication NTDS Settings I have added additional DC to my domain. And replication process accomplished well, at least i guess it is well. I can see users, i have checked dns it is updated. Both old and new dns services have all and same entries. 1. But I can not see NTDS Settings entries to replicate now process in Sites and Services for my new server. What may be problem? Is it important? And also i have not checked global catalog server for new server. Can it cause this problem? 2. I want to ask another question. can there be two server which is checked as global catalog server in a single domain? or what should i do for this situation? 3. For last question, can i test for transfer roles from old one to newer one at this question? thanks Tag: logging IP address of User who authenticates with AD. Tag: 125500
  - 10
    - Active Directory login seems too fail, shares not corrensponding . Hello people, have abit of a problem, will try to explain below. (I am very new to this so go easy on me). We recently installed a new fiberoptic for WAN communication. In this process we changed our entire network subnet and ip scope. We have a different means of distributing ip-adresses to clients then we had before. Now, everything works fine up to the point when it comes to login in to server from a client. Login scripts, connections to shares - doesn't seem to register upon logon. Running from the server itself it looks fine, no problems there. If one tries to connect to a share from a client the message "networkpath could not be found .. " appears. I can ping the DC, works fine. Run nslookup (dns), works fine and such - but not get the shares to work / run login scripts from clients. Any ideas? I've basically given up on this because I really do not know what to look for or where to start. And it's really not in my job description either. Any help is appreciated. Best regards, T Tag: logging IP address of User who authenticates with AD. Tag: 125499
  - 11
    - Certificate Installation Hi I have to install certificates through Group policy in the following authority Trusted Root Certification Authority: Intermediate Certification Authority: Under the Group policy I am able to successfully import certificates in Trusted Root Certification Authority but I could not find the container for Intermediate Certification Authority Can any one suggest me how to import certifcates in Intermediate Certification Authority and apply the same through Group policy?? Thanks in advance regards Tag: logging IP address of User who authenticates with AD. Tag: 125498
  - 12
    - Empty Subject in outlook Can I prevent the userâ??s send any outlook mail to otherâ??s without subject by apply a group policy in AD .... Tag: logging IP address of User who authenticates with AD. Tag: 125496
  - 13
    - DCDIAG error When I run a DCDIAG on mij W2k3 server I get the following output: Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\ZEUS Starting test: Connectivity The host b6b4dfa9-2dd1-47fd-8a80-24558752ee7f._msdcs.test.local could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc Although the Guid DNS name (b6b4dfa9-2dd1-47fd-8a80-24558752ee7f._msdcs.test.local) couldn't be resolved, the server name (zeus.test.local) resolved to the IP address (10.31.1.160) and was pingable. Check that the IP address is registered correctly with the DNS server. ......................... ZEUS failed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\ZEUS Skipping all tests, because server ZEUS is not responding to directory service requests Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Running partition tests on : test Starting test: CrossRefValidation ......................... test passed test CrossRefValidation Starting test: CheckSDRefDom ......................... test passed test CheckSDRefDom Running enterprise tests on : test.local Starting test: Intersite ......................... test.local passed test Intersite Starting test: FsmoCheck ......................... test.local passed test FsmoCheck What can/must I do to correct this problem? Tag: logging IP address of User who authenticates with AD. Tag: 125493
  - 14
    - Retrieve Users in AD from SQL server Procedure Is it possible to reteive a group of users(not all ) from AD using an SQL query? The users will be placed under folder structures like F1, F2 and i need to extract only those users in F1 and F2. Thnx Tag: logging IP address of User who authenticates with AD. Tag: 125492
  - 15
    - NTDS KCC 1308 Seems like I have some issues with replication... I have an exisiting W2k domain and I have added a secondary DC running W2003 R2 to the domain. Here is the error message I'm receiving on the new secondary DC running Windows 2003. Source: NTDS KCC Category: Knowledge Consistency Event ID: 1308 The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following domain controller has consistently failed. Attempts: 20 Domain controller: CN=NTDS Settings,CN=name,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain name,DC=com Period of time (minutes): 129 The Connection object for this domain controller will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this domain controller resumes, the temporary connection will be removed. Any ideas? /Adde -- fantamejthisisgoodvarjedag Tag: logging IP address of User who authenticates with AD. Tag: 125489
  - 16
    - Network Infrastructure Hi Guys, Hope Im in the right group. Im in a stage of fixing my network. This is my current setup. 1. I have an active directory server, which is mydomain.com, wherein also my DNS and DHCP is located. 2. My subnet is 255.255.255.0 This is my idea. 1. Have these servers: (Need suggestions on these) a. AD Server with DNS Server - is this a good practice? b. DHCP Server with ISA Server - is this a good practice? Other concern: I want my network to have access limitations. Here is a scenario. 1. In our network, only managers can use their laptop to access our network and internet. It can be wired or wireless. Unauthorized laptop should or must not access our network. But from the way the network was setup, they can access it through wire. I can filter the wireless using MAC Address filter from the routers. But if they connect through wire and know how to config TCP/IP they can easily access our network. Can this be avoided through ISA? Is there a way to filter MAC Address through Active Directory? Hope you can help me on this. Thanks in advance. Allan Tag: logging IP address of User who authenticates with AD. Tag: 125487
  - 17
    - Logon as a service, batch job, and act as part of the operating system? Gurus, You know when you install a third-party application which need a domain-level service account to run, and you install the service and then during or after the installation when you tell the service who to log on as, a dialog box pops up and says "XXX service has been given the following rights: ..." I forgot what those rights were. Aren't they: Logon as a service Logon as a batch job Act as part of the operating system? -- Spin Tag: logging IP address of User who authenticates with AD. Tag: 125483
  - 18
    - Parent - Child Domain Trust Relationship - Cannot modify trust Hello, I am not able to modify my trust relationship between a child and parent domain. AD Domains and Trusts setup a two-way Transitive trust - shortcut relationship. I do not want the parent domain trust the child, I do not want users in the child domain to have access to the parent (one-way trust), but the Remove button is grey out and I cann't add a trust because one already exits. There appears to be no option to modify the settings. Second, I attempted three times to create this child domain using Microsoft Docs, it never worked. It doesn't create the child domain zone file, Even though the DNS test during the Child's dcpromo tested good. http://technet2.microsoft.com/windowsserver/en/library/e3f241b5-82a0-4c24-a56a-bfc00ce1b5c21033.mspx?mfr=true After the child domain was created, replication failed due to DNS failure. I ended up manually configuring DNS an setup the Child with DNS delegation. I assume this the only way it will work? I don't know if the problems are related to modifing my trust relationship now. My DNS and DS error event logs went away. http://support.microsoft.com/kb/255248 Thank you for your help. Don Tag: logging IP address of User who authenticates with AD. Tag: 125482
  - 19
    - .adm file Can anyone explain how to create a .adm file? I tried to follow text on: http://download.microsoft.com/download/1/7/2/1725520f-1228-4dff-9c5d-594042475844/regpolicy.doc but it does not make sense. Ehat I have tried so far is to copy and paste from: http://support.microsoft.com/kb/555324 and save it as .adm. But it does import in Group Policy Editor. Tag: logging IP address of User who authenticates with AD. Tag: 125476
  - 20
    - AD/LDAP without the DC? Is it possible to have a live replica of an AD domain without serving as a domain controller? For various reasons (mostly management concerns) we would like to dedicate a server for LDAP queries, but not have the system availble for authentication. We thought about using a DC in a seperate site, but with replication taking 15 minutes between sites (we're still in a Win2K functional level), mgt really didn't like that option. Thanks in advance. Tag: logging IP address of User who authenticates with AD. Tag: 125474
  - 21
    - Lose Authentication Hey, A small problem I've been having lately is that users who are logged on to the domain seem to lose their authentication randomly. They'll suddenly be asked for their password when viewing their e-mail (exchange setup), they can no longer access network drives, and need to reboot 3 times or so until they can even log back into windows after logging out. We have a very simple setup, 2 AD servers with about 20 client machines. I don't beleive is a replication issue or anything like that, but I'm not sure where to even start checking for this issue. Does anybody have any ideas? The server is running Windows 2k3 and the client machines are running Windows XP SP2 (both have the latest updates/hot fixes). Any guidance on where to start trouble shooting would be really appreciated! -Prateek Tag: logging IP address of User who authenticates with AD. Tag: 125462
  - 22
    - Is it possible to add the Domain "Administrators" group to a local Is it possible to add the Domain "Administrators" group to a local adminstratos group on a server? If not, what is the best we to create a group that we can add to local administrators groups on our servers for users who are in a trusted domain? Tag: logging IP address of User who authenticates with AD. Tag: 125461
  - 23
    - Rename DC Hi, The Windows 2003 MCSE Self Paced Training Kit says in order to rename a domain controller you have to use NETDOM.EXE (p.4-19). Is this necessary or can I just rename the DC and reboot? When it comes back up and starts the netlogon service won't it just re-register its SRV records in DNS/AD? Thanks. Riley Tag: logging IP address of User who authenticates with AD. Tag: 125460
  - 24
    - Disaster I redirected My Doc and Desktop folders of my users on my server but faced problems and then i redirected them back to the local user profile but now there is no option in their computers to change the path of My Documents to another drive. "Grant the user Exclusive Rights" option is still selected. Can anybody tell me what is the proper way to revert all the settings? Thanks! Tag: logging IP address of User who authenticates with AD. Tag: 125447
  - 25
    - Domain Controller backup This is a multi-part message in MIME format. ------=_NextPart_000_02C0_01C88DBC.1CF44E00 Content-Type: text/plain; charset="big5" Content-Transfer-Encoding: quoted-printable Hi All I know this may not be practical but I hope someone can advise on my = issue. What has to be backed up from a DC if the domain only has a = single DC in order to recover in case of any failure to that only DC ? = Can a daily backup fully recover the AD at a restore point ? Thanks Johnny ------=_NextPart_000_02C0_01C88DBC.1CF44E00 Content-Type: text/html; charset="big5" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dbig5"> <META content=3D"MSHTML 6.00.6000.16609" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2>Hi All</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>I know this may not be practical but I = hope someone=20 can advise on my issue.  What has to be backed up from a DC if the = domain=20 only has a single DC in order to recover in case of any failure to that = only DC=20 ?  Can a daily backup fully recover the AD at a restore point=20 ?</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>Thanks</FONT></DIV> <DIV><FONT face=3DArial size=3D2>Johnny</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV></BODY></HTML> ------=_NextPart_000_02C0_01C88DBC.1CF44E00-- Tag: logging IP address of User who authenticates with AD. Tag: 125443

I have been tasked with building a small solution that will log the IP
address whenever an Active Directory server authenticates a User.

I know that this capability is not "built in" to Active Directory. But
is there a plugin architecture or something else I can tap into to
build this with .NET or some other programming language?

This must be a server side solution, not client side.

Top

RE: logging IP address of User who authenticates with AD. by ZiadKChafi

ZiadKChafi
Thu Mar 27 02:29:02 PDT 2008

You can enable logging using group policy, just edit the Default Domain
Controllers Policy GPO, go to Computer Management\Windows Settings\Security
Settings\Local Policies\Audit Policy and enable the Audit Logon Events (you
can choose to log successfull or unsuccessfull event) and then you can review
the logs using event viewer
--
Ziad K. Chafi
CompTIA A+, CompTIA N+, MCP, MCDST, MCAS: S, MCSE: S, MCDBA, MCTS, MCT

"mom" wrote:

> I have been tasked with building a small solution that will log the IP
> address whenever an Active Directory server authenticates a User.
>
> I know that this capability is not "built in" to Active Directory. But
> is there a plugin architecture or something else I can tap into to
> build this with .NET or some other programming language?
>
> This must be a server side solution, not client side.
>
>

Top

Re: logging IP address of User who authenticates with AD. by Richard

Richard
Thu Mar 27 08:05:47 PDT 2008

"mom" <jamesd@ring4freedom.com> wrote in message
news:a30582e7-d32e-4ff5-bf71-6c28109996be@s50g2000hsb.googlegroups.com...
>I have been tasked with building a small solution that will log the IP
> address whenever an Active Directory server authenticates a User.
>
> I know that this capability is not "built in" to Active Directory. But
> is there a plugin architecture or something else I can tap into to
> build this with .NET or some other programming language?
>
> This must be a server side solution, not client side.
>

If it helps, I have used logon scripts to track which computers are used by
which users, including IP addresses. I have an example linked here;

http://www.rlmueller.net/Logon5.htm

This only logs the IP address if the logon script runs. If all of your
clients are newer, you can use one of the other methods linked here to
retrieve the IP address in a logon script:

http://www.rlmueller.net/PingComputers.htm

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

Top