question about GPO in domain 2003

Tutorials Win: Microsoft Windows Forum

- Previous
  - 1
    - win 2003 ADS Password change I setup a win 2008 ADS Domain with 2 DC's/DNS & 2 Member machines. The 1st DC plays all FSMO roles. Then I disconnected the 1 DC from the network & logged on from my Member machines to the domain as enterprise admin. I was authenticated by the 2nd DC that was availiable. I then attempted a password change of my enterprise admin AC from my member machine & i was allowed to change the password. Later I brought the 1st DC in the network . Now I could logon as enterprise admin from any of my member machine with the old enterprise admin pwd as well as the new pwd [Strange]. With the old pwd the 1st Dc authenticates me & with the new pwd the 2nd Dc authenticates me. This shouldnt be the case. Could someone explain the strange behaviour? Tag: question about GPO in domain 2003 Tag: 128085
  - 2
    - One DC has died. How to remove it from the DC quorum? One of our 3 DC's has died. How can we demote/remote this DC from Active Directory? Thanks. Tag: question about GPO in domain 2003 Tag: 128074
  - 3
    - Migration inter-forests I have to move users , workstations and security groups from a win2k3 domain to another corporate w2k3 domain (already trusted 2 ways).Servers will not be migrated. Users are really few (35-40) so I would like to know if I can find white papers or simple tools (Quest migration is too complicate) to perform the migration even manually. New users should go on accessing shared resources on a file server of the old domain. Exchange will also remain on the old domain for the moment. TIA Tag: question about GPO in domain 2003 Tag: 128073
  - 4
    - Changing from Novell to Active Directory We have recently done a major system overhaul and changed from using Novell to usin Server 2003 with AD. It has all gone smoothly except for one constant problem on a small number of machines. We are an educational facility and becuse of this the computers the students useare protected using protection cards that return the computers to their previous state at reboot. Even though changes have been saved to the cards and the computers have been accepted as part of the AD network every couple of weeks a few of the computers give a message of not being recognized by the network and the only way to bypass this is by entering as a local administrator and in properties of my computer reassigning the computer to the network(that is to say if the network is called MS it shows in the network tab of the properties as MS.LOCAL so by deleting it you are requested to enter name and password of the network administrator) The computers that are having the problem are all running Win 2000 with one exception that is a computer running XP. ALL the other computers have no problems. We are talking about between 5 - 10 computers here where there are other machines exactly the same make and OS with the same protection cards that have no problems( Approx 15 machines with Win 2000 and about 80 - 100 with XP) Any ideas? Tag: question about GPO in domain 2003 Tag: 128070
  - 5
    - test domain completely offline.. help I just made the biggest mistake ever... here's the situation. I have a test domain(4 DC's across two sites..) I had everything working properly(replication and whatnot) and the vmware esx server that hosted the DC's in my boston site crashed. I had to rebuild and the time ended up being off... I didn't notice this, or notice the replication errors... until after I raised the functional level last night from mixed 2000 to native 2000.. I figured maybe it was something else and let the dc's run overnight.. nothing changed. I just realized that it was a time issue so I fixed the time on the DC's in boston(the dublin DC's were perfectly fine in terms of time..) My dc's from boston jumped from 11/17/2007 to todays date and time(EDT..).. the stupid thing that I did was rebooted all 4 DC's... Now I'm screwed.. I can't RDC into any of them.. and on a console I can log in but I can't do anything AD related. If I open ADI.msc I was getting "the specified domain does not exist or could not be found" and I couldn't manage the domain. DNS was also offline(adi integrated..) I just checked again on the DC that holds the FSMO roles and I can see the domain from the snapin.. as well as the other dc's.. but DNS is still offline. My guess is that the time jump royally screwed everything up. I can RDC into my remote DC's now so that's a better sign.. I just have to figure out why DNS isn't working. I suppose this more turned into a cry/rant than a question, but if anyone has ever experienced similar.. and would like to share.. by all means.. Tag: question about GPO in domain 2003 Tag: 128062
  - 6
    - 2k DC tombstoned what is the best way to recover a recently tombstoned W2k DC? This DC is a does not contain any FSMO roles. The domain functional level is 2k Native. It is a distributed environment conatines 2k and 2k3 DC's. thanks. Tag: question about GPO in domain 2003 Tag: 128033
  - 7
    - One DC cannot boot up due to Directory Services failures We have 3 DC's in our domain. For one of them, we get the following error upon startup: Directory Services could not start because of the following error: The system cannot find the file specified. Error status: 0xc000000f. Please click Ok to shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detail information. We've booted into DS Restore mode, and tried to recover the AD db manually, but also get errors with that: esentutl /r C:\Windows\NTDS\ntds.dit --> Operation terminated with error -1003 (JET_errInvalidParameter, Invalid API parameter) after 0.15 seconds. What can we do to resolve this problem on that DC? If not, can we demote that DC from one of the other DC's? Is it as simple as deleting the server from "Domain Controllers" in ADUC? Thanks in advance, Derek. Tag: question about GPO in domain 2003 Tag: 128029
  - 8
    - ADAM Replica ISSUE I had installed ADAM on a master replica topology. I chose a domain account for the service to use to logon and made that user an admin of the server that ADAM was running on. I noticed on one of our DC's that I was getting a KCC error message for one of the ADAM servers. The event ID was Event Type: Error Event Source: KDC Event Category: None Event ID: 11 Date: 5/2/2008 Time: 10:56:59 AM User: N/A Computer: DC2 Description: There are multiple accounts with name E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/SSERVICE-VM.pennmutual.com:30000 of type DS_SERVICE_PRINCIPAL_NAME. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. I disjoined the machine from the domain, deleted the computer account and then rejoined it to the domain and started the ADAM service with the same doman user account. The service started and was working but replication failed to the replica. I woul dlike to correct this without having to remove ADAM and start over again. Can I just delete the replication objects and force the KCC to rebuild the topology? If I have to uninstall ADAM and start over how do I force it to remove the replica? Please advise... Tag: question about GPO in domain 2003 Tag: 128023
  - 9
    - Secondary DC not registering in DNS I have an active directory domain runnin all Win2003 servers with service pack 2. In this domain I have two DCs. The first domain controller which was also the first DC created in the domain is working fine and has all the proper DNS records. The second DC seems to be working find and I am able to ping it, however, if I take down the first DC I get errors from exchange and other servers saying that a global catalog server is not available. I checked and the second DC is acting as a global catalog but for some reason is not seen when the first DC is taken offline. I ran DCDiag (results are below) and it failed the connectivity test. I thought this was due to DNS entries in the _msdcs section of the forward lookup zone. I am not sure how to fix this. I did note that within the dc section of the msdcs zone only the main DC is listed. This is also apparent in other sections like the gc folder. Has my second DC failed to add it records or is something else going wrong? Any help in this matter would be greatly appreciated Domain Controller Diagnosis Performing initial setup: * Verifying that the local machine arrowdc02, is a DC. * Connecting to directory service on server arrowdc02. * Collecting site info. * Identifying all servers. * Identifying all NC cross-refs. * Found 2 DC(s). Testing 1 of them. Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\ARROWDC02 Starting test: Connectivity * Active Directory LDAP Services Check The host 4ac30e94-0571-42d1-8ee5-e518d1e08079._msdcs.arrowheaddental.com could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc Although the Guid DNS name (4ac30e94-0571-42d1-8ee5-e518d1e08079._msdcs.arrowheaddental.com) couldn't be resolved, the server name (arrowdc02.arrowheaddental.com) resolved to the IP address (192.168.9.12) and was pingable. Check that the IP address is registered correctly with the DNS server. ......................... ARROWDC02 failed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\ARROWDC02 Skipping all tests, because server ARROWDC02 is not responding to directory service requests Test omitted by user request: Topology Test omitted by user request: CutoffServers Test omitted by user request: OutboundSecureChannels Test omitted by user request: VerifyReplicas Test omitted by user request: VerifyEnterpriseReferences Test omitted by user request: CheckSecurityError Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Running partition tests on : arrowheaddental Starting test: CrossRefValidation ......................... arrowheaddental passed test CrossRefValidation Starting test: CheckSDRefDom ......................... arrowheaddental passed test CheckSDRefDom Running enterprise tests on : arrowheaddental.com Starting test: Intersite Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided. ......................... arrowheaddental.com passed test Intersite Starting test: FsmoCheck GC Name: \\arrowdc02.arrowheaddental.com Locator Flags: 0xe00001fc PDC Name: \\arrowdc01.arrowheaddental.com Locator Flags: 0xe00003fd Time Server Name: \\arrowdc02.arrowheaddental.com Locator Flags: 0xe00001fc Preferred Time Server Name: \\arrowdc01.arrowheaddental.com Locator Flags: 0xe00003fd KDC Name: \\arrowdc02.arrowheaddental.com Locator Flags: 0xe00001fc ......................... arrowheaddental.com passed test FsmoCheck Test omitted by user request: DNS Test omitted by user request: DNS -- Darius Sanders -- Darius Sanders Tag: question about GPO in domain 2003 Tag: 128018
  - 10
    - ADAM question Hi, I am new to using ADAM, actually it just got dumped in my lap from a layoff. OK, so the scoop is we have an ADAM server setup, it is NOT connected to our domain but rather a test domain. After further investigation there is no DC in this so called "test domain". Now heres the question. Do we need to have a DC setup in a test domain to have ADAM work? From everything i have been reading today ADAM uses domain accounts, right? So in order to get this software to work it needs to be joined to a domain correct? My apologies for what seems to be an ignorant question. -- fritzkracker ------------------------------------------------------------------------ fritzkracker's Profile: http://forums.techarena.in/member.php?userid=48018 View this thread: http://forums.techarena.in/showthread.php?t=960841 http://forums.techarena.in Tag: question about GPO in domain 2003 Tag: 128016
  - 11
    - Server 2008 and AD problems I've recently installed a Server running 2008 Std Ed. I made it a DC/GC with DNS & WINS. I was checking replication from this server and receive the following: C:\Windows\system32>repadmin /kcc Repadmin: running command /kcc against full DC localhost Default-First-Site-Name Current Site Options: IS_GROUP_CACHING_ENABLED DsReplicaConsistencyCheck() failed with status 8453 (0x2105): Replication access was denied. C:\Windows\system32>repadmin /syncall CALLBACK MESSAGE: The following replication is in progress: From: d11a3242-06a5-468c-9d10-ca94e5398015._msdcs.domain.com To : 14e4cac2-4c16-4833-bf09-2420b554546e._msdcs.domain.com CALLBACK MESSAGE: The following replication completed successfully: From: d11a3242-06a5-468c-9d10-ca94e5398015._msdcs.domain.com To : 14e4cac2-4c16-4833-bf09-2420b554546e._msdcs.domain.com CALLBACK MESSAGE: The following replication is in progress: From: 14e4cac2-4c16-4833-bf09-2420b554546e._msdcs.domain.com To : 7883f05f-3bae-49f1-a0ed-a2f23927e132._msdcs.domain.com CALLBACK MESSAGE: Error issuing replication: 8453 (0x2105): Replication access was denied. From: 14e4cac2-4c16-4833-bf09-2420b554546e._msdcs.domain.com To : 7883f05f-3bae-49f1-a0ed-a2f23927e132._msdcs.domain.com CALLBACK MESSAGE: The following replication is in progress: From: 2a678948-4537-4719-aab0-093b92baa145._msdcs.domain.com To : 7883f05f-3bae-49f1-a0ed-a2f23927e132._msdcs.domain.com CALLBACK MESSAGE: Error issuing replication: 8453 (0x2105): Replication access was denied. From: 2a678948-4537-4719-aab0-093b92baa145._msdcs.domain.com To : 7883f05f-3bae-49f1-a0ed-a2f23927e132._msdcs.domain.com CALLBACK MESSAGE: SyncAll Finished. SyncAll reported the following errors: Error issuing replication: 8453 (0x2105): Replication access was denied. From: 14e4cac2-4c16-4833-bf09-2420b554546e._msdcs.domain.com To : 7883f05f-3bae-49f1-a0ed-a2f23927e132._msdcs.domain.com Error issuing replication: 8453 (0x2105): Replication access was denied. From: 2a678948-4537-4719-aab0-093b92baa145._msdcs.domain.com To : 7883f05f-3bae-49f1-a0ed-a2f23927e132._msdcs.domain.com Any idea as to why I would get an 'Access Denied' when running these checks? Mike Tag: question about GPO in domain 2003 Tag: 128014
  - 12
    - gpinventory how can i use gpinventory.exe which i downloaded from microsoft website? when i run, it says you should put this file with wmiqueries.xml. but i can not find this file. and how can i run gui version? when i try to connect with rsop from mmc it says wmi service is not running on client altough i have run this? Thanks Tag: question about GPO in domain 2003 Tag: 128011
  - 13
    - Deleted a Domain Controller, now what? Hello Everyone, I inadvertantly deleted the WRONG domain controller out of Active Directory the other day. Does anyone have advice on the proper way to get promote this server to a Domain Controller again? Can I demote/promote or will it bomb out when attempt either action? Thanks in advance for any advice... stupid move here that might end up being a LOT of work... Thanks, Sean Tag: question about GPO in domain 2003 Tag: 128009
  - 14
    - RPC_S_CALL_FAILED_DNE WE have 3 DCs with domain based DFS. for some reasons DFS replication is not successful. I run FRSDIAG and got 3 RPC_S_CALL_FAILED_DNE error. I check RPC mapper error for port 135 (with portqry.exe) and it display 110 results. I am not sure that to do to make replication successful? PLease help Tag: question about GPO in domain 2003 Tag: 128008
  - 15
    - ADAM Replication We have built an ADA repositiory and a replica of it on another machine They are the only two instances with in the same site. I have increased the scheduled replication to four times per day. I have been adding objects to the master ADAM instance and see a lag of about a minute before I see the object in the replica residing on another server. Is there a way to make adam replicate faster than that? Please advise... Tag: question about GPO in domain 2003 Tag: 128005
  - 16
    - Resyncing AD Hi, I have a situation. I just got customer who had deployed 2 2K3 AD and had it sync with each other in the local office. however, they split the network between 2 sites and have been making changes on both sites. thus now both site have different database. this has been going on for a while and they did not connect the 2 sites together, thus the AD is not sync. Question: If they connect the network together now and tried to sync the 2 AD, will the different changes made on both AD be sync to each other thus have a single database again? Thanks. Gilbert Tag: question about GPO in domain 2003 Tag: 128002
  - 17
    - AFDS, Domain trust or other? Hello all, I'm falling in a strange question. I've an exchange systems in my domain. Using this exchange system I give a service to my customers outsourcing the exchange. Now, I've to sell this service to another customer. This customers do not want for privacy/security/other reasons to trust its own domain with my one but want to use for every user in its domain the local credential to logon to my exchange service thought outlook and thought owa. If I can use trust googling around I've found AD Federation services, but seems to be that this systems works only for web applications. This can be good for OWA but is unusable for Outlook client. There's another trick to solve this? Thanks Stefano Tag: question about GPO in domain 2003 Tag: 128001
  - 18
    - Ports & Services & Security I'm looking for documentation that links services to ports for security reasons. This is coming for a *nix guy whose only been able to piecemeal/guess-n-check listening & open ports with several netstat tests. One test crippled AD because I had disabled one too many services! (luckily it was a test server). Something like /etc/services for Windows would be grande ... :) Tag: question about GPO in domain 2003 Tag: 127999
  - 19
    - homepage from gpo i have changed homepage of all users from gpo -> user conf -> administrative -> windows comp. ->internet explorer to specific web site which is located locally. some users have updated this new policy but some others polcies can not be changed. Only change is changing homepage is disabled. How can i force all domain users have affected this new policies? Thanks Tag: question about GPO in domain 2003 Tag: 127997
  - 20
    - Problem deleting an unknown object in a group Hi, We have a problem with our A.D. We have 9 DC in 8 different sites. All DC are W2K3 Std R2 SP2 with all hotfixes. Domain functionnal level is Windows Server 2003. We have a GPO that use Restricted Groups to set members of the Built-In Administrators group. We have an event in Application Event Log on all DC. SceCLI event #1202 : "Security policies were propagated with warning. 0x4b8 : An extended error has occurred." I've enabled debug logging for the Security Configuration client-side extension and I have found this error in Winlogon.log : remove SID: S-1-5-21-1047738115-132384186-1539857752-500. Error 1377: The specified account name is not a member of the local group. error removing SID: S-1-5-21-1047738115-132384186-1539857752-500. This SID is an object from a trusted domain. The trust has been deleted and we forgot to remove it from the GPO before deleting the trust. When I go directly to the Administrators group and I try to delete the member manually, I receive this warning after clicking on Apply : The object is no longer a member of this group. It may still appear due to standard delays in replication between domain controllers. I've done this yesterday and I have this message again this morning, so I know it is not a replication delay. In the ForeignSecurityPrincipals container, I can see the object. Ca I delete the object directly in this place ? Will this result in removing the object from the Administrators group ? Can this cause other issue ? If yes, what should I do to remove the object from the Administrators group ? Thank you very much, Dominic Tag: question about GPO in domain 2003 Tag: 127987
  - 21
    - Licensing Computer for each site? Hi all, I run a Win2K3 domain. I noticed that you can choose a Licensing Computer for each site. I have never configured one for any of my sites including the default one. What is it for? Do I need to set one up? We are using per-device licensing. But the only thing I have ever done is choose the per-device radio-button when installing a server and thats it. Any help is appreciated, thanks. Robert Tag: question about GPO in domain 2003 Tag: 127982
  - 22
    - AD Sites And Services I have set up three sites for our three DCs. I have moved each of the DCs to the correct site, Default-First-Site-Name to Site A, Site B, Site C for DC A, DC B, and DC C. Now can I delete the Default-First-Site-Name without any issues? TIA John Tag: question about GPO in domain 2003 Tag: 127975
  - 23
    - ADAM Space Usage I recently received a notification from our Server Administrators that the available space on an ADAM server is running low. I have been monitoring the server and noticed that the size of the .dit file has not changed for several days, eventhough we add hundreds of records a day. How is storage allocated to ADAM? Does ADAM allocate blocks of storage, uses it as it seams fit and grabs additional blocks when it determines it is running low? If so, how much does it allocate at a time, xx kb, yy%? Tag: question about GPO in domain 2003 Tag: 127970
  - 24
    - Primary restore on differente hardware Recently I've attempted to perform a Windows Server 2003 DC Primary Restore, originally installed on an HP Proliant ML310 server - PIV 2,4 GHz - N.2 SCSI Disk - N. 2 Nic - 512 MB RAM, on a new HP Proliant ML110 G5 server - Pentium 1,8 GHz Dual Processor - N. 2 SATA Disk - N.2 NIC card - 512 MB RAM. But when the restore was completed (using NTBackup) and the new server was restarted was impossible to use mouse or keyboard that where completly inactive. Then I've restarted the server in safe mode but mouse and keyboard was inactive too. I've tried to use USB mouse and keyboard (not PS2) but the result was the same. At this point I've finded on microsoft KB that this is a problem related to different hardware on the two server and was suggested to perform an "upgrade on place" of the Operating System by the original CD. By this way it was possible to restore the server. But the question is: for the next years, having on my networks (I'm a Network consultant for many Companies and SMB) many servers 4-5 years old (as the Proliant ML310) when they well be too old or irremediably damaged well be possible to restore their system on new (very different) servers? Thanks in advance. Ing. Cosimo MERCURO Tag: question about GPO in domain 2003 Tag: 127969
  - 25
    - Locate the computer by using login ID information Hi, I want to know how to search for the computer name in an AD when I have only user login ID information on hand. No WINS, only DHCP and DNS. Any idea? Thanks in advance. Pakeon Tag: question about GPO in domain 2003 Tag: 127964
- Next
  - 1
    - Is there a restriction on number of characters for user name Can someone please confirm if there is restriction of number characters for user name. User has 23 characters in username (firstname.lastname) and can't login, however user is able to login with using first 20 characters. Many thanks Tag: question about GPO in domain 2003 Tag: 127963
  - 2
    - windows 2000 mixed to windows 2000 native question I'm about to promote my domain to windows 2000 native and had a few questions. We have 6 domain controllers.. 4 windows 2000 SP4 and 2 windows 2003 (one is r2 sp2..) the other I believe is just win2k3 sp2. I just finished cleaning up the AD metadata with ntdsutil for all our old DC's that don't exist. We have no NT4 machines in our domain(all are 2000+).. I've read that I initiate the change from the DC that holds the FSMO and pdc emulator roles... so im clear on that.. what im not clear on is.. I read someplace that "all DC's need to be rebooted after they display "native mode" after the domain level is raised on the PDC emulator." I've been working on this sporadically... so it is entirely possible that I dreamt this one night during an AD nightmare... I just spent an hour trying to find this blurb on the net.. and I can't which is why I think I dreamt it.. any thoughts there would be appreciated.. When I raise the domain functional level to windows 2000 native.. will the forest functional level automatically be raised? or do I need to raise that separately? Will it really be as simple as raising the level on my one win2k3 DC(which is the fsmo/pdc emu dc..) and just watching replication occur? I think I'm over exciting myself for this and looking for crazy things to happen when it should be a non-event. Tag: question about GPO in domain 2003 Tag: 127959
  - 3
    - Exchange Settings Folder (Sorry that I have to post here as I posted it to exchange admin already. I do not know how to link the post.) Hi all, Today, I open Active Directory Sites and Services and found Exchange Settings folder under the first windows2K DC of servers of sites. Exchange settings shows 0 objects. Is Exchange Settings folder supposed to be in the AD sites and settings? Can I delete it since it shows 0 objects? Just wonder: I switched all roles to Windows 2003 DCs and why it shows under the first windows 2000 DC? (windows 2003 and windows 2000 mixed DC envir.) Thank you. Tag: question about GPO in domain 2003 Tag: 127947
  - 4
    - Users denied access to their folders I'm running Windows 2003 Server with Active directory and using folder redirection to a network share for their My Documents folders. The security is set to them having full access priveleges to their own folder. About 4 months ago, users have started to be denied access to their folders...this seems to be random. We have multiple users that use common computers. When I look at their home folders, the permissions that have disappeared vary. I've tried everything I can think of..even lag times but nothing seems to be working. Does anyone have any ideas? -- Leisha Tag: question about GPO in domain 2003 Tag: 127946
  - 5
    - Migrate Active Directory from Win2k to Win2003 I have an older server (Win2k) that has all 5 FSMO roles at the moment. I would like to move these roles to a new Win2003 server that is already joined to the domain. I have already run the adprep / forestprep and adprep /domainprep on teh older server using the 2003 disk. I tried soon after to add the new server as a secondary DC but it still gives me an error. Did I just not wait long enough for the changes to populate? I did not receive any errors through either domainprep or forestprep. And to continue, if enough time passes and it allows me to add the Win2003 server as a secondary DC, I then just need to promote it once I verify all the AD data has moved properly? Tag: question about GPO in domain 2003 Tag: 127943
  - 6
    - Scripting add users from file Hi, I want to put in place a facility where a member of staff can add users which are listed in a spreadsheet into AD into specific OUs and Groups. Some users will need to be mail enabled but not all. What process would be quickest and most efficient to learn so I can achieve this? Should I use PowerShell, or vbscript or is there something else I should be using, perhaps a combination of apps are required. Please only suggest free tools, and if possible an informatin resource for this task. I have limited programming experience, but also understand I am going to have to learn more about scripting to manage our AD infrastructure. Thanks in advance for your ideas. Pete. Tag: question about GPO in domain 2003 Tag: 127938
  - 7
    - Time Server Question - Please Help Dear All, I have a Windows 2003 Native domain with three domain controllers. In this example I will simply refer to them as DC1, DC2 and DC3. DC1 was originally the PDC Emulator for the domain after some rejuggling of the FSMO roles the PDC Emulator role was transferred to DC2. After running a DCDIAG I noticed that DC1 was still the preferred time server. I have since changed time server related registry changes on DC2 to match DC1 and stopped and started the time service on DC2 to reflect the changes. I have since run w32tm on DC1 to change the configuration on this original PDC Emulator. Now when I run DCDIAG on any of the three DC's I find DC2 is the preferred Time Server which is what I required. My question is though DC1 and DC3 still advertise as Time Servers is this desirable??? They do list DC2 as the preferred Time Server but it would appear they advertise as Time Servers themselves still. Can this cause issues? Or is it beneficial? If it isn't desirable can you explain how I remove this feature from them so DC2 is the only Time Server. Regards, Darren Tag: question about GPO in domain 2003 Tag: 127937
  - 8
    - Set Logon Server I have a 2003 domain with 2 DC's and they are both in the Default First Site. 1 in the main office holds all the roles and the other one is in a branch office is basically for logon purposes to cut WAN traffic. I did a SET command on a computer in the branch office and noticed that the logon server reported the one in the main office. I also have a remote office with 3 computers in it with no server and they come all the way back to the main server when they are closer to the branch office. IS there a group policy I can set to make them login to the closet server or do I have to create sites? If so - how do I get the remote office with 3 computers to log into the branch site? -- Thanks in Advance - Marcus Tag: question about GPO in domain 2003 Tag: 127934
  - 9
    - Win 2008 RODC in Win 2003 Domain We have win 2003 domain. since we have branch offices, so we want to take benefit of win 2008 RODC feature. we want to install win 2008 RODC for our branch offices. The question is, for RODC, do we need to also have a writable win 2008 domain controller in our domain or win 2003 DC would work in such case ?????? Second question is, what all steps do we need to take for introducing win 2008 RODC in our win 2003 domain. For your info. our forest n domain functional level is "Win 2003" Looking forward to your support. Tag: question about GPO in domain 2003 Tag: 127933
  - 10
    - Moving a certificate Authority Certificates are not my thing :-) I'm on a network that was a one DC forest a few years ago (Windows 2003 server, fully patched...). Certificate services were installed for internal use for EFS and then WSUS. NOw the network is expanded and there's a desire to use a VM DC and put certificate services on there instead. howver the standard migration process rquires the original server to be decommissioned or renamed. That cannot happen as it still host F&P and other stuff, that would a PITA to relocate now (and is not really needed!) So, I'm familiar with KB 298138 now, but this does not give me a "keep the old server". I guess it's impossible now, but just in case does anyone have knowledge out there that isn't on google or support? Thanks, Peter Tag: question about GPO in domain 2003 Tag: 127932
  - 11
    - Mapped drives and DFS shares Hi, due to the limitation of mapped drives what else can I use to map drives for users, as we have over 2o drives mapped, overall? Tag: question about GPO in domain 2003 Tag: 127928
  - 12
    - AD Sites and Services Design Question Hello, Here is my scnario. We have 2 Sever 2003 Native mode forests connected by a forest to forest trust. We'll call them USA and Asia. Users in Asia need to connect to resources in the USA forest. We have tested this and the Asia users are complaining of slow logons and authentication when they access the resources. To help alleviate this pain we have decided to put an Asia DC here in the USA. We already have the subnet that this domain controller will go in to defined here in the USA sites and services. Will it be a problem to define it again in the Asia Forest? My thoughts were no as this seems to be a per forest configuration and should not affect anything we already have configured. I just wanted to get some verifciation from some other professionals. Thanks in advance! Tag: question about GPO in domain 2003 Tag: 127926
  - 13
    - Security groups and Folder permissions Hello all, I have to clean up a mess made by a former administrator. I have many security groups defined in AD that I have been asked to go through review/cleanup. I was wondering if there is a utility that I can run against security groups that will list which folders they are providing permissions to. The goal is to eliminate any duplication or unnecessary security groups. I would hate to think the only way to get the information is to look at Sharing & Security permissions of every folder. Thanks Tag: question about GPO in domain 2003 Tag: 127925
  - 14
    - AD advanced search I am looking to get a list of all users that have a quote that is not the default store? Is there a way to search that in active directory or any free tools? Tag: question about GPO in domain 2003 Tag: 127917
  - 15
    - replication issue - event id 1988 Hi - I have 2 Windows 2003 Servers Standard on SP2 together on a local network. They are both DCs. ACCPAC is the problem DC it appears. ACCPAC's Active directory is not updating with SHPMSSERVER. I'm past the 60 day Tombstone Limit so I edited the registry to Allow Replication With Divergent and Corrupt Partner on ACCPAC. Now I'm getting lingering object errors (event id 1988) So I ran this command: repadmin /removelingeringobjects accpac. stanleyhotel.com 4c83796c-4928-4340-b0cd-3a4c3570b765 DC=stanleyhotel,DC=com RemoveLingeringObjects sucessfull on accpac.stanleyhotel.com. It says its successful but keeps reporting the 1988 error a few minutes later. Can any one shed some light on this issue? Thanks in advance. Here is the repadmin/showrepl command. repadmin running command /showrepl against server localhost Default-First-Site-Name\ACCPAC DC Options: (none) Site Options: (none) DC object GUID: 7ed498a2-8bfe-4cee-8c73-a9abe0fbacbb DC invocationID: dfe0a089-0e53-440f-9035-270d0dde8ac6 ==== INBOUND NEIGHBORS ====================================== DC=stanleyhotel,DC=com Default-First-Site-Name\SHPMSSERVER via RPC DC object GUID: 4c83796c-4928-4340-b0cd-3a4c3570b765 Last attempt @ 2008-04-30 19:40:25 failed, result 8606 (0x219e): Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected. 58606 consecutive failure(s). Last success @ 2008-02-04 14:32:51. CN=Configuration,DC=stanleyhotel,DC=com Default-First-Site-Name\SHPMSSERVER via RPC DC object GUID: 4c83796c-4928-4340-b0cd-3a4c3570b765 Last attempt @ 2008-04-30 18:59:13 was successful. CN=Schema,CN=Configuration,DC=stanleyhotel,DC=com Default-First-Site-Name\SHPMSSERVER via RPC DC object GUID: 4c83796c-4928-4340-b0cd-3a4c3570b765 Last attempt @ 2008-04-30 18:55:09 was successful. Source: Default-First-Site-Name\SHPMSSERVER ******* 58597 CONSECUTIVE FAILURES since 2008-02-04 14:32:51 Last error: 8606 (0x219e): Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected. Tag: question about GPO in domain 2003 Tag: 127914
  - 16
    - Group Policy and Office 2007 Are there any updates planned to be able to install Office 2007 with Group Policy? Tag: question about GPO in domain 2003 Tag: 127909
  - 17
    - Computers not in Active Directory printing to Active Directory print Hello all, I am lost on this one. Is there a way to have non Active Directory machines (XP) print to printers through an Active Directory printer server? Sort of like the print services for nix that allow unix machines to print through Active Directory. Does the print services for nix basicly turn the print server into a cups server for unix clients? Is there a way to set up XP machines to print that way? Are there any security settings that block this and if so can they changed to allow it? I understand that it would not very wise to allow anybody to print through Active Directory. Thanks for your help Tag: question about GPO in domain 2003 Tag: 127905
  - 18
    - Set MS Word Margins through GPO or otherwise Sorry if I posted this in the incorrect discussion group, couldn't find a good discussion group to post this question on. I have been asked if it's possible to create a GPO that sets the margins on MS Word 2003. I have installed the Word ADM on my Windows 2003 Server, but it doesn't look like its possible through the ADM. If anyone knows of a GPO on how to set the margins for MS Word, or someway of doing this please let me know. Thanks, Frank Tag: question about GPO in domain 2003 Tag: 127903
  - 19
    - Bulova Marine Star Mens 100 Meter Stainless Steel Watch 96B28 - Bulova Marine Star Mens 100 Meter Stainless Steel Watch 96B28 - Cheapest Watch Bulova Marine Star Mens 100 Meter Stainless Steel Watch 96B28 Link : http://www.watchesprice.net/Bulova-Marine-Star-Mens-100-Meter-Stainless-Steel-Watch-96B28-1456.html Cheap Watches Home : http://www.watchesprice.net/ Lower Price Bulova Brands : http://www.watchesprice.net/Bulova-Watches.html Bulova Marine Star Mens 100 Meter Stainless Steel Watch 96B28 --- one of best selling watches, it is crafted in high quality Watches. Bulova Marine Star Mens 100 Meter Stainless Steel Watch 96B28 Description: Features: ~Stainless Steel Case and Bracelet ~White Dial ~Date Calendar ~Luminous Hands and Hour Markers ~Water Resistant to 100 Meters ~ ~Unidirectional Rotating Bezel ~Mineral Crystal ~Japan Quartz Movement ~Deployment Clasp Bulova Marine Star Mens 100 Meter Stainless Steel Watch 96B28 Details: Watches-Price Sales Rank: #63396 in Watches Brand: Bulova Band material: stainless-steel Bezel material: stainless-steel Case material: stainless-steel Clasp type: deployment-buckle Dial color: White Dial window material: mineral Movement type: quartz Water-resistant to 100 meters The Same Bulova Series : Bulova Marine Star Mens 100 Meter Stainless Steel Watch 96B58 : http://www.watchesprice.net/Bulova-Marine-Star-Mens-100-Meter-Stainless-Steel-Watch-96B58-1457.html Bulova Marine Star Mens 100 Meter Stainless Steel Watch 96B74 : http://www.watchesprice.net/Bulova-Marine-Star-Mens-100-Meter-Stainless-Steel-Watch-96B74-1458.html Bulova Marine Star Mens 100 Meter Two Tone Watch 98B57 : http://www.watchesprice.net/Bulova-Marine-Star-Mens-100-Meter-Two-Tone-Watch-98B57-1459.html Bulova Marine Star Mens 100 Meter Two Tone Watch 98B80 : http://www.watchesprice.net/Bulova-Marine-Star-Mens-100-Meter-Two-Tone-Watch-98B80-1460.html Bulova Marine Star Mens 100 Meter Two Tone Watch 98C55 : http://www.watchesprice.net/Bulova-Marine-Star-Mens-100-Meter-Two-Tone-Watch-98C55-1461.html Bulova Marine Star Mens 100 Meter Two Tone Watch 98H00 : http://www.watchesprice.net/Bulova-Marine-Star-Mens-100-Meter-Two-Tone-Watch-98H00-1462.html Bulova Marine Star Mens Stainless Steel 100 Meter Watch 96G02 : http://www.watchesprice.net/Bulova-Marine-Star-Mens-Stainless-Steel-100-Meter-Watch-96G02-1463.html Bulova Marine Star Mens Titanium 100 Meter Two Tone Watch 98G00 : http://www.watchesprice.net/Bulova-Marine-Star-Mens-Titanium-100-Meter-Two-Tone-Watch-98G00-1464.html Tag: question about GPO in domain 2003 Tag: 127902
  - 20
    - Bulova Watches, Bulova Ladies' Sport Marine Star Chronograph Two Tone Bulova Watches, Bulova Ladies' Sport Marine Star Chronograph Two Tone Mother of Pearl Dial Women's Watch - Cheapest Watch Bulova Watches, Bulova Ladies' Sport Marine Star Chronograph Two Tone Mother of Pearl Dial Women's Watch Link : http://www.watchesprice.net/Bulova-Watches--Bulova-Ladies-Sport-Marine-Star-Chronograph-Two-Tone-Mother-of-Pearl-Dial-Womens-Wat-2207.html Cheap Watches Home : http://www.watchesprice.net/ Lower Price Bulova Brands : http://www.watchesprice.net/Bulova-Watches.html Bulova Watches, Bulova Ladies' Sport Marine Star Chronograph Two Tone Mother of Pearl Dial Women's Watch --- one of best selling watches, it is crafted in high quality Watches. Bulova Watches, Bulova Ladies' Sport Marine Star Chronograph Two Tone Mother of Pearl Dial Women's Watch Description: no Bulova Watches, Bulova Ladies' Sport Marine Star Chronograph Two Tone Mother of Pearl Dial Women's Watch Details: Brand: Bulova Band material: stainless-steel Bezel material: stainless-steel Case material: stainless-steel Clasp type: deployment-buckle Dial color: mother-of-pearl Dial window material: anti-reflective-sapphire Movement type: Quartz Water-resistant to 99 feet The Same Bulova Series : Bulova Watches, Bulova Ladies' Sport Marine Star Mother of Pearl Dial Diamond Bezel Women's Watch : http://www.watchesprice.net/Bulova-Watches--Bulova-Ladies-Sport-Marine-Star-Mother-of-Pearl-Dial-Diamond-Bezel-Womens-Watch-2208.html Bulova Watches, Bulova Ladies' Sport Marine Star Mother of Pearl Dial Diamond Bezel Women's Watch : http://www.watchesprice.net/Bulova-Watches--Bulova-Ladies-Sport-Marine-Star-Mother-of-Pearl-Dial-Diamond-Bezel-Womens-Watch-2209.html Bulova Watches, Bulova Ladies' Sport Marine Star Mother of Pearl Dial Diamond Bezel Women's Watch : http://www.watchesprice.net/Bulova-Watches--Bulova-Ladies-Sport-Marine-Star-Mother-of-Pearl-Dial-Diamond-Bezel-Womens-Watch-2210.html Bulova Watches, Bulova Ladies' Sport Marine Star Mother of Pearl Dial Diamond Markers Diamond Bezel Women's Watch : http://www.watchesprice.net/Bulova-Watches--Bulova-Ladies-Sport-Marine-Star-Mother-of-Pearl-Dial-Diamond-Markers-Diamond-Bezel-W-2211.html Bulova Watches, Bulova Ladies' Sport Marine Star Mother of Pearl Dial Diamond Markers Diamond Bezel Women's Watch : http://www.watchesprice.net/Bulova-Watches--Bulova-Ladies-Sport-Marine-Star-Mother-of-Pearl-Dial-Diamond-Markers-Diamond-Bezel-W-2212.html Bulova Watches, Bulova Ladies' Sport Marine Star Mother of Pearl Dial Diamond Markers Diamond Bezel Women's Watch : http://www.watchesprice.net/Bulova-Watches--Bulova-Ladies-Sport-Marine-Star-Mother-of-Pearl-Dial-Diamond-Markers-Diamond-Bezel-W-2213.html Bulova Watches, Bulova Ladies' Sport Marine Star Mother of Pearl Dial Diamond Markers Rotating Bezel Women's Watch : http://www.watchesprice.net/Bulova-Watches--Bulova-Ladies-Sport-Marine-Star-Mother-of-Pearl-Dial-Diamond-Markers-Rotating-Bezel--2214.html Bulova Watches, Bulova Ladies' Sport Marine Star Mother of Pearl Dial Diamond Markers Women's Watch : http://www.watchesprice.net/Bulova-Watches--Bulova-Ladies-Sport-Marine-Star-Mother-of-Pearl-Dial-Diamond-Markers-Womens-Watch-2215.html Tag: question about GPO in domain 2003 Tag: 127901
  - 21
    - UNC Problem Hi, I have an environment with one DC and 2 DC Replica under x.local namespace, for example. I can access DC 1 to DC2 and vice-versa by \\dc1 or \\dc2 but I cannot access DC2 to DC3 from \\dc2 or \\dc3 sharing. I can access DC1 to DC3 by \\dc1 or \\dc3 sharing. I can ping and solve the name from IP to any DCÂ´s. DC1 is W2K (PDC, RID, PID, Infrastructure), DC2 is W2K3 x64 (Schema Master) and DC3 is W2K3 R2. In Netdiag show me the LDAP problem with DC2 and DC3 and in DC2 there is KDC event error. Anyone can help me? Luiz Tag: question about GPO in domain 2003 Tag: 127899
  - 22
    - Problem In IP Consider that : there are 11 lan as follow: Lan A Server A: 192.168.0.1 /24 Clients In Lan A 192.168.0.0/24 Lan B Server B: 192.168.1.1 /24 Clients In Lan B 192.168.1.0/24 ..... Lan K: Server K:192.168.10.1/24 Clients In Lan K 192.168.10.0/24 There Are Point To Multi Point Connection From Lan A To Other Lans: B,C,D,K (ADSL Connection) How Can My Clients In Lan B See Server A But Clients In Lan B And Lan A Can't See Each other. There is the same question for lan C with Lan A.: Clients In Lan C See Server A But Clients In Lan C And Lan A Can't See Each other. And Lan D With Lan A And ... Tag: question about GPO in domain 2003 Tag: 127895
  - 23
    - Account properties question... Hi all; Please consider the following scenario: I have several users that I want to change the properties of them at once. So, I select them in the Active Directory Users and Computers console and then right-click on them and select properties. Right? Now I navigate to the Account tab. I want to enable the "Password Never Expires" option. But interestingly I see two check boxes which one of them is dimmed. Why there are two check boxes instead of one? http://img.villagephotos.com/p/2007-10/1282638/AccountOptions.JPG Thanks Reza Tag: question about GPO in domain 2003 Tag: 127890
  - 24
    - How find user "user1" in multi domain environ through programming I have check vbscript. But confuse how to set the parameters. What naming context should I use. Here is some code: Set objRootDSE = GetObject("LDAP://RootDSE") strConfigurationNC = objRootDSE.Get("configurationNamingContext") strFilter = "(&(objectclass=user)(objectcategory=person)(CN=user1));" or strFilter ="(objectcategory=ForeighSecurityPrinciPal)(CN=user1));" strBase = "CN=Wellknown Security Principals" & strConfigurationNC strScope = "subtree" Thx Tag: question about GPO in domain 2003 Tag: 127887
  - 25
    - Userenv on new DC's Whenever we bring up a new domain controller in our 2003 env. the DC logs the following error Source: Userenv Event ID: 1054 Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. DCDIAG, NETDIAG, NLTEST, etc all come back 100% with no errors. I enabled verbose logging on one of the DC's and I get the following: USERENV(174.1198) 10:34:42:963 ProcessGPOs: USERENV(174.1198) 10:34:42:963 ProcessGPOs: USERENV(174.1198) 10:34:42:963 ProcessGPOs: Starting computer Group Policy (Background) processing... USERENV(174.1198) 10:34:42:963 ProcessGPOs: USERENV(174.1198) 10:34:42:963 ProcessGPOs: USERENV(174.1198) 10:34:42:963 EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags 0x0 USERENV(174.1198) 10:34:42:963 EnterCriticalPolicySectionEx: Machine critical section has been claimed. Handle = 0xa98 USERENV(174.1198) 10:34:42:963 EnterCriticalPolicySectionEx: Leaving successfully. USERENV(174.1198) 10:34:42:963 ProcessGPOs: Machine role is 3. USERENV(174.1198) 10:34:42:963 PingComputer: PingBufferSize set as 2048 USERENV(174.1198) 10:34:42:963 PingComputer: Adapter speed 10000000 bps USERENV(174.1198) 10:34:42:963 PingComputer: First time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: Second time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: First and second times match. USERENV(174.1198) 10:34:42:963 PingComputer: First time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: Second time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: First and second times match. USERENV(174.1198) 10:34:42:963 PingComputer: First time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: Second time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: First and second times match. USERENV(174.1198) 10:34:42:963 PingComputer: No data available USERENV(174.1198) 10:34:42:963 PingComputer: PingBufferSize set as 2048 USERENV(174.1198) 10:34:42:963 PingComputer: Adapter speed 10000000 bps USERENV(174.1198) 10:34:42:963 PingComputer: First time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: Second time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: First and second times match. USERENV(174.1198) 10:34:42:963 PingComputer: First time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: Second time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: First and second times match. USERENV(174.1198) 10:34:42:963 PingComputer: First time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: Second time: -3 USERENV(174.1198) 10:34:42:963 PingComputer: First and second times match. USERENV(174.1198) 10:34:42:963 PingComputer: No data available USERENV(174.1198) 10:34:42:963 ProcessGPOs: DSGetDCName failed with 59. USERENV(174.1198) 10:34:42:963 ProcessGPOs: No WMI logging done in this policy cycle. USERENV(174.1198) 10:34:42:963 ProcessGPOs: Processing failed with error 59. USERENV(174.1198) 10:34:42:963 LeaveCriticalPolicySection: Critical section 0xa98 has been released. USERENV(174.1198) 10:34:42:963 ProcessGPOs: Computer Group Policy has been applied. USERENV(174.1198) 10:34:42:963 ProcessGPOs: Leaving with 0. USERENV(174.1198) 10:34:42:963 EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags 0x0 USERENV(174.1198) 10:34:42:963 EnterCriticalPolicySectionEx: Machine critical section has been claimed. Handle = 0xa98 USERENV(174.1198) 10:34:42:963 EnterCriticalPolicySectionEx: Leaving successfully. USERENV(174.1198) 10:34:42:979 LeaveCriticalPolicySection: Critical section 0xa98 has been released. USERENV(174.1198) 10:34:42:979 GPOThread: Next refresh will happen in 5 minutes The one thing that stands out to me is the pingbuffer size looks like it is failing and GSGetDCName failed with 59. At first it sounded like a dns issue but when i run nltest /dsgetdc:domain.com i get the correct results. I can ping and browse by name and i can browse to the sysvol share without any problems. Does anyone see anything I may be missing? Thanks in advance Tag: question about GPO in domain 2003 Tag: 127882

Hi

I have an OU with "Block Inheritance" is tagged.
I have a server 2003 R2 SP2 in this OU, I configured the local GPO of this
server(security optins),
when I'm running the RSOP on this server I get "NOT definded", I run the
GPUPDATE command, did'nt solv the problem.
why is that?

Lior

Top

Re: question about GPO in domain 2003 by Meinolf

Meinolf
Mon May 05 07:20:01 PDT 2008

Hello ?????.?,

Last applied policy's are OU, Domain, Site, local, so even if you block the
policy on OU level it applies the policy one level higher, either another
OU or the Domain policy or Site. And as long as the computer is in the domain
it will not use the Local policy.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi
>
> I have an OU with "Block Inheritance" is tagged.
> I have a server 2003 R2 SP2 in this OU, I configured the local GPO of
> this
> server(security optins),
> when I'm running the RSOP on this server I get "NOT definded", I run
> the
> GPUPDATE command, did'nt solv the problem.
> why is that?
> Lior
>

Top

Re: question about GPO in domain 2003 by Marcin

Marcin
Mon May 05 10:14:59 PDT 2008

Lior,
in order to verify whether the local GPO Security Options have been applied
(and how they differ from domain-based ones), you can use Security
Configuration and Analysis utility.
Note that while local GPO is processed in a domain environment, its settings
have always the lowest priority (you can verify this by checking content of
General tab of the Computer Configuration Properties dialog box in the RSoP
console)

hth
Marcin

Top