Windows 2008 R2 Domain Controller, Tracking of helpdesk staff invloved in unlock account, password reset
Dear All,
We recently gave permissions to group of level 1 staff to unlock OR reset password of users. In case user calls and report his account is locked OR if his password expires.
I want to track by auditing just in case something goes wrong, I can check in auditing. I have created a new GPO and select success/failure for Computer Config > Windows Settings > Security Settings > Local Policies > Audit Policy "Audi
Account Management"
applied it on domain top level and I did not changed settings of 'default Domain Policy' which is also linked on top level of domain.
But after applying this I am unable to see any event 4724 of password re-set when I attempted to test this GPO. What else is required to be done in order to trace users in group 'level1' if they change any body password.
Please assist.
thank you
Hello,
Total two DC's in our environment. But now I figured out and it is working now. It was supposed to set in Advanced audit policy > User account management, I enabled it for success and failure and my newly created GPO is applied on domian top in addition
to default domain policy.
I am able to see unlock events, password change events in my security log. So, it is working.
Thank you,
Wajeeh
Similar Messages
-
Windows 2008 R2 Domain Controller (PDC) - NTP server - time showing local CMOS clock
I'm having issues setting an external source on a Windows 2008 R2 domain controller (PDC emulator role for the domain)
Here is the output showing its source is the Local CMOS clock.
C:\Windows\System32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name: "LOCL")
Last Successful Sync Time: 06/11/2014 15:44:15
Source: Local CMOS Clock
Poll Interval: 6 (64s)
1) I have performed the following on the DC with the PDC role:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\System32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org (Local)
NtpServer (Local)
DllName: C:\Windows\System32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
But still showing the output:
C:\Windows\System32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name: "LOCL")
Last Successful Sync Time: 06/11/2014 15:58:45
Source: Local CMOS Clock
Poll Interval: 6 (64s)
2. If I resync and rediscover the following error appears:
w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
3. I've also clearing the current time config, by
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
But no change, it still shows the Local CMOS clock.
4. This event is showing
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 06/11/2014 15:43:30
Event ID: 12
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: domaincontroller1
Description:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.
It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy.
If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
<EventID>12</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-11-06T15:43:30.465619200Z" />
<EventRecordID>77295</EventRecordID>
<Correlation />
<Execution ProcessID="256" ThreadID="2056" />
<Channel>System</Channel>
<Computer>domaincontroller1</Computer>
<Security UserID="SID" />
</System>
<EventData Name="TMP_EVENT_DOMAIN_HIERARCHY_ROOT">
</EventData>
</Event>
5. If I perform the below it appears DC2 is having problems but I'm not sure if related.
C:\w32tm /monitor
DC1.domain.local *** PDC ***[192.168.1.1:123]:
ICMP: 0ms delay
NTP: +0.0000000s offset from DC1.domain.local
RefID: 'LOCL' [0x4C434F4C]
Stratum: 1
DC2.domain.local[192.168.1.2:123]:
ICMP: 0ms delay
NTP: -110.4925481s offset from DC1.domain.local
RefID: (unspecified / unsynchronized) [0x00000000]
Stratum: 0
DC3.domain.local[192.168.2.1:123]:
ICMP: 0ms delay
NTP: -0.0256084s offset from DC1.domain.local
RefID: DC1.domain.local [192.168.1.1]
Stratum: 2
DC4.domain.local[192.168.2.4:123]:
ICMP: 0ms delay
NTP: -0.0011524s offset from DC1.domain.local
RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
Stratum: 2
Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.
Any help would be much appreciated. Thanks.
Craig BrandI suspected some issue with AV so uninstalled.
To resolve the Access Denied I followed these steps:
stop w32time
w32tm /unregister
reboot
regsvr32 /u w32time.dll
w32tm /register
sc query w32time -- you should see that the service is set to
shared mode -- this is presumably how it should be -- if you try to start right now, you'll get the expected 1290 SID-related error
reboot
w32time should now automatically start at boot up and be running -- that was my result -- it's running as shared, started on its own, and I can do the w32tm /query commands successfully
After rebooting the time service started.
I then repeated the steps:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration
And all worked. I'll wait a short while to see if this fixes the issue. I also have am SA case with MS so will confirm fix when resolved.
Craig Brand -
How to reset Windows 2008 R2 Domain Controller "Administrator" password?
Hello Everyone,
I have lost Administrator password for the following system:
Windows 2008 R2
Domain Controller setup on same machine
Stand alone server - no workstations or other servers invovled
I still have the "Directory Service Restore Password" but I don't think that helps me for lost Administrator password. I beleive I need to boot from an .iso file to gain access. I already tried "Offline NT Password & Registery Editor" and it has set
Administrator password to (blank) but that is not allowing me access as it seems that I have to login to domain controller Administrator. So, how can I reset that password?
ThanksIt wasn't difficult to reset the domain password and I think Microsoft's policy of not providing an easy forward way is to create an
illusion of security which is not there. Linux systems that are much more secure that MSFT software allow easy password reset when physical access is there so why not include the same tools in System Repair tools or using F8?
Anyhow, this guide helped me reset the password in 5 minutes. Read the bottom of it to find the scripted / automatic version of the process:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
Thanks, -
I current have a two server domain, both Windows 2008 R2 and fully updated. The two servers are on subnet 10.0.1.0 /24
- Windows 2008 R2 Server A: 10.0.1.1 (DC, GC, FSMO, DNS)
- Windows 2008 R2 Server B: 10.0.1.2 (DC, GC)
AD Domain: COMPANY.LOCAL
I have a second connected subnet, 192.168.1.0 /24) which is routed to the 10.0.1.0/24 subnet and I would like to install a Windows 2012 R2 server onto a server on that subnet and make it a domain controller with AD-Integrated DNS and DHCP for the 192.168.1.0
/24 subnet.
- Windows 2012 R2 Server C: 192.168.1.1
What are the proper progression steps, in order to bring up the Windows 2012 R2 server and then add it to my COMPANY.LOCAL domain and then promote it do a DC/GC/AD-Integrated DNS server? Are they anything like the following:
1. Install Windows 2012 R2 server (Server C)
2. Point Windows 2012 R2 server DNS servers at Server's A and B
3. Perform AD prep to extend AD schema to support Windows 2012 R2 domain controllers
4. Promote Windows 2012 R2 server to domain controller (install local DNS service on Server C, during this step)
* Question: Will Windows automatically create a DNS zone for the Windows 2012 R2 subnet (192.168.1.0/24) AND also include the DNS zone from the previous Windows 2008 R2 domain (10.0.1.0 /24)? Or will I need to add the 10.0.1.0 /24 zone to the DNS
server on Server C, even though the DNS from the Windows 2008 R2 domain is AD integrated?Hi,
Regarding the issue here, please take a look into below articles:
System Requirements and Installation Information for Windows Server 2012 R2
http://technet.microsoft.com/en-us/library/dn303418.aspx
Release Notes: Important Issues in Windows Server 2012 R2
http://technet.microsoft.com/en-us/library/dn387077.aspx
Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
http://technet.microsoft.com/en-us/library/jj574134.aspx
Here is an example for promoting Windows Server 2012 to a DC, see:
Step-by-Step Guide for Setting Up A Windows Server 2012 Domain Controller
http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
As the server is promoted to a DC, DNS Zones will be replicated and synchronized to it automatically whenever the new one is added to an AD DS domain, bascially there is no special need to add zones, for more information, please see:
Understanding Active Directory Domain Services Integration
http://technet.microsoft.com/en-us/library/cc726034.aspx
Hope this may help
Best regards
Michael
If you have any feedback on our support, please click
here.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
Windows Server 2008 R2 Domain Controller NOT logging EventID 4740
EventID 4740 (account lockout) is not being logged to the event viewer. When searching through the security log there are none to be found. Having accounts locked out and no logging is driving me nuts. Hope someone has run into this before. This is what
i have checked thus far.
>Windows Server 2008 R2 Domain Controller
>Verified the following GPO settings are set and correct:
>Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ all are set for Success & Failure
>Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff) is set for Success and Failure
>Powershell command Get-Eventlog -log Security -InstanceId 4740 returns no results which makes sense since there are no entries in the security log file.
>No 4740 entries in the netlogon.log debug file
AD and the LockoutStatus tool show the account is locked out but i still have nothing in the logs.
Anyone have any ideas? From everything i can find online , it appears i have everything set properly.
Thanks, ChicoHi Chico,
I suggest you try to enable this group policy below:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
More information for you:
Missing 4740 EventID's
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9871d72-7439-46b5-98e6-a7fadfa6ff28/missing-4740-eventids?forum=winserversecurity
If you have multiple Domain Controllers, check this event on other DCs, too.
Please feel free to let us know if there are any further requirements.
Best Regards,
Amy Wang -
I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
Default Domain Controllers Policy
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change No Auditing
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation SuccessHi Lawrence,
After configuring the GPO, did we run command gpupdate/force to update the policy immediately on domain controller? Besides, please run command gpresult/h c:\gpreport.html to check if the audit policy
setting was applied successfully.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen -
Hi
Anyone knows whether Windows 2008 R2 domain controllers with Windows 2003 forest functional level will still be Supported after Windows 2003 support ends in July 2015 ?
ThanksWhen Windows Server 2003 support ends, you should not have a Windows Server 2003 Domain Controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
So, if you are keeping Windows Server 2003 FFL to keep DCs running Windows Server 2003 then this is not supported.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
RAC on windows 2000 with domain controller
Guys,
I need advise on the following implementation.
We have 2 IBM Xseries 365 Servers , 1 FastT600 Storage Windows 2000 Advanced Server, Oracle 9i, Oracle RAC
We have plan of integrating 2 servers in Windows 2000 Cluster, one server would act as Domain Controller and second will act as Additional Domain Controller in the MS Cluster. We would be installing Oracle 9i Enterprise s/w on each one of these server's internal disks and datafiles on shared storage ( FastT600 ).. We would need to install Oracle RAC as well. As per Oracle recommandation, the cluster nodes shouldn't act as Domain controller. We didn't find any logical and techinical answer for this recommandation. Can anyone guide me as why is it so? and any issue may arise if we don't have separate doamin controller?
Is it really required to have separate Domain controller ?
Early replies would be appretiated..
Thanks & Regards,
SamHello hanspjacobsen,
1. According to the subjects System Requrements - Windows 2008 R2 Domain Controllers do support
Windows 8.1/2012 R2 admx deployment with some limitations regarding down-level server version of course. So yes - you can download and use it. Doubtfully the GPO presence in AD could
harm Exchange in any way.
2. With the course of updates for Exchange 2010 and Windows Server - I'm pretty sure we can expect Exchange 2010 supporting W2012 R2 DCs with close upcoming updates. So the full interoperability for those two is just a matter of little time.
▲ Vote if Helpful / Mark if Answer
MCSE: Messaging 2013 Charter / Private Cloud / Server Infrastructure
MaximumExchange.ru -
How to Reset Windows 2008/R2 Domain Administrator Password
How to Reset Windows Server 2008/R2 Domain Administrator password if forgot or lost it?
It is annoying and bad to forget a Windows Server 2008/r2 Domain administrator login password. It is troublesome unless you have that Windows Server 2008/r2 password reset disk. We can still find several tricks to reset Windows Server Domain password but they require a mass of operations and waste a lot of time. For example, you can reset Windows Server 2008/R2 domain administrator password with an installation disk but it requires you to type a mass of command line. So today I want to share everyone an omnipotent method to reset Windows Server 2008/R2 Domain/local administrator password. You need the following 3 things.
An accessible PC.
A USB/CD/DVD flash drive.
The Windows password reset tool Daossoft Windows Password Rescuer.
Then it requires 4 steps as below:
Step 1: Download and install Daossoft Windows Password Rescuer into that accessible computer.
Step 2: Burn it to the flash drive.
Step 3: Boot your Windows Server computer from the flash drive.
Step 4: Follow its instruction and click “Reset Password” button to reset your Windows 2008/R2 Domain/Local administrator password.
More details in this video: Windows Server 2008 R2 Password Reset - Reset Domain or Local Password.It wasn't difficult to reset the domain password and I think Microsoft's policy of not providing an easy forward way is to create an
illusion of security which is not there. Linux systems that are much more secure that MSFT software allow easy password reset when physical access is there so why not include the same tools in System Repair tools or using F8?
Anyhow, this guide helped me reset the password in 5 minutes. Read the bottom of it to find the scripted / automatic version of the process:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
Thanks, -
Hardware Requirements for a Windows Server 2012 Domain Controller.
Hi,
I have a secondary office with 10 users with a domain controller that has reached its end of life. We like to upgrade the current hardware to serve as a domain controller and potentially as an onsite file server that will sync with head office during
off peak business hours.
Any recommendations for a low cost yet reliable hardware for the above solution ?Hi,
Thanks for your post.
I think you need to meet the requirement for upgrading to windows server 2012r2.
http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_SysReqs
And you could refer to the following article about windows server 2012r2 domain controller configuration
Building Your First Domain Controller on 2012 R2
http://social.technet.microsoft.com/wiki/contents/articles/22622.building-your-first-domain-controller-on-2012-r2.aspx
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Renaming Windows Server 2012 Domain Controller with Exchange Server 2013
Is it possible to rename Windows Server 2012 Domain Controller, as we are using Exchange Server 2013 as a member server on Windows Server 2012 ?
We have some issues with the Domain Name, so want to rename..
Maybe somebody knows the best practices how to do this in best way???
Thanks.Hello,
You should do the following:
1. Promote another DC.
2. Transfer FSMO roles to that server.
3. Decommission old DC.
4. Rename it.
5. Promote it again as DC.
Here is useful link:
http://technet.microsoft.com/en-us/library/cc782761(v=ws.10).aspx#bkmk_renamesingle.
Hope it helps,
Adam
www.codetwo.com
If this post helps resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others
find the answer faster. -
Upgrading windows server 2003 domain controller to windows server 2008
Hello friedns :
We have a company with about 2000 users , and two windows server 2003 domain controllers , one of them acts as a primary domain controller , and the other acts as secondary domain controller , all the FSMO s are on the primary DC ,we have decided to upgrade all of our servers from windows server 2003 to windows server 2008 , the first step is to upgrade the domain controllers to windows server 2008 , our domain controllers are so sensitive and has to be active 24 hours a day , i have stress upgrading it to windows server 2008 , what is the best solution to upgrade it with no risk ?
( i have an opinion but i am not sure and i dont have any guide about it , i want to install a windows server 2008 and promote it as an additional domain controller to the windows server 2003 DC and the transfer all the FSMOs to it , and then promote the first domain controller !!! is that possible ? if yes , is there any guide about it? )
If there is a guide available for it please let me know . (Specially if there is a tip & trick)
thank you guys.
Network is my LOVEHi,
This TechNet online article might be helpful for you.
How to Upgrade Domain Controllers to Windows Server 2008 or Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx
For your convenience, I have list some general steps for your reference.
Since the following operation have potential damage to Active Directory database, it is highly suggested that you'd better perform a full backup of Active Directory (System State) firstly. Also it is better to test the following procedure in a similar lab environment first.
General Steps:
=============
1. Verify the new server's TCP/IP configuration has been pointed to the current DNS server.
2. Make the new server become a member server of the current Windows Server 2003 domain first.
3. Upgrade the Windows Server 2003 forest schema to Windows Server 2008 schema with the "adprep /forestprep" command on old server.
Please run the "adprep.exe /forestprep" command from the Windows Server 2008 installation disk on the schema master. To do this, insert the Windows Server 2008 installation disk, and then type the following command:
Drive:\sources\ADPREP\adprep.exe /forestprep
4. Upgrade the Windows 2003 domain schema with the "adprep /domainprep" command on old server.
Please run the "adprep.exe /domainprep" command from the Windows Server 2008 installation disk on the infrastructure master. To do this, insert the Windows Server 2008 installation disk, and then type the following command:
Drive:\sources\ADPREP \adprep.exe /domainprep
5. Insert Windows Server 2008 Installation Disc in the new server.
6. Run "dcpromo" on new server to promote it as an additional domain controller in existing Windows 2003 domain, afterwards you may verify the installation of Active Directory.
Please refer to:
How to Verify an Active Directory Installation in Windows Server 2003
http://support.microsoft.com/kb/816106
7. Verify the new server's TCP/IP configuration has been pointed to current DNS server.
8. Enable Global Catalog on new server and manually Check Replication Topology and afterwards manually trigger replication (Replicate Now) to synchronize Active Directory database between 2 replicas.
Please note: It will some time to replicate GC between DC, please wait some time with patience.
9. Disable Global Catalog on the old DC.
10. Transfer all the FSMO roles from the old DC to the new DC.
Please refer to:
How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801
11. Verify that the old DNS Server Zone type is Active Directory-Integrated. If not, please refer to:
How To: Convert DNS Primary Server to Active Directory Integrated
http://support.microsoft.com/kb/816101
Note: Active Directory Integrated-Zone is available only if DNS server is a domain controller.
12. Install DNS component on new server and configure it as a new DNS Server (Active Directory Integrated-Zone is preferred). All the DNS configuration should be replicated to the new DNS server with Active Directory Replication.
13. Make all the clients change TCP/IP configuration to point to new server as DNS.
14. You may configure TCP/IP on all the clients, or adjust DHCP scope settings to make them use the new DNS server.
Please note: It is a good practice to make the old DC offline for several days and check whether everything works normally with the new server online. If so, you may let the old DC online and run DCPROMO to demote it.
Hope it helps.
Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights. -
Add Windows Server 2012 R2 domain controller to Windows 2008 R2 domain
Hi,
Have today 2 x Windows Server 2008 R2 domain controllers, and domain and functional level 2008 R2.
We now want to replace these DC`s with Windows Server 2012 R2.
My plan is as follow
- Install and promote a Windows Server 2012 R2 as a 3 DC`s with a temporary hostname and IP as DC3
- Install and promote a second Windows Server 2012 R2 as a 4 DC`s with a temporary hostname and IP as DC4
- Decomiss DC1 and remove this host. Change the IP and hostname of the new DC3 to DC1
- Move FSMO roles from DC2 to DC1 and decomiss DC2
- Change the IP and hostname of the new DC4 to DC2
Will this be a ok progress ? I will offcours to have the DC`s replicate information between them before doing each task.
/Regards AndreasHi,
Only error i got running dcdiag was the following
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=local
......................... DC1 failed test NCSecDesc
Is this a problem ?
I would guess not since im not implementing a RODC ? Ref:
https://support.microsoft.com/en-us/kb/967482?wa=wsignin1.0
You can ignore it.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
ACS 4.1 support with Windows Server 2012 Domain controller
I am upgrading my Domain Controller / Active Directory from Windows Server 2003 to Windows Server 2012.
In my environment, I am using Cisco ACS 4.1 which is integrated with Windows Server 2003 Active Directory.
Will ACS4.1 will work fine with my new domain controller (Windows server 2012) or I need to upgrade my ACS too?
Regards,
JunaidJunaid,
ACS 4.x code doesn't even support Windows 2008 R2. Your best bet is to migrate the ACS from 4.x to ACS 5.4 Patch 2 or stay with windows 2003 or 2008 (Non-R2).
ACS 5.4 patch 2 supports Windows 2012 AD.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/release/notes/acs_54_rn.html
Regards,
Jatin
**Do rate helpful posts** -
Adding a Server 2008 R2 Domain Controller at a remote site
Hello. I have been trying to set up a hot site at a remote location. The story is long and involved but a few weeks ago it seemed to be finally working. Our setup is two mirrored 2008 R2 servers at main site, mirrored with Double Take.
The hot site is the same except that so far I only had one server working. The two sites connected via site to site VPN.
About a week later our primary server basically crashed. At first it worked but very slowly. I was on vacation at the time and so I am not sure of the sequence of events, or exactly what errors were presented, but my associate first tried rebooting.
It took over 20 minutes to boot and then it said something to the effect that no domain controllers were available (not sure about this message). He then discovered that the server at the remote site had some fsmo roles assigned to it. He transferred
the roles to the primary at the main site and then demoted the remote server to a workstation (but still a domain member).
After that, rebooting the primary was much faster and everything at the primary site is working again. Now I want to set the remote site up again, but avoid the problem. The way I originally set up the remote server was to use an IFM file, generated
from our primary. This should have made the remote server a catalog server, with DNS (which it did), but as far as I know should not have transferred any fsmo roles.
The remote server(s) are wanted to be in the same domain as the primary. They will also be mirrored from the primary (with Double Take). If we had total failure at the main site, we wish to be able to immediately begin operations at the hot site
(after a fail over). I freely admit that I am swimming out of my depth here. I am not sure that I have selected the correct architecture or used the correct options in setting up the remote servers. I am looking for information about what
went wrong, and whether some other setup is more desirable.
Thanks for any help, Russ
RussPhilippe, thank you for you answers. I do not understand everything you said but I will address each point as best I can:
1. "In the remote site do you simply do a dcpromo / add the ADDS's role to make the server a active Domain Controller ?" Yes, but I use the method described at
http://technet.microsoft.com/en-us/library/cc753720(v=ws.10).aspx, The GUI method. At step #8 I specified to use advanced mode so I could use the IFM file.
2. "In your AD' Site and Service MMC, do you configured the remote site ?" R do not know what you mean by this. How does one configure the site as 'remote'?
3. "Do you added that remote server as a Global catalogue ?". Yes, when I built the IFM file I specified to add the global catalog.
4. "Do you added the PC in site 1, the IP of those DNS server in them ? (last of course) So the computer in the main site will talk to the remote server in case of a crash." I am not sure I understand this item. After the remote server
was added, all of the members of both domain servers automatically appeared in the DNS of all servers in the domain. I do not recall if the new items were last, but I expect that they would be.
I have since reviewed the happenings with my associate and have a little more information. The order of the problems and the actions taken are:
1. Our primary (production) system was still working but extremely slow, and he observed that the slowness was caused by a lot of traffic with the remote site. Rebooting the production server took over 25 minutes and the server to came up saying
that domain information was not available. After another 30 minutes or so he discovered that the domain data was now available and the server worked, but still slow.
2. He did not check to verify that roles were held by the remote server, but he transferred all roles from the remote to the production server using ntdsutil. I would expect that if the role was not held by the remote, the transfer command would have
shown that fact.
3. He then tried to demote the remote server but had an error that it could not be demoted because "the active directory service is missing mandatory configuration information".
4. He forcefully demoted the remote server.
5. After rebooting the production server again performance was slightly better but still slow (and the rebood was still very slow).
6. After some research he removed the remote domain controller's meta data from the production server and then rebooted the production server again.
At that point reboot was fast (under 5 minutes) and the production system was working at normal speed again.
All of the above leads me to believe that somehow the FSMO roles got added to, or moved to the remote site when I used the IFM file to create the new domain controller. However nothing I have read says that this should happen. I hope someone
here can give me a better answer as to what caused the problem, as I do not wish to interrupt our production system like this again.
Thank you, Russ
PS: Sorry for the delay in getting back to this but some other priorities took me away from it for a week.
Russ
Maybe you are looking for
-
Unable to get the data from table controller
Dear All, I am facing the following problem in BSP tableview, I am having tableview on page as below <htmlb:tableView id = "reportsTable2" headerVisible = "true" headerText = "Pending
-
To pass the page parameters to a form in portal
Hi, I am trying to develope a simple page using portal which contains 1. Simple parameter form. 2. Form that accepts the data from the simple parameter form. I want to pass 2 page parameters to this form(no.2) Is it possible to pass the page paramete
-
I was wondering why Apple doesn't allow educators to sync up to 10 devices for each app like regular users. My district has purchased all this Apple technology and we are limited by the license agreements for education. I would like to purchase som
-
-
Kernel patch upgrade for multiple instance
Hi expert, I want to know will we follow the same process while upgrade the kernel patch only for Multiple ABAP STAK. We have system which has 3 instances....................so my question is exactly where we ned to put the kernel files (Generlly it