Windows 2008 R2 Domain Controller, Tracking of helpdesk staff invloved in unlock account, password reset

Dear All,
We recently gave permissions to group of level 1 staff to unlock OR reset password of users. In case user calls and report his account is locked OR if his password expires.
I want to track by auditing just in case something goes wrong, I can check in auditing. I have created a new GPO and select success/failure for Computer Config > Windows Settings > Security Settings > Local Policies > Audit Policy "Audi
Account Management"
applied it on domain top level and I did not changed settings of 'default Domain Policy' which is also linked on top level of domain.
But after applying this I am unable to see any event 4724 of password re-set when I attempted to test this GPO. What else is required to be done in order to trace users in group 'level1' if they change any body password.
Please assist.
thank you

Hello,
Total two DC's in our environment. But now I figured out and it is working now. It was supposed to set in Advanced audit policy > User account management, I enabled it for success and failure and my newly created GPO is applied on domian top in addition
to default domain policy.
I am able to see unlock events, password change events in my security log. So, it is working.
Thank you,
Wajeeh

Similar Messages

  • Windows 2008 R2 Domain Controller (PDC) - NTP server - time showing local CMOS clock

    I'm having issues setting an external source on a Windows 2008 R2 domain controller (PDC emulator role for the domain)
    Here is the output showing its source is the Local CMOS clock.
    C:\Windows\System32>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 1 (primary reference - syncd by radio clock)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name:  "LOCL")
    Last Successful Sync Time: 06/11/2014 15:44:15
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)
    1) I have performed the following on the DC with the PDC role:
    net stop w32time
    w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
    w32tm /config /reliable:yes
    net start w32time
    w32tm /query /configuration 
    [Configuration]
    EventLogFlags: 2 (Local)
    AnnounceFlags: 5 (Local)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Local)
    MaxPollInterval: 10 (Local)
    MaxNegPhaseCorrection: 172800 (Local)
    MaxPosPhaseCorrection: 172800 (Local)
    MaxAllowedPhaseOffset: 300 (Local)
    FrequencyCorrectRate: 4 (Local)
    PollAdjustFactor: 5 (Local)
    LargePhaseOffset: 50000000 (Local)
    SpikeWatchPeriod: 900 (Local)
    LocalClockDispersion: 10 (Local)
    HoldPeriod: 5 (Local)
    PhaseCorrectRate: 7 (Local)
    UpdateInterval: 100 (Local)
    [TimeProviders]
    NtpClient (Local)
    DllName: C:\Windows\System32\w32time.DLL (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Local)
    ResolvePeerBackoffMaxTimes: 7 (Local)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 1 (Local)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 3600 (Local)
    Type: NTP (Local)
    NtpServer: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org (Local)
    NtpServer (Local)
    DllName: C:\Windows\System32\w32time.DLL (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    But still showing the output:
    C:\Windows\System32>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 1 (primary reference - syncd by radio clock)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name:  "LOCL")
    Last Successful Sync Time: 06/11/2014 15:58:45
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)
    2. If I resync and rediscover the following error appears: 
    w32tm /resync /rediscover 
    Sending resync command to local computer
    The computer did not resync because no time data was available.
    3. I've also clearing the current time config, by
    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time
    But no change, it still shows the Local CMOS clock. 
    4. This event is showing 
    Log Name:      System
    Source:        Microsoft-Windows-Time-Service
    Date:          06/11/2014 15:43:30
    Event ID:      12
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          LOCAL SERVICE
    Computer:      domaincontroller1
    Description:
    Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.
    It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy.
    If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
        <EventID>12</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2014-11-06T15:43:30.465619200Z" />
        <EventRecordID>77295</EventRecordID>
        <Correlation />
        <Execution ProcessID="256" ThreadID="2056" />
        <Channel>System</Channel>
        <Computer>domaincontroller1</Computer>
        <Security UserID="SID" />
      </System>
      <EventData Name="TMP_EVENT_DOMAIN_HIERARCHY_ROOT">
      </EventData>
    </Event>
    5. If I perform the below it appears DC2 is having problems but I'm not sure if related. 
    C:\w32tm /monitor
    DC1.domain.local *** PDC ***[192.168.1.1:123]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from DC1.domain.local
            RefID: 'LOCL' [0x4C434F4C]
            Stratum: 1
    DC2.domain.local[192.168.1.2:123]:
        ICMP: 0ms delay
        NTP: -110.4925481s offset from DC1.domain.local
            RefID: (unspecified / unsynchronized) [0x00000000]
            Stratum: 0
    DC3.domain.local[192.168.2.1:123]:
        ICMP: 0ms delay
        NTP: -0.0256084s offset from DC1.domain.local
            RefID: DC1.domain.local [192.168.1.1]
            Stratum: 2
    DC4.domain.local[192.168.2.4:123]:
        ICMP: 0ms delay
        NTP: -0.0011524s offset from DC1.domain.local
            RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
            Stratum: 2
    Warning:
    Reverse name resolution is best effort. It may not be
    correct since RefID field in time packets differs across
    NTP implementations and may not be using IP addresses.
    Any help would be much appreciated. Thanks. 
    Craig Brand

    I suspected some issue with AV so uninstalled. 
    To resolve the Access Denied I followed these steps: 
    stop w32time
    w32tm /unregister
    reboot
    regsvr32 /u w32time.dll
    w32tm /register
    sc query w32time -- you should see that the service is set to
    shared mode -- this is presumably how it should be -- if you try to start right now, you'll get the expected 1290 SID-related error
    reboot
    w32time should now automatically start at boot up and be running -- that was my result -- it's running as shared, started on its own, and I can do the w32tm /query commands successfully
    After rebooting the time service started. 
    I then repeated the steps: 
    net stop w32time
    w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
    w32tm /config /reliable:yes
    net start w32time
    w32tm /query /configuration 
    And all worked. I'll wait a short while to see if this fixes the issue. I also have am SA case with MS so will confirm fix when resolved. 
    Craig Brand

  • How to reset Windows 2008 R2 Domain Controller "Administrator" password?

    Hello Everyone,
    I have lost Administrator password for the following system:
    Windows 2008 R2
    Domain Controller setup on same machine
    Stand alone server - no workstations or other servers invovled
    I still have the "Directory Service Restore Password" but I don't think that helps me for lost Administrator password. I beleive I need to boot from an .iso file to gain access. I already tried "Offline NT Password & Registery Editor" and it has set
    Administrator password to (blank) but that is not allowing me access as it seems that I have to login to domain controller Administrator. So, how can I reset that password?
    Thanks

    It wasn't difficult to reset the domain password and I think Microsoft's policy of not providing an easy forward way is to create an
    illusion of security which is not there. Linux systems that are much more secure that MSFT software allow easy password reset when physical access is there so why not include the same tools in System Repair tools or using F8?
    Anyhow, this guide helped me reset the password in 5 minutes. Read the bottom of it to find the scripted / automatic version of the process:
    http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
    Thanks,

  • Question about adding Windows 2012 R2 Domain Controller, into a native Windows 2008 R2 single forest domain

    I current have a two server domain, both Windows 2008 R2 and fully updated.   The two servers are on subnet 10.0.1.0 /24
    - Windows 2008 R2 Server A: 10.0.1.1 (DC, GC, FSMO, DNS)
    - Windows 2008 R2 Server B: 10.0.1.2 (DC, GC)
    AD Domain: COMPANY.LOCAL
    I have a second connected subnet, 192.168.1.0 /24) which is routed to the 10.0.1.0/24 subnet and I would like to install a Windows 2012 R2 server onto a server on that subnet and make it a domain controller with AD-Integrated DNS and DHCP for the 192.168.1.0
    /24 subnet.
    - Windows 2012 R2 Server C: 192.168.1.1
    What are the proper progression steps, in order to bring up the Windows 2012 R2 server and then add it to my COMPANY.LOCAL domain and then promote it do a DC/GC/AD-Integrated DNS server?   Are they anything like the following:
    1. Install Windows 2012 R2 server (Server C)
    2. Point Windows 2012 R2 server DNS servers at Server's A and B
    3. Perform AD prep to extend AD schema to support Windows 2012 R2 domain controllers
    4. Promote Windows 2012 R2 server to domain controller (install local DNS service on Server C, during this step)
    * Question:  Will Windows automatically create a DNS zone for the Windows 2012 R2 subnet (192.168.1.0/24) AND also include the DNS zone from the previous Windows 2008 R2 domain (10.0.1.0 /24)?  Or will I need to add the 10.0.1.0 /24 zone to the DNS
    server on Server C, even though the DNS from the Windows 2008 R2 domain is AD integrated?

    Hi,
    Regarding the issue here, please take a look into below articles:
    System Requirements and Installation Information for Windows Server 2012 R2
    http://technet.microsoft.com/en-us/library/dn303418.aspx
    Release Notes: Important Issues in Windows Server 2012 R2
    http://technet.microsoft.com/en-us/library/dn387077.aspx
    Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
    http://technet.microsoft.com/en-us/library/jj574134.aspx
    Here is an example for promoting Windows Server 2012 to a DC, see:
    Step-by-Step Guide for Setting Up A Windows Server 2012 Domain Controller
    http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
    As the server is promoted to a DC, DNS Zones will be replicated and synchronized to it automatically whenever the new one is added to an AD DS domain,  bascially there is no special need to add zones,  for more information, please see:
    Understanding Active Directory Domain Services Integration
    http://technet.microsoft.com/en-us/library/cc726034.aspx
    Hope this may help
    Best regards
    Michael
    If you have any feedback on our support, please click
    here.
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Windows Server 2008 R2 Domain Controller NOT logging EventID 4740

    EventID 4740 (account lockout) is not being logged to the event viewer. When searching through the security log there are none to be found. Having accounts locked out and no logging is driving me nuts. Hope someone has run into this before. This is what
    i have checked thus far.
    >Windows Server 2008 R2 Domain Controller
    >Verified the following GPO settings are set and correct:
    >Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ all are set for Success & Failure
    >Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff) is set for Success and Failure
    >Powershell command Get-Eventlog -log Security -InstanceId 4740 returns no results which makes sense since there are no entries in the security log file.
    >No 4740 entries in the netlogon.log debug file
    AD and the LockoutStatus tool show the account is locked out but i still have nothing in the logs.
    Anyone have any ideas? From everything i can find online , it appears i have everything set properly.
    Thanks, Chico

    Hi Chico,
    I suggest you try to enable this group policy below:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
    More information for you:
    Missing 4740 EventID's
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9871d72-7439-46b5-98e6-a7fadfa6ff28/missing-4740-eventids?forum=winserversecurity
    If you have multiple Domain Controllers, check this event on other DCs, too.
    Please feel free to let us know if there are any further requirements.
    Best Regards,
    Amy Wang

  • Cannot generate Account Logon Events (Event ID 4624) in Security Event Log on Server 2008 R2 Domain Controller

    I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
    Default Domain Controllers Policy
    Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
    What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        No Auditing
      IPsec Driver                            No Auditing
      Other System Events                     No Auditing
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   No Auditing
      Logoff                                  No Auditing
      Account Lockout                         No Auditing
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     No Auditing
      Authentication Policy Change            No Auditing
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 No Auditing
      Computer Account Management             No Auditing
      Security Group Management               No Auditing
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         No Auditing
      Credential Validation                   Success

    Hi Lawrence,
    After configuring the GPO, did we run command gpupdate/force to update the policy immediately on domain controller? Besides, please run command gpresult/h c:\gpreport.html to check if the audit policy
    setting was applied successfully.
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Best regards,
    Frank Shen

  • Windows 2008 R2 domain controllers with Windows 2003 forest functional level Supported after Windows 2003 support ends in July 2015

    Hi
    Anyone knows whether Windows 2008 R2 domain controllers with Windows 2003 forest functional level will still be Supported after Windows 2003 support ends in July 2015 ?
    Thanks

    When Windows Server 2003 support ends, you should not have a Windows Server 2003 Domain Controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
    So, if you are keeping Windows Server 2003 FFL to keep DCs running Windows Server 2003 then this is not supported.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • RAC on windows 2000 with domain controller

    Guys,
    I need advise on the following implementation.
    We have 2 IBM Xseries 365 Servers , 1 FastT600 Storage Windows 2000 Advanced Server, Oracle 9i, Oracle RAC
    We have plan of integrating 2 servers in Windows 2000 Cluster, one server would act as Domain Controller and second will act as Additional Domain Controller in the MS Cluster. We would be installing Oracle 9i Enterprise s/w on each one of these server's internal disks and datafiles on shared storage ( FastT600 ).. We would need to install Oracle RAC as well. As per Oracle recommandation, the cluster nodes shouldn't act as Domain controller. We didn't find any logical and techinical answer for this recommandation. Can anyone guide me as why is it so? and any issue may arise if we don't have separate doamin controller?
    Is it really required to have separate Domain controller ?
    Early replies would be appretiated..
    Thanks & Regards,
    Sam

    Hello hanspjacobsen,
    1. According to the subjects System Requrements - Windows 2008 R2 Domain Controllers do support
    Windows 8.1/2012 R2 admx deployment with some limitations regarding down-level server version of course. So yes - you can download and use it. Doubtfully the GPO presence in AD could
    harm Exchange in any way.
    2. With the course of updates for Exchange 2010 and Windows Server - I'm pretty sure we can expect Exchange 2010 supporting W2012 R2 DCs with close upcoming updates. So the full interoperability for those two is just a matter of little time.
    ▲ Vote if Helpful / Mark if Answer
    MCSE: Messaging 2013 Charter / Private Cloud / Server Infrastructure
    MaximumExchange.ru

  • How to Reset Windows 2008/R2 Domain Administrator Password

    How to Reset Windows Server 2008/R2 Domain Administrator password if forgot or lost it?
    It is annoying and bad to forget a Windows Server 2008/r2 Domain administrator login password. It is troublesome unless you have that Windows Server 2008/r2 password reset disk. We can still find several tricks to reset Windows Server Domain password but they require a mass of operations and waste a lot of time. For example, you can reset Windows Server 2008/R2 domain administrator password with an installation disk but it requires you to type a mass of command line. So today I want to share everyone an omnipotent method to reset Windows Server 2008/R2 Domain/local administrator password. You need the following 3 things.
    An accessible PC.
    A USB/CD/DVD flash drive.
    The Windows password reset tool Daossoft Windows Password Rescuer.
    Then it requires 4 steps as below:
    Step 1: Download and install Daossoft Windows Password Rescuer into that accessible computer.
    Step 2: Burn it to the flash drive.
    Step 3: Boot your Windows Server computer from the flash drive.
    Step 4: Follow its instruction and click “Reset Password” button to reset your Windows 2008/R2 Domain/Local administrator password.
    More details in this video: Windows Server 2008 R2 Password Reset - Reset Domain or Local Password.

    It wasn't difficult to reset the domain password and I think Microsoft's policy of not providing an easy forward way is to create an
    illusion of security which is not there. Linux systems that are much more secure that MSFT software allow easy password reset when physical access is there so why not include the same tools in System Repair tools or using F8?
    Anyhow, this guide helped me reset the password in 5 minutes. Read the bottom of it to find the scripted / automatic version of the process:
    http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
    Thanks,

  • Hardware Requirements for a Windows Server 2012 Domain Controller.

    Hi,
    I have a secondary office with 10 users with a domain controller that has reached its end of life.  We like to upgrade the current hardware to serve as a domain controller and potentially as an onsite file server that will sync with head office during
    off peak business hours.
    Any recommendations for a low cost yet reliable hardware for the above solution ?

    Hi,
    Thanks for your post.
    I think you need to meet the requirement for upgrading to windows server 2012r2.
    http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_SysReqs
    And you could refer to the following article about windows server 2012r2 domain controller configuration
    Building Your First Domain Controller on 2012 R2
    http://social.technet.microsoft.com/wiki/contents/articles/22622.building-your-first-domain-controller-on-2012-r2.aspx
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Renaming Windows Server 2012 Domain Controller with Exchange Server 2013

    Is it possible to rename Windows Server 2012 Domain Controller, as we are using Exchange Server 2013 as a member server on Windows Server 2012 ?
    We have some issues with the Domain Name, so want to rename..
    Maybe somebody knows the best practices how to do this in best way???
    Thanks.

    Hello,
    You should do the following:
    1. Promote another DC.
    2. Transfer FSMO roles to that server.
    3. Decommission old DC.
    4. Rename it.
    5. Promote it again as DC.
    Here is useful link:
    http://technet.microsoft.com/en-us/library/cc782761(v=ws.10).aspx#bkmk_renamesingle.
    Hope it helps,
    Adam
    www.codetwo.com
    If this post helps resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others
    find the answer faster.

  • Upgrading windows server 2003 domain controller to windows server 2008

    Hello friedns :
    We have a company with about 2000 users , and two windows server 2003 domain controllers , one of them acts as a primary domain controller , and the other acts as secondary domain controller , all the FSMO s are on the primary DC ,we have decided to upgrade all of our servers from windows server 2003 to windows server 2008 , the first step is to upgrade the domain controllers to windows server 2008 , our domain controllers are so sensitive and has to be active 24 hours a day , i have stress upgrading it to windows server 2008 , what is the best solution to upgrade it with no risk ?
    ( i have an opinion but i am not sure and i dont have any guide about it , i want to install a windows server 2008 and promote it as an additional domain controller to the windows server 2003 DC and the transfer all the FSMOs to it , and then promote the first domain controller !!! is that possible ? if yes , is there any guide about it? )
    If there is a guide available for it please let me know . (Specially if there is a tip & trick)
    thank you guys.
    Network is my LOVE

    Hi,
    This TechNet online article might be helpful for you.
    How to Upgrade Domain Controllers to Windows Server 2008 or Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx
    For your convenience, I have list some general steps for your reference.
    Since the following operation have potential damage to Active Directory database, it is highly suggested that you'd better perform a full backup of Active Directory (System State) firstly. Also it is better to test the following procedure in a similar lab environment first.
    General Steps:
    =============
    1. Verify the new server's TCP/IP configuration has been pointed to the current DNS server.
    2. Make the new server become a member server of the current Windows Server 2003 domain first.
    3. Upgrade the Windows Server 2003 forest schema to Windows Server 2008 schema with the "adprep /forestprep" command on old server.
    Please run the "adprep.exe /forestprep" command from the Windows Server 2008 installation disk on the schema master. To do this, insert the Windows Server 2008 installation disk, and then type the following command:
    Drive:\sources\ADPREP\adprep.exe /forestprep
    4. Upgrade the Windows 2003 domain schema with the "adprep /domainprep" command on old server.
    Please run the "adprep.exe /domainprep" command from the Windows Server 2008 installation disk on the infrastructure master. To do this, insert the Windows Server 2008 installation disk, and then type the following command:
    Drive:\sources\ADPREP \adprep.exe /domainprep
    5. Insert Windows Server 2008 Installation Disc in the new server.
    6. Run "dcpromo" on new server to promote it as an additional domain controller in existing Windows 2003 domain, afterwards you may verify the installation of Active Directory.
    Please refer to:
    How to Verify an Active Directory Installation in Windows Server 2003
    http://support.microsoft.com/kb/816106
    7. Verify the new server's TCP/IP configuration has been pointed to current DNS server.
    8. Enable Global Catalog on new server and manually Check Replication Topology and afterwards manually trigger replication (Replicate Now) to synchronize Active Directory database between 2 replicas.
    Please note: It will some time to replicate GC between DC, please wait some time with patience.
    9. Disable Global Catalog on the old DC.
    10. Transfer all the FSMO roles from the old DC to the new DC.
    Please refer to:
    How to view and transfer FSMO roles in Windows Server 2003
    http://support.microsoft.com/kb/324801
    11. Verify that the old DNS Server Zone type is Active Directory-Integrated. If not, please refer to:
    How To: Convert DNS Primary Server to Active Directory Integrated
    http://support.microsoft.com/kb/816101
    Note: Active Directory Integrated-Zone is available only if DNS server is a domain controller.
    12. Install DNS component on new server and configure it as a new DNS Server (Active Directory Integrated-Zone is preferred). All the DNS configuration should be replicated to the new DNS server with Active Directory Replication.
    13. Make all the clients change TCP/IP configuration to point to new server as DNS.
    14. You may configure TCP/IP on all the clients, or adjust DHCP scope settings to make them use the new DNS server.
    Please note: It is a good practice to make the old DC offline for several days and check whether everything works normally with the new server online. If so, you may let the old DC online and run DCPROMO to demote it.
    Hope it helps.
    Regards,
    Wilson Jia
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • Add Windows Server 2012 R2 domain controller to Windows 2008 R2 domain

    Hi,
    Have today 2 x Windows Server 2008 R2 domain controllers, and domain and functional level 2008 R2.
    We now want to replace these DC`s with Windows Server 2012 R2.
    My plan is as follow
    - Install and promote a Windows Server 2012 R2 as a 3 DC`s with a temporary hostname and IP as DC3
    - Install and promote a second Windows Server 2012 R2 as a 4 DC`s with a temporary hostname and IP as DC4
    - Decomiss DC1 and remove this host. Change the IP and hostname of the new DC3 to DC1
    - Move FSMO roles from DC2 to DC1 and decomiss DC2
    - Change the IP and hostname of the new DC4 to DC2
    Will this be a ok progress ? I will offcours to have the DC`s replicate information between them before doing each task.
    /Regards Andreas

    Hi,
    Only error i got running dcdiag was the following
     Starting test: NCSecDesc
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=ForestDnsZones,DC=domain,DC=local
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=DomainDnsZones,DC=domain,DC=local
        ......................... DC1 failed test NCSecDesc
    Is this a problem ?
    I would guess not since im not implementing a RODC ? Ref:
    https://support.microsoft.com/en-us/kb/967482?wa=wsignin1.0
    You can ignore it.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • ACS 4.1 support with Windows Server 2012 Domain controller

    I am upgrading my Domain Controller / Active Directory from Windows Server 2003 to Windows Server 2012.
    In my environment, I am using Cisco ACS 4.1 which is integrated with Windows Server 2003 Active Directory.
    Will ACS4.1 will work fine with my new domain controller (Windows server 2012) or I need to upgrade my ACS too?
    Regards,
    Junaid

    Junaid,
    ACS 4.x code doesn't even support Windows 2008 R2. Your best bet is to migrate the ACS from 4.x to ACS 5.4 Patch 2 or stay with windows 2003 or 2008 (Non-R2).
    ACS 5.4 patch 2 supports Windows 2012 AD.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/release/notes/acs_54_rn.html
    Regards,
    Jatin
    **Do rate helpful posts**

  • Adding a Server 2008 R2 Domain Controller at a remote site

    Hello. I have been trying to set up a hot site at a remote location.  The story is long and involved but a few weeks ago it seemed to be finally working.  Our setup is two mirrored 2008 R2 servers at main site, mirrored with Double Take. 
    The hot site is the same except that so far I only had one server working.  The two sites connected via site to site VPN.
    About a week later our primary server basically crashed.  At first it worked but very slowly.  I was on vacation at the time and so I am not sure of the sequence of events, or exactly what errors were presented, but my associate first tried rebooting. 
    It took over 20 minutes to boot and then it said something to the effect that no domain controllers were available (not sure about this message).  He then discovered that the server at the remote site had some fsmo roles assigned to it.  He transferred
    the roles to the primary at the main site and then demoted the remote server to a workstation (but still a domain member).
    After that, rebooting the primary was much faster and everything at the primary site is working again. Now I want to set the remote site up again, but avoid the problem.  The way I originally set up the remote server was to use an IFM file, generated
    from our primary.  This should have made the remote server a catalog server, with DNS (which it did), but as far as I know should not have transferred any fsmo roles.
    The remote server(s) are wanted to be in the same domain as the primary.  They will also be mirrored from the primary (with Double Take).  If we had total failure at the main site, we wish to be able to immediately begin operations at the hot site
    (after a fail over).  I freely admit that I am swimming out of my depth here.  I am not sure that I have selected the correct architecture or used the correct options in setting up the remote servers.  I am looking for information about what
    went wrong, and whether some other setup is more desirable.
    Thanks for any help, Russ
    Russ

    Philippe, thank you for you answers.  I do not understand everything you said but I will address each point as best I can:
    1. "In the remote site do you simply do a dcpromo / add the ADDS's role to make the server a active Domain Controller ?"  Yes, but I use the method described at
    http://technet.microsoft.com/en-us/library/cc753720(v=ws.10).aspx, The GUI method.  At step #8 I specified to use advanced mode so I could use the IFM file.
    2. "In your AD' Site and Service MMC, do you configured the remote site ?"  R do not know what you mean by this. How does one configure the site as 'remote'?
    3. "Do you added that remote server as a Global catalogue ?".  Yes, when I built the IFM file I specified to add the global catalog.
    4. "Do you added the PC in site 1, the IP of those DNS server in them ? (last of course) So the computer in the main site will talk to the remote server in case of a crash."  I am not sure I understand this item.  After the remote server
    was added, all of the members of both domain servers automatically appeared in the DNS of all servers in the domain.  I do not recall if the new items were last, but I expect that they would be.
    I have since reviewed the happenings with my associate and have a little more information.  The order of the problems and the actions taken are:
    1. Our primary (production) system was still working but extremely slow, and he observed that the slowness was caused by a lot of traffic with the remote site.  Rebooting the production server took over 25 minutes and the server to came up saying
    that domain information was not available.  After another 30 minutes or so he discovered that the domain data was now available and the server worked, but still slow.
    2. He did not check to verify that roles were held by the remote server, but he transferred all roles from the remote to the production server using ntdsutil.  I would expect that if the role was not held by the remote, the transfer command would have
    shown that fact.
    3. He then tried to demote the remote server but had an error that it could not be demoted because "the active directory service is missing mandatory configuration information".
    4. He forcefully demoted the remote server.
    5. After rebooting the production server again performance was slightly better but still slow (and the rebood was still very slow).
    6. After some research he removed the remote domain controller's meta data from the production server and then rebooted the production server again.
    At that point reboot was fast (under 5 minutes) and the production system was working at normal speed again.
    All of the above leads me to believe that somehow the FSMO roles got added to, or moved to the remote site when I used the IFM file to create the new domain controller.  However nothing I have read says that this should happen.  I hope someone
    here can give me a better answer as to what caused the problem, as I do not wish to interrupt our production system like this again.
    Thank you, Russ
    PS: Sorry for the delay in getting back to this but some other priorities took me away from it for a week.
    Russ

Maybe you are looking for