Windows Server Primary & Secondary Domain Controller Question
lulzchicken wrote:
Right now the DHCP is assigning 192.168.200.1 (DNS server) and 8.8.8.8 (Google's DNS) as DNS servers for each client. I don't necessarilly want to change these assignment settings,Yes, you do. This is absolutely the worst thing you can ever do with DNS. More details why here -> Ramblings of a Sysadmin: How to do DNS correctly
Primary and secondary DNS should ALWAYS be internal.
Your DNS Servers should use FORWARDERS go go out to google. That's the only place that should see google DNS servers in your environment.
Hi everyone, thank you for taking the time to listen.
I have successfully implemented an Active Directory setup using a Primary DC and a Secondary DC with Windows Server 2012 R2.
EL1 is my PDC and EL2 is my BDC.
Active Directory is in sync among the two Domain Controllers. Here is my question:
If I were to have a policy (Group Policy) that sets the wallpaper of each client machine to whatever is in the "\\EL1\Wallpaper\wp.jpg" - what would happen if I were to have that Domain Controller fail? That directory is no longer available due to the outage - even though the Backup Domain Controller will still be pushing out the policy (pointing to the down server).
My idea was to have that directory replicated on the Backup Domain Controller, "\\EL2\Wallpaper\wp.jpg" however - the policy will still be looking for the file in the Primary Domain...
This topic first appeared in the Spiceworks Community
Similar Messages
-
Biztalk 2013 R2 with Windows Server 2003 R2 Domain Controller
Hello, I have a client right who has a Windows Server 2003 R2 domain controller with active directory installed. Is there any reason why I can't install Biztalk 2013 on a Windows Server 2012 R2 box and add it to that farm to use active directory?
Thanks in advance,
-AdamBizTalk Server is only going to use the User Groups created in Domain Controller so ideally i don't think there will be any compatibility issue. Also there isn't any microsoft article which talks about BizTalk compatibility with respect to domain controller.
You will have to create all the Windows Groups and User Accounts in AD, before BizTalk Server configuration.
Windows Groups and User Accounts in BizTalk Server
Thanks,
Prashant
Please mark this post accordingly if it answers your query or is helpful. -
Windows Server 2008 R2 Domain Controller NOT logging EventID 4740
EventID 4740 (account lockout) is not being logged to the event viewer. When searching through the security log there are none to be found. Having accounts locked out and no logging is driving me nuts. Hope someone has run into this before. This is what
i have checked thus far.
>Windows Server 2008 R2 Domain Controller
>Verified the following GPO settings are set and correct:
>Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ all are set for Success & Failure
>Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff) is set for Success and Failure
>Powershell command Get-Eventlog -log Security -InstanceId 4740 returns no results which makes sense since there are no entries in the security log file.
>No 4740 entries in the netlogon.log debug file
AD and the LockoutStatus tool show the account is locked out but i still have nothing in the logs.
Anyone have any ideas? From everything i can find online , it appears i have everything set properly.
Thanks, ChicoHi Chico,
I suggest you try to enable this group policy below:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
More information for you:
Missing 4740 EventID's
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9871d72-7439-46b5-98e6-a7fadfa6ff28/missing-4740-eventids?forum=winserversecurity
If you have multiple Domain Controllers, check this event on other DCs, too.
Please feel free to let us know if there are any further requirements.
Best Regards,
Amy Wang -
Exchange 2007 RTM support with Windows Server 2012 R2 Domain Controller
Hi All,
I have not found any TechNet Article which states about the Windows Server 2012 R2 Active Directory domain controller operating system support with Exchange 2007 RTM, can some one please let me know that does Exchange 2007 RTM supports Windows Server 2012
R2 domain controller operating system, we are in the process of upgrading the domain controllers to 2012 R2 but not the forest and domain functional level to 2012 R2.
thanks
If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft LyncThere are several likely reasons for this. The most significant is that Exchange 2007 RTM is no longer supported (outside ot extended support, which is not going to include adding support for new operating systems):
http://support2.microsoft.com/lifecycle/default.aspx?LN=en-us&p1=10926
You'll note from the following -
http://technet.microsoft.com/library/ff728623(v=exchg.150).aspx - that only Exchange 2007 SP3 is currently supported in any environment.
HTH ... -
Server 2012 Secondary Domain Controller not picking up AD nor DNS responsibilities
I had a single Domain Controller providing AD, DNS and DHCP. I went through the steps to add a Secondary Domain Controller. All the AD and DNS info shows up in the Secondary Server, however, when my original Domain Controller is turned
off, the second Domain Controller is not taking over for AD and DNS.Hi Bayousmurf,
Good that you made some progress. However, can you please provide us the information on how you acheived transfering FSMO role to another DC since you had some issue earlier?
Your initial intention was to demote the original DC. Please follow the below link for the steps to demote the DC.
http://technet.microsoft.com/en-in/library/jj574104.aspx
Still if I power off the original DC the new one isn't taking up DNS. Still looking into the DNS...
Can you please elaborate what exactly you are looking for? When you power off original DC, you don't see DNS in new DC? Is your DNS active directory integrated? If not please follow the below procedure to make it as a AD integrated. Once done, then, power
off original DC and look in new DC to see if DNS shows up.
http://www.tomshardware.com/faq/id-1954324/configure-active-directory-integrated-dns-zone-windows-server-2012-dns-server.html
Thanks,
Umesh.S.K -
Add Windows Server 2012 R2 domain controller to Windows 2008 R2 domain
Hi,
Have today 2 x Windows Server 2008 R2 domain controllers, and domain and functional level 2008 R2.
We now want to replace these DC`s with Windows Server 2012 R2.
My plan is as follow
- Install and promote a Windows Server 2012 R2 as a 3 DC`s with a temporary hostname and IP as DC3
- Install and promote a second Windows Server 2012 R2 as a 4 DC`s with a temporary hostname and IP as DC4
- Decomiss DC1 and remove this host. Change the IP and hostname of the new DC3 to DC1
- Move FSMO roles from DC2 to DC1 and decomiss DC2
- Change the IP and hostname of the new DC4 to DC2
Will this be a ok progress ? I will offcours to have the DC`s replicate information between them before doing each task.
/Regards AndreasHi,
Only error i got running dcdiag was the following
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=local
......................... DC1 failed test NCSecDesc
Is this a problem ?
I would guess not since im not implementing a RODC ? Ref:
https://support.microsoft.com/en-us/kb/967482?wa=wsignin1.0
You can ignore it.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Deploy Windows Server 2012 R2 domain controller in 2008 domain
Hi,
We have three physical windows 2008 enterprise with SP1 32 bit domain controllers, we need to deploy two additional windows 2012 R2 standard as virtual machines on this domain. Do we need to install SP2 on the existing Windows 2008 sp1 DCs or we are fine?
What are other requirements?It is not required.
Just your Forest/Domain Functional level should be Windows Server 2003 or higher to be able to add Windows Server 2012 R2 DCs.
Please note that it is always recommended to have your Windows Operating Systems up-to-date to avoid known security attacks and known bugs.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Server 2012 secondary domain controller or Hyper-v Live replication
Hi all,
For a client am i building new servers.
The setup is simply, two Hyper-v servers and one fileserver.
But, what would be the best setup to do with the DC?
I can install a secondary DC, but i can also choose to make a live replication of the DC in Hyper-V.
What is the best, more important the safest option to choose?
Of course there is a backup running twice a day to make a full backup of the VM's.
Thanks in advance,
PatrickHonestly, I would recommend standing up a secondary DC. The problem with replication is if something get's hosed on the primary side of things you typically only have a limited amount of time before the bad changes get replicated over to the replica.
It's also a best practice to have multiple DC's for redundancy in your environment. -
Hi,
Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."
DC:windows Server 2008 R2
Domain functional level:Windows Server 2003
When Winxp join domain, have no this error message.
I checked http://support.microsoft.com/kb/2018583?wa=wsignin1.0 does't work.
There have 3 suggestion in this article:
1.The "Disable NetBIOS over TCP/IP" checkbox has been disabled in the IPv4 properties of the computer being joined.
Doesnt's work.
2.Connectivity over UDP port 137 is blocked between client and the helper DC servicing the join operation in the target domain.
On my DC, I run netstat -an, reslut as below:
UDP 192.168.20.3:137 *:*
3.The TCP/IPv4 protocol has been disabled so that the client being joined or the DC in the destination domain targeted by the LDAP BIND is running TCP/IPv6 only.
We are not using IPV6.
This server recently updated from Windows Server 2003 to Windows Server 2008 R2. Before upgrade, when Win7 and Win2008 join this domain, also have the same error message.
Please help to check this issue.
Thank you very much.
BR
Guo YingHuiHi Guo Ying,
I have faced this critical error which makes over-writes the host names in the domain when you join.
For example: Already you had a host name called as PC.domain.com in the domain.com Domain.
When you try to add the another host name called as PC in the domain.com Domain, it doesn't give you the duplicate name error on the network it does over-write the existing host name called as PC.domain.com & it will add the new host name into the domain.
Host name which got over-written will get removed from the domain. I faced this issue in my project. My DPM host name got removed from the Domain & new host name got joined into the domain which halted my backups for one day.
Final Resolution is as follows:
You need to start the dns console on the DC & drop down the domain name.
Select the _msdcs when you click on _msdcs it will show the Name Server's list on the right hand side.
You need to add the Domain Naming Master under the _msdcs or add all the domain controllers which you had.
After you add the Name server's try joining the PC OR Laptop to the domain which is successfully joins it.
Regards
Anand S
Thanks & Regards Anand Sunka MCSA+CCNA+MCTS -
Secondary domain controller not able to connect from work stations.
We are using primary and secondary domain controllers. In which the secondary domain controller act as a replication server. actually the problem occurs while accessing the secondary domain controller from work stations I get the following error:
"The trust relationship between this workstation and the primary domain failed".
Any one please give as a solution.
Thank you.Hi,
Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the computer account back to the domain.
There might be multiple reasons for this kind of behavior.
Here are a few of them:
Single SID has been assigned to multiple computers.
If the Secure Channel is Broken between Domain controller and workstations
If there are no SPN or DNS Host Name mentioned in the computer account attributes
Outdated NIC Drivers.
According your description, the second one may be the cause of your problem.
When a Computer account is joined to the domain, Secure Channel password is stored with computer account in domain controller. By default this password will change every 30 days (This is an automatic process, no manual intervention is required).
Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC.
If there are problems with system time, DNS configuration or other settings, secure channel’s password between Workstation and DCs may not synchronize with each other.
A common cause of broken secure channel [machine account password] is that the secure channel password held by the domain member does not match that held by the AD. Often, this is caused by performing a Windows System Restore (or reverting
to previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to the AD.
Follow below link which explains typical symptoms when Secure channel broken,
Typical Symptoms when secure channel is broken
http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx
For detailed information, please refer to the link below,
Troubleshooting AD: Trust Relationship between Workstation and Primary Domain failed
http://social.technet.microsoft.com/wiki/contents/articles/9157.troubleshooting-ad-trust-relationship-between-workstation-and-primary-domain-failed.aspx
Hope this helps.
Steven Lee
TechNet Community Support -
Secondary Domain Controller Not Authenticating Domain Users
Hi.
I have a primary domain controller running Win Srv 2012 in USA and i added a secondary domain controller 2012 in the same domain from a different location India, through VPN.so that India user accounts can authenticate by the secondary DC instead of primary
DC USA
Installation & replication of AD went fine
India domain users login is damn slow.
When i ran the command echo %logonserver% from a india client machine,it displays the USA Primary DC name which means its authenticating the users from USA primary DC.
Preferred DNS for india client machine is Secondary DC IP and alternate is Primary DC IP USA.
Please find the dcdiag results below and any help much appreciated
Performing initial setup:
Trying to find home server...
Home Server = server2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: INDIA\server2
Starting test: Connectivity
......................... server2 passed test Connectivity
Doing primary tests
Testing server: INDIA\server2
Starting test: Advertising
Warning: DsGetDcName returned information for \\server1.tst.mycompany.com, when we were trying to reach
server2.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... server2 failed test Advertising
Starting test: FrsEvent
......................... server2 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after th
replication problems may cause Group Policy problems.
......................... server2 failed test DFSREvent
Starting test: SysVolCheck
......................... server2 passed test SysVolCheck
Starting test: KccEvent
......................... server2 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... server2 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... server2 passed test MachineAccount
Starting test: NCSecDesc
......................... server2 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\server2\netlogon)
[server2] An net use or LsaPolicy operation failed with error 67,
......................... server2 failed test NetLogons
Starting test: ObjectsReplicated
......................... server2 passed test ObjectsReplicated
Starting test: Replications
......................... server2 passed test Replications
Starting test: RidManager
......................... server2 passed test RidManager
Starting test: Services
......................... server2 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0xA004001B
Time Generated: 02/22/2015 17:10:30
Event String: Intel(R) 82574L Gigabit Network Connection
A warning event occurred. EventID: 0x000727A5
Time Generated: 02/22/2015 17:11:24
Event String: The WinRM service is not listening for WS-Manageme
An error event occurred. EventID: 0x0000271A
Time Generated: 02/22/2015 17:11:24
Event String:
The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not regist
A warning event occurred. EventID: 0xA004001B
Time Generated: 02/22/2015 17:12:41
Event String: Intel(R) 82574L Gigabit Network Connection
A warning event occurred. EventID: 0x000003F6
Time Generated: 02/22/2015 17:19:36
Event String:
Name resolution for the name mycompany.com timed out after none
A warning event occurred. EventID: 0x00001796
Time Generated: 02/22/2015 17:28:54
Event String:
Microsoft Windows Server has detected that NTLM authentication i
his server. This event occurs once per boot of the server on the first time
A warning event occurred. EventID: 0x000727A5
Time Generated: 02/22/2015 17:33:35
Event String: The WinRM service is not listening for WS-Manageme
A warning event occurred. EventID: 0x00001796
Time Generated: 02/22/2015 17:35:54
Event String:
Microsoft Windows Server has detected that NTLM authentication i
his server. This event occurs once per boot of the server on the first time
......................... server2 failed test SystemLog
Starting test: VerifyReferences
......................... server2 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValida
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValida
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidat
Running partition tests on : tst
Starting test: CheckSDRefDom
......................... tst passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... tst passed test CrossRefValidation
Running enterprise tests on : tst.mycompany.com
Starting test: LocatorCheck
......................... tst.mycompany.com passed test LocatorChec
Starting test: Intersite
......................... tst.mycompany.com passed test IntersiteHi.
I have a primary domain controller running Win Srv 2012 in USA and i added a secondary domain controller 2012 in the same domain from a different location India, through VPN.so that India user accounts can authenticate by the secondary DC instead of primary
DC USA
Installation & replication of AD went fine
India domain users login is damn slow.
When i ran the command echo %logonserver% from a india client machine,it displays the USA Primary DC name which means its authenticating the users from USA primary DC.
Preferred DNS for india client machine is Secondary DC IP and alternate is Primary DC IP USA.
Firstly make sure that you have configured sites and subnets correctly. According to your information which you have two locations, you should have at least 2 sites and 2 subnets associated to them. If you have forgotten to configure subnets of India in your
site and services and assigned them to the India site you are experiencing this issue. Also make sure if clients in India has appropriate network connectivity to the domain controllers in India.
Mahdi Tehrani |
|
www.mahditehrani.ir
Please click on Propose As Answer or to mark this post as
and helpful for other people.
This posting is provided AS-IS with no warranties, and confers no rights.
How to query members of 'Local Administrators' group in all computers? -
Upgrading Domain Controller Questions
Hello, we currently have 2 domain controllers in our environment, both with Server 2003 R2. We are looking to upgrade them one at a time to 2008 R2 but I have some questions.
Here's the environment:
Server 1 (the one we are going to upgrade first):
Server 2003 R2
Domain Controller
DHCP Server
DNS Server
Server 2 (we will be upgrading this in the near future but not just yet):
Server 2003 R2
Domain Controller
DHCP Server
DNS Server
File Server with most of the company data
We also have DNS replication set up between the two servers.
My questions:
Will we run into any issues having two domain controllers with different Operating Systems?
We would like for the domain controllers to keep the same names and IP's. Any issues with that?
How will we stop, then re-setup DNS replication between the two servers?
Any other 'gotcha's' we should be aware of?
Dan Chandler-KleinI don't see any reason why not keeping old name and IP.
Before upgrading make sure AD has no issues:
look at the event viewer, run DCDiag, replication runs clean (repadmin /showrepl) etc.
OS has no warning/errors.
Not must but I would move the FSMO roles to another DC before demote.
Make sure applications installed on the new DC's (AV\Backup agents etc.) support Windows 2008 R2 OS.
Make sure all your network applications in your environment support working with Windows 2008 R2 DC - I recommend test it in lab first.
Make sure that the DC you are about to demote not holding CA role.
Most important:
Make sure you successfully demote the old DC and no records left in DNS.
I'm not agree with evrimicelli about DC's naming and I wouldn't go for CNAME record - this can get you in many troubles in the future.
after demote the old DC, I would rename it or remove it from the domain, than you can rename the new server with old Dc name and promote it to DC with old DCs' IP address.
I didn't understand the question about DNS replication.
What kind of DNS zone do host? if its AD integrated (and thats what you should have), you don't need to configure any replication, AD integrated DNS zone replicate as part of AD replication between your two DC's.
Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks. -
Which Server Version for Domain Controller do I Need
Hello
We are currently running two domain controllers with Server 2003 on them. We have a standard TCP/IP star topology networking including web servers, files servers, sql, iis etc.
We are upgrading 5 of our servers to 2012r2 and are using them as "host" servers for upgraded IIS (2012r2) and WebGrabber (2008r2) servers and these servers will be set up as virtual machines (the IIS and web grabbers) on the hosts.
My question is will using Windows Server 2003 domain controllers cause issues in the advanced settings in 2012r2 and Hyper-V? Should we upgrade our Domain Controllers and if so to what version? 2008r2 or 2012r2?
Thanks!
Theresa Greene
Theresa GreeneMy question is will using Windows Server 2003 domain controllers cause issues in the advanced settings in 2012r2 and Hyper-V? Should we upgrade our Domain Controllers and if so to what version? 2008r2 or 2012r2?
At least Windows Server 2012
I highly recommend to upgrade the Domain Controllers to at least Windows Server 2012.
Besides the new functionality described by others in this thread, Windows Server 2012-based Domain Controllers (and beyond) offer virtualization safeguards, building on the VM-GenerationID offered by your new virtualization platform. This functionality helps
to protect your Domain Controllers from USN rollbacks and Lingering Objects. It also unlocks the Domain Controller Cloning functionality, that may help you deploy your five Domain Controllers faster and more streamlined.
More information:
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe
Active Directory
New features in AD DS in Windows Server 2012, Part 13: Domain Controller
Cloning
Cases where VM-GenerationID doesn’t help make Active Directory virtualization-safe, Part
1
Cases where VM-GenerationID doesn’t help make Active Directory virtualization-safe, Part
2
Getting to Windows Server 2012
In terms of getting your Active Directory to Windows Server 2012, there's good news and slightly bad news. The bad news is you can't in-place upgrade your Domain Controllers to Windows Server 2012. The good news: This makes the transition scenario
more appealing.
Instead of upgrading your Domain Controllers on their physical hardware, and, then, convert them to virtual machines, you can build new virtual Windows Server 2012 Domain Controllers, while your Windows Server 2003 Domain Controllers remain running.
Then, when you're ready to get rid of your Windows Server 2003 Domain Controllers, you simply demote them and remove them from your network. I've written a detailed step-by-step on this:
Transitioning your Windows Server
2003 Domain Controllers to Windows Server 2012 -
Configuring group policy for user profiles in Windows Server 2012 R2 Domain
Requesting some experts advise on configuring group policy for user profiles.
We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
The settings which I am concerned:
1. Folder Redirection: Desktop, Documents, Favorites.
2. Quota for Folder Redirection - 1 GB per user.
3. Map a networked drive - 1 GB per user.
4. Roaming profile - (Will ignore if it does not suit our requirement).
The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
Thanks a lot for your valuable time and efforts.Hi,
>>The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
This depends on where our outlook data files are stored. If these data files are stored under
drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
However, regarding your question, we can refer to the following thread to find the solution.
Roam outlook profiles without roaming profiles
http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
Configuring Folder Redirection
http://technet.microsoft.com/library/cc786749.aspx
Hope it helps.
Best regards,
Frank Shen -
I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
Default Domain Controllers Policy
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change No Auditing
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation SuccessHi Lawrence,
After configuring the GPO, did we run command gpupdate/force to update the policy immediately on domain controller? Besides, please run command gpresult/h c:\gpreport.html to check if the audit policy
setting was applied successfully.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen
Maybe you are looking for
-
My old computer has died. How can I retreive my itunes library and playlists to put on my new computer? I don't think it was saved in cloud. Does itunes have this info that I can get?
-
Hi, I'm new to PL/SQL XML programming. I have difficulty in getting the childnode name and its value. Can you please give me a code snippet about this? Below is my XML sample. <INFORMATION> <ADDRESS> <CITY>NEW JERSEY</CITY> </ADDRESS> <ADDRESS> <CITY
-
Rman level 1 is taking same time as level 0 in oracle 9i
Hi experts, what is exact difference b/w incremental backup(level 1) in oracle 9i/10g, out prod db is oracle 9.2.0.8, we are planing to implement rman on production but we have tested one of test db, but it has taken same time as full backup(level 0)
-
I have couple of jsf pages in adfc-config. Also, I have a bounded task flow. I want to invoke this bounded tf after users entered data in those unbounded tf pages. Thank you.
-
How do you get firefox not to report personal information
A federal Goverment Agency posted some of my personal information on the web and is doing so illigally in violation of the privacy act, and other reporting laws, can some one tell me how to get Fire Fox not to report this illegal information ?