10.5.7 server as primary domain controller
Setting up a 10.5.7 server -
Server is setup as a open directory master, I want it also to be a primary domain controller (smb).
But when I try to change it from Standalone Server to primary domain controller, using my directory admin user id and password, it just reverts back to standalone server. tried it with smb running and not running.
Any ideas ?
Having the same issue with Leopard Server 10.5.8.
SMB was previously set up as a "Domain Member" and now I want to make it a "Primary Domain Controller".
After reboot, the Role always reverts back to "Domain Member".
Any ideas?
Similar Messages
-
Sun Directory Server as Primary Domain Controller.
Hello,
I've recently installed Sun Directory Server, Access Manager, and DSEE Identity Manager, on CentOS 5.2, with success, but my question is:
Can I use this directory as a primary domain controller for my network, I want to know if it is possible to integrate this directory in the same way that Active Directory works, I mean connecting Windows computers to the DC with some kind of connector (because windows won't connect to another directory than AD natively). I know that there are some MSGina replacements, like pgina, but I'm looking for some serious solution, especially for computers running Windows Vista.
Thanks in advance.Hi,
thanks for your answer, but.. there is a way to configure the DSEE to be like a native 2000/2003 Active Directory?, I mean, connecting directly to the DSEE without using Samba, I know that is possible to use that solution, but you lose some functionality.
I've been trying to do some research about the topic, like modifying the bind DNS to act like a AD DNS, and it works at a certain grade, windows xp detects the SVR records but when it tries to connect to the directory it fails giving me an error telling that the DC isn't available. It will be great to make such environment, Windows XP / Vista connected to DSEE without third party software.
Any comment would be greatly appreciated.
Thanks. -
Solaris 11 server as Primary Domain Controller
Hi,
All of our servers run Solaris (currently 10, but looking to upgrade to 11). In each of our offices we have one server configured as a Primary Domain Controller via Samba to provide naming services to our Windoze users. I would like to continue with that arrangement, but I would also like to leverage the built-in SMB/CIFS support.
My question is this: is this an either/or proposition? That is, if I want to run my server as a PDC, does that mean I use the traditional Samba implementation and cannot use the built-in SMB/CIFS services?
I've reviewed the Solaris docs, but I don't see any mention of this topic.
Thanks,
BillWell, they have an entire manual dedicated to the SMB/CIFS services in S11 ( [Oracle Solaris Administration: SMB and Windows Interoperability|http://docs.oracle.com/cd/E23824_01/html/821-1449/index.html] ). In that manual, they go into great detail on how to configure your S11 server as a member of an AD domain or a Windoze workgroup using the built-in SMB/CIFS support (which sounds a lot like the white paper you reference). The PDC technique is a pre-AD concept (WinNT) that Samba 3.x does a nice job of emulating (I've been using it since at least Solaris 9, and maybe even 8?). The Samba docs dedicate an entire chapter to using Samba 3.x as a domain controller ([Chapter 4. Domain Control|http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html]).
Yes, AD is LDAP+Kerberos, and that's what making a S11 server a member of the AD domain leverages since the PAM modules that are included with Solaris support both. The problem is that we don't run any Windows Server machines (licensing costs are ridiculous if all you need it for is an AD server). The PDC approach with Samba is a very affordable, flexible alternative to running a WIndows server. The aforementioned chapter in the Samba documentation references AD, and says that the Samba Domain Control feature is not AD (and may never be).
Thanks for your reply.
Bill -
Adding a Server 2008 R2 Domain Controller at a remote site
Hello. I have been trying to set up a hot site at a remote location. The story is long and involved but a few weeks ago it seemed to be finally working. Our setup is two mirrored 2008 R2 servers at main site, mirrored with Double Take.
The hot site is the same except that so far I only had one server working. The two sites connected via site to site VPN.
About a week later our primary server basically crashed. At first it worked but very slowly. I was on vacation at the time and so I am not sure of the sequence of events, or exactly what errors were presented, but my associate first tried rebooting.
It took over 20 minutes to boot and then it said something to the effect that no domain controllers were available (not sure about this message). He then discovered that the server at the remote site had some fsmo roles assigned to it. He transferred
the roles to the primary at the main site and then demoted the remote server to a workstation (but still a domain member).
After that, rebooting the primary was much faster and everything at the primary site is working again. Now I want to set the remote site up again, but avoid the problem. The way I originally set up the remote server was to use an IFM file, generated
from our primary. This should have made the remote server a catalog server, with DNS (which it did), but as far as I know should not have transferred any fsmo roles.
The remote server(s) are wanted to be in the same domain as the primary. They will also be mirrored from the primary (with Double Take). If we had total failure at the main site, we wish to be able to immediately begin operations at the hot site
(after a fail over). I freely admit that I am swimming out of my depth here. I am not sure that I have selected the correct architecture or used the correct options in setting up the remote servers. I am looking for information about what
went wrong, and whether some other setup is more desirable.
Thanks for any help, Russ
RussPhilippe, thank you for you answers. I do not understand everything you said but I will address each point as best I can:
1. "In the remote site do you simply do a dcpromo / add the ADDS's role to make the server a active Domain Controller ?" Yes, but I use the method described at
http://technet.microsoft.com/en-us/library/cc753720(v=ws.10).aspx, The GUI method. At step #8 I specified to use advanced mode so I could use the IFM file.
2. "In your AD' Site and Service MMC, do you configured the remote site ?" R do not know what you mean by this. How does one configure the site as 'remote'?
3. "Do you added that remote server as a Global catalogue ?". Yes, when I built the IFM file I specified to add the global catalog.
4. "Do you added the PC in site 1, the IP of those DNS server in them ? (last of course) So the computer in the main site will talk to the remote server in case of a crash." I am not sure I understand this item. After the remote server
was added, all of the members of both domain servers automatically appeared in the DNS of all servers in the domain. I do not recall if the new items were last, but I expect that they would be.
I have since reviewed the happenings with my associate and have a little more information. The order of the problems and the actions taken are:
1. Our primary (production) system was still working but extremely slow, and he observed that the slowness was caused by a lot of traffic with the remote site. Rebooting the production server took over 25 minutes and the server to came up saying
that domain information was not available. After another 30 minutes or so he discovered that the domain data was now available and the server worked, but still slow.
2. He did not check to verify that roles were held by the remote server, but he transferred all roles from the remote to the production server using ntdsutil. I would expect that if the role was not held by the remote, the transfer command would have
shown that fact.
3. He then tried to demote the remote server but had an error that it could not be demoted because "the active directory service is missing mandatory configuration information".
4. He forcefully demoted the remote server.
5. After rebooting the production server again performance was slightly better but still slow (and the rebood was still very slow).
6. After some research he removed the remote domain controller's meta data from the production server and then rebooted the production server again.
At that point reboot was fast (under 5 minutes) and the production system was working at normal speed again.
All of the above leads me to believe that somehow the FSMO roles got added to, or moved to the remote site when I used the IFM file to create the new domain controller. However nothing I have read says that this should happen. I hope someone
here can give me a better answer as to what caused the problem, as I do not wish to interrupt our production system like this again.
Thank you, Russ
PS: Sorry for the delay in getting back to this but some other priorities took me away from it for a week.
Russ -
Hi,
I have Windows Server 2008 Enterprise and have
2 Domain Controllers in my Company:
Primary Domain Controller (PDC)
Additional Domain Controller (ADC)
My (PDC) was down due to Hardware failure, but somehow I got a chance to get it up and transferred
(5) FSMO Roles from (PDC) to (ADC).
Now my (PDC) is rectified and UP with same configurations and settings. (I did not install new OS or Domain Controller in existing PDC Server).
Finally I want it to move back the (FSMO Roles) from
(ADC) to (PDC) to get UP and operational my (PDC) as Primary.
(Before Disaster my PDC had 5 FSMO Roles).
Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
Example like (FSMO Roles Distribution between both Servers) should be……. ???
Primary Domain Controller (PDC) Should contains:????
Schema Master
Domain Naming Master
Additional Domain Controller (ADC) Should contains:????
RID
PDC Emulator
Infrastructure Master
Please let me know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles.
I will be waiting for your valuable comments.
Regards,
Muhammad DaudHere I want to know the best practice
and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
There is a good article I would like to share with you:http://oreilly.com/pub/a/windows/2004/06/15/fsmo.html
For me, I do not really see a need to have FSMO roles on multiple servers in your case. I would recommend making it simple and have a single DC holding all the FSMO roles.
In case if
Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
No. This is not true. Each FSMO role is unique and if a DC fails, FSMO roles will not be automatically transferred.
There is two approaches that can be followed when an FSMO roles holder is down:
If the DC can be recovered quickly then I would recommend taking no action
If the DC will be down for a long time or cannot be recovered then I would recommend that you size FSMO roles and do a metadata cleanup
Attention! For (2) the old FSMO holder should never be up and online again if the FSMO roles were sized. Otherwise, your AD may be facing huge impacts and side effects.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password -
I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
Default Domain Controllers Policy
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change No Auditing
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation SuccessHi Lawrence,
After configuring the GPO, did we run command gpupdate/force to update the policy immediately on domain controller? Besides, please run command gpresult/h c:\gpreport.html to check if the audit policy
setting was applied successfully.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen -
Biztalk 2013 R2 with Windows Server 2003 R2 Domain Controller
Hello, I have a client right who has a Windows Server 2003 R2 domain controller with active directory installed. Is there any reason why I can't install Biztalk 2013 on a Windows Server 2012 R2 box and add it to that farm to use active directory?
Thanks in advance,
-AdamBizTalk Server is only going to use the User Groups created in Domain Controller so ideally i don't think there will be any compatibility issue. Also there isn't any microsoft article which talks about BizTalk compatibility with respect to domain controller.
You will have to create all the Windows Groups and User Accounts in AD, before BizTalk Server configuration.
Windows Groups and User Accounts in BizTalk Server
Thanks,
Prashant
Please mark this post accordingly if it answers your query or is helpful. -
Windows Server 2008 R2 Domain Controller NOT logging EventID 4740
EventID 4740 (account lockout) is not being logged to the event viewer. When searching through the security log there are none to be found. Having accounts locked out and no logging is driving me nuts. Hope someone has run into this before. This is what
i have checked thus far.
>Windows Server 2008 R2 Domain Controller
>Verified the following GPO settings are set and correct:
>Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ all are set for Success & Failure
>Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff) is set for Success and Failure
>Powershell command Get-Eventlog -log Security -InstanceId 4740 returns no results which makes sense since there are no entries in the security log file.
>No 4740 entries in the netlogon.log debug file
AD and the LockoutStatus tool show the account is locked out but i still have nothing in the logs.
Anyone have any ideas? From everything i can find online , it appears i have everything set properly.
Thanks, ChicoHi Chico,
I suggest you try to enable this group policy below:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
More information for you:
Missing 4740 EventID's
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9871d72-7439-46b5-98e6-a7fadfa6ff28/missing-4740-eventids?forum=winserversecurity
If you have multiple Domain Controllers, check this event on other DCs, too.
Please feel free to let us know if there are any further requirements.
Best Regards,
Amy Wang -
Exchange Server 2013 and Domain Controller
Hello,
I am planning to install domain controller and exchange server 2013 in same server hardware. Is that not recommended? If not, why is it no recommended?
Thank you in advance,thanks for such a quick response.
Just a small question about the link that you put. Does member server mean other server other than domain controller?
Regards,
Yes, Also the server on which you are installing Exchange should have exchange installed.
Cheers,
Gulab Prasad
Technology Consultant
Blog:
http://www.exchangeranger.com Twitter:
LinkedIn:
Check out CodeTwo’s tools for Exchange admins
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. -
Promote this server to a domain controller still appears
Hi All, I've change one DC 2003 with a new DC 2012 in my forest (I've 4 DC e 3 sites) following these steps:
1 - Demote DC 2003
2 - Remove DNS 2003 Role
3 - Rename e change IP on Server 2003
4 - Waiting and verify replica
5 - Give the same Hostname and IP of Server 2003 to New DC 2012
5 - Add Role AD Directory Service and when finished I use the notification "promote this server to a domain controller" to promote it to a member domain controller.
6 - After reboot the notification STILL APPEARS, but it result as a DC and all work fine.
Any help me?
ThanksHi Federico,
Can you please confirm, whether you are seeing the notification as given in the below screenshot,
This notification implies that “Active Directory Domain Services” role binaries have been installed and now it is time to promote the server to a Domain Controller.
Checkout the below link on Step-by-Step Guide for Setting Up A Windows Server 2012 Domain Controller,
http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
Regards,
Gopi
www.jijitechnologies.com -
Unable to edit Default Domain policy on Server 2012 R2 domain controller
Hello,
I recently built a Server 2012 R2 domain controller and added it to my domain. When trying to edit the default domain policy I get the following error:
I can make edits to other GPO objects. All the other domain controllers are Server 2008 and are able to edit that GPO. The issue is on the Server 2012 box only. I've checked the delegated permissions, I'm a domain admin, and have opened
GPMC as administrator. Does anyone know what I'm missing? Thank you for your time.
TinoHi Tino,
>>Could that be the problem?
I don't think so, for we can still use FRS to replicate Sysvol. However, it is recommended that we use DFSR to replicate Sysvol if our domain
function level is Windows Server 2008 or above.
Besides, we can follow the suggestions from the following thread to check out which replication mechanism we are using.
DFS-R on 2008 R2 by default?
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8f2042d3-193d-4414-b9da-cbcedc6a4c32/dfsr-on-2008-r2-by-default?forum=winserverDS
If the Sysvol is replicated by FRS mechanism, as I suggested in the last reply, we can do a non-authoritative restore for the Sysvol on the new Windows
Server 2012. This will restore the Sysvol from a healthy DC.
To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
1. Click Start, and then click Run.
2. In the Open box, type cmd and then press ENTER.
3. In the Command box, type net stop ntfrs.
4. Click Start, and then click Run.
5. In the Open box, type regedit and then press ENTER.
6. Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
7. In the right pane, double-click BurFlags.
8. In the Edit DWORD Value dialog box, type D2 and then click OK.
9. Quit Registry Editor, and then switch to the Command box.
10. In the Command box, type net start ntfrs.
11. Quit the Command box.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Hope it helps.
Best regards,
Frank Shen -
Exchange 2007 RTM support with Windows Server 2012 R2 Domain Controller
Hi All,
I have not found any TechNet Article which states about the Windows Server 2012 R2 Active Directory domain controller operating system support with Exchange 2007 RTM, can some one please let me know that does Exchange 2007 RTM supports Windows Server 2012
R2 domain controller operating system, we are in the process of upgrading the domain controllers to 2012 R2 but not the forest and domain functional level to 2012 R2.
thanks
If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft LyncThere are several likely reasons for this. The most significant is that Exchange 2007 RTM is no longer supported (outside ot extended support, which is not going to include adding support for new operating systems):
http://support2.microsoft.com/lifecycle/default.aspx?LN=en-us&p1=10926
You'll note from the following -
http://technet.microsoft.com/library/ff728623(v=exchg.150).aspx - that only Exchange 2007 SP3 is currently supported in any environment.
HTH ... -
Exchange server-Removing a Domain Controller from the forest
Hi Guys,
I need some help on removing a faulty domain controller from the AD forest. Here is the scenario:
1. The FSMO roles have been seized to a new domain controller already.
2. The old one is non-functional and is down for ever.
I know the steps would be doing a meta-data cleanup And then remove some of the DNS entries related to the old server. But the real issue is:
> I have Exchange 2013 running in one of the machines configured in the Forest, which was migrated from the old Domain controller. I then set Exchange listening to the new domain controller.
So, my doubt is, if I delete the old domain controller and do a metadata cleanup, would it have any effect on the exchange server? The Exchange machine acts as an additional domain controller as well. Its a production environment and any
change that affects Exchange would cause a big loss. Looking forward for your valuable suggestions..
Regards,
NashHi Ed,
I don't have issues with the AD on the Exchange server. Eventhough it is configured as an AD, Exchange is pointed to the main working domain controller, which is a different machine. I just want to remove the traces of an old domain controller from which
I transferred the FSMO roles to the new domain controller. The old domain controller is completely down and hence I can't do a conventional 'dcpromo' on it. So just planning to do a 'metadata clean up' for removing the non-working DC from the forest.
So, In essence, I just want to know that, if I do a metadata cleanup, would it affect the Exchange server in any way?
Regards,
Nash -
Promoting a server to a Domain Controller
Quick question - I am just trying to satisfy my curiosity.
I was reviewing our network at our new company and it looks like I have a Domain Controller using a DHCP address.
I know best practice is to use a static address, but is it even possible to promote a server using that is using a DHCP address?
ThanksYes, it is possible to promote a DC using a DHCP address. You will receive a warning that says that you are not using a static IP when promoting your DC.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password -
Server 2012 Secondary Domain Controller not picking up AD nor DNS responsibilities
I had a single Domain Controller providing AD, DNS and DHCP. I went through the steps to add a Secondary Domain Controller. All the AD and DNS info shows up in the Secondary Server, however, when my original Domain Controller is turned
off, the second Domain Controller is not taking over for AD and DNS.Hi Bayousmurf,
Good that you made some progress. However, can you please provide us the information on how you acheived transfering FSMO role to another DC since you had some issue earlier?
Your initial intention was to demote the original DC. Please follow the below link for the steps to demote the DC.
http://technet.microsoft.com/en-in/library/jj574104.aspx
Still if I power off the original DC the new one isn't taking up DNS. Still looking into the DNS...
Can you please elaborate what exactly you are looking for? When you power off original DC, you don't see DNS in new DC? Is your DNS active directory integrated? If not please follow the below procedure to make it as a AD integrated. Once done, then, power
off original DC and look in new DC to see if DNS shows up.
http://www.tomshardware.com/faq/id-1954324/configure-active-directory-integrated-dns-zone-windows-server-2012-dns-server.html
Thanks,
Umesh.S.K
Maybe you are looking for
-
I have an MacBook Pro 10.6, using disk utility I tried to verify my disk, but it came up with the message, please use your start up disk, I tried this, starting the computer up and pressing C, but it ejected the disk, the same thing happened while I
-
I have an issue. All the sounds work fine but sometimes I put it into silent mode because of a meeting. When I switch it out of silent mode though, the text message sound doesn't always reappear although the ring tone does. It doesn't always happen b
-
Can a workflow e-mail notif. only show fields that have changed?
I'd like to send an e-mail to an end user whenever any field in a Solution has changed. The e-mail notification workflow for my Solution works and starts out like this: (PRE('<ModifiedDate>') <> [<ModifiedDate>]) AND... However, I run into max charac
-
Java Memory Management/Out of Memory
Hi Guys, I have a few questions about java memory management Because i keep encounter a lot of out of memory error which i think java does not handle Vector/ArrayList re initialisation automatically Asumme i have 2 million record in database and , i
-
HTT ratio, what does it do?
I'm new at this A64 stuff so bear with me. As far as the cpu multipler and FSB speeds go I understand, but the HTT stuff thrown in the mix is confusing me. When the HTT is set to 1x, 2x, etc what is it actually changing and why would I want to ch