Downgrade of Windows 2012 r2 to Windows 2012 Domain Service Active Directory
I have an uncertainty. We used the adprep /forest and adprep /domain tools from Windows 2012 R2 to update the domain Active Directory. But after promoting a domain controller to Windows 2012 R2, we realized that a tool we use to authenticate computer accounts is not supported for domain controllers on Windows 2012 R2. Here comes the question: can I directly install and promote a Windows 2012 domain controller without running the adprep /forest and adprep /domain tools of Windows 2012?
I hope I have been clear.
Thanks.
Hello,
As others mentioned, there is no problem promoting a Windows Server 2012 DC into the domain, as the functional level is fine for this.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
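An added example, not from Meinolf's reply or from the original thread, for checking the two facts the question turns on: whether the forest schema already carries the 2012 R2 extensions, and whether the forest and domain functional levels still permit a Windows Server 2012 (non-R2) domain controller. It assumes the ActiveDirectory RSAT module is installed on the admin host; the version table lists the schema objectVersion values Microsoft publishes for each release.

```powershell
# Added example: report schema version and functional levels before promoting a
# Windows Server 2012 (non-R2) DC. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# objectVersion values Microsoft publishes for each schema level.
$schemaVersions = @{
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016'
    88 = 'Windows Server 2019'
}

function Get-AdUpgradeState {
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $version = [int]$schema.objectVersion
    $level   = if ($schemaVersions.ContainsKey($version)) { $schemaVersions[$version] } else { 'unknown' }

    # adprep only ever raises objectVersion, so 69 (2012 R2) also satisfies a 2012 DC's
    # requirement of 56; what blocks the promotion is a functional level above 2012.
    $can2012Dc = ($version -ge 56) -and
                 ($forest.ForestMode -notmatch '2012R2|2016|2025') -and
                 ($domain.DomainMode -notmatch '2012R2|2016|2025')

    [PSCustomObject]@{
        SchemaObjectVersion = $version
        SchemaLevel         = $level
        ForestMode          = $forest.ForestMode
        DomainMode          = $domain.DomainMode
        SchemaMaster        = $forest.SchemaMaster
        Can2012DcBePromoted = $can2012Dc
    }
}

Get-AdUpgradeState | Format-List
```

Run it on any domain-joined admin host as a user who can read the schema naming context; the output makes explicit what the reply above states, that a 2012 DC can still be added after the R2 adprep as long as the functional levels have not been raised to 2012 R2.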
Similar Messages
-
Windows Server 2008 R2 - Active Directory Replication over DynDNS
Hello,
I have one server running Windows Server 2008 R2 with Active Directory / DNS.
Now some users have shifted to a new office together with the server.
Some users are still in the original place, which now doesn't have AD DS/DNS.
I want to install one replication server in the original place to retrieve AD/DNS from the new office via DynDNS.
Is that possible or not?
Best regards, Badr
I don't think you want AD replication occurring over the internet - even if that was possible the server would need access to all the SRV records, A records, and all the ports required for communication - see here for an exhaustive list:
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx - I don't think I have to tell you how bad opening all these ports to the internet would be.
You may want to look at setting up a VPN or DirectAccess from the original site to the new site. This will give you more security and generally won't cost too much.
http://technet.microsoft.com/en-us/network/dd420463.aspx
Another thing that may work for you would be to set up Remote Desktop Services in the new location and have the original location remote in via a gateway server -
http://blogs.technet.com/b/windowsserver/archive/2012/05/09/windows-server-2012-remote-desktop-services-rds.aspx as a starting point. With RDS your users would be able to access the new location from anywhere, although there would be upfront costs associated, licensing and server being part of them - I don't recommend turning your domain controller into an RDS server. These are just some ideas to help you with your issue -
I have a user who all of a sudden was not able to open 70% of her files located on a file server (Windows Server 2003 running Active Directory) from her laptop. The same user can access all the same files from a different machine, logging on with the same credentials. Just looking for a point in the right direction and a possible theory as to what could cause this problem, and why all of a sudden. I did go back through the logs but nothing sticks out. For the most part the logs on the server and the laptop are pretty clean.
Both machines are Latitude E5420s running Windows 7 Enterprise Service Pack 1. Both machines are 64-bit and connect to the network via hard-wire, not wireless.
Thanks in advance.
Grajek
I would recommend proceeding this way:
Check that your DCs are in a healthy state and AD replication is fine: it might be that the user is a member of security groups and the membership is not getting replicated properly, which can cause this random behavior. You can use dcdiag and repadmin for checks, and you can refer to my recommendations here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
Make sure that the file server is reachable from the user's client computer. Start with ping and nslookup. Also, you need to make sure that the traffic between the client and the server is not blocked or filtered. You might want to temporarily disable security software for testing.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
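The two checks in the reply above (replication health, then reachability of the file server) as an added PowerShell example; this is not Ahmed's code and not taken from his linked article. It assumes the ActiveDirectory module on a Windows Server 2012 or later admin host, a single-domain forest, and the placeholder user and file server names shown.

```powershell
# Added example: replication and membership check for a user who suddenly lost
# access to files. Assumes the ActiveDirectory module, a single-domain forest,
# and these placeholder names.
Import-Module ActiveDirectory
$user       = 'jdoe'              # placeholder: affected sAMAccountName
$fileServer = 'fs01.example.com'  # placeholder: the file server

# 1. Replication failures reported by any DC in the domain (the repadmin view).
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# 2. The user's group membership as each DC currently sees it. The access token is
#    built by whichever DC authenticates the logon, so one stale DC is enough to
#    explain "works from machine A, fails from machine B".
$perDc = @(foreach ($dc in Get-ADDomainController -Filter *) {
    $groups = Get-ADPrincipalGroupMembership -Identity $user -Server $dc.HostName |
              Select-Object -ExpandProperty SamAccountName | Sort-Object
    [PSCustomObject]@{ DC = $dc.HostName; Groups = ($groups -join ',') }
})
$perDc | Format-Table -AutoSize

# 3. Flag any DC whose membership list differs from the first DC's.
$reference = $perDc[0]
$perDc | Where-Object { $_.Groups -ne $reference.Groups } |
    ForEach-Object { Write-Warning "Group membership on $($_.DC) differs from $($reference.DC)" }

# 4. Name resolution and SMB reachability from this client to the file server.
Resolve-DnsName -Name $fileServer -Type A | Select-Object Name, IPAddress
(Test-NetConnection -ComputerName $fileServer -Port 445).TcpTestSucceeded
```

Step 4 is meant to be run on the affected laptop; a false `TcpTestSucceeded` there, with a true result from the working machine, points at the client-side filtering the reply mentions rather than at the directory.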
VDI 3.4 Integrate with Windows Server 2008 R2 Active Directory
OK, I followed the official documents step by step. I installed VDI 3.4 on Oracle Linux 5.7 (oraclevdi.jiayutester.com), then installed a Windows Server 2008 R2 64-bit machine (jiayudc.jiayutester.com) and made it the Domain Controller (jiayutester.com) and DNS. At the end, I edited /etc/krb5.conf. I executed the following commands:
1.getent hosts jiayudc.jiayutester.com
--------------------My Note:Normal-----------
2.kinit -V [email protected]
Authenticated to Kerberos v5
This is my krb5.conf (the [realms] and [appdefaults] stanzas need their closing braces, which were missing as posted):
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = JIAYUTESTER.COM
 default_checksum = rsa-md5
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 JIAYUTESTER.COM = {
  kdc = space-21pel8ghu.jiayutester.com
  admin_server = space-21pel8ghu.jiayu.com:749
  default_domain = jiayutester.com
 }
[domain_realm]
 .jiayutester.com = JIAYUTESTER.COM
 jiayutester.com = JIAYUTESTER.COM
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Then I logged in to the web console to set up the company. I selected Active Directory to use as the User Directory, then filled in all the needed information (I am sure that all the information I filled in the form is correct). When I clicked Next, an error occurred. This is the text:
Unable to Connect to User Directory
Failed to connect, no servers available
Now I have searched everywhere for information, but I can't resolve the problem... Please help me, smart guys
Would probably need to see your VDI instance cacao log file to see why this is failing, but you might need to add the following to the [libdefaults] section of your krb5.conf file, for a 2008 R2 AD server:
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
And then restart the VDI services (/opt/SUNWvda/sbin/vda-service restart).
Note that VDI will actually try to query the individual AD servers defined as part of your AD Global Catalog when it tries to look up AD domain data. This means you need to verify that the servers your global catalog references are valid and have matching forward and reverse DNS information:
For example:
$ nslookup -querytype=any _gc._tcp.vdi.com.
Server: win2008.vdi.com
Address: 192.168.1.100#53
_gc._tcp.vdi.com service = 0 100 3268 win2008.vdi.com.
$ nslookup win2008.vdi.com.
Server: win2008.vdi.com
Address: 192.168.1.100#53
Name: win2008.vdi.com
Address: 192.168.1.100
$ nslookup 192.168.1.100
Server: win2008.vdi.com
Address: 192.168.1.100#53
100.1.168.192.in-addr.arpa name = win2008.vdi.com.
You'd want to verify that every record returned by the nslookup -querytype=any _gc._tcp.yourdomain.com command refers to a server that can be reached and has matching forward and reverse DNS. Otherwise, this may cause VDI to have failures or delays in performing directory queries.
Beyond that, you need to look in the cacao.log file for any errors that you can find and post them.
Edited by: DoesNotCompute on Oct 13, 2012 11:48 AM -
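The forward/reverse consistency check the answer above walks through with nslookup, as an added PowerShell example that is not part of DoesNotCompute's reply. It runs from a Windows host that uses the AD DNS servers, and the domain name is the placeholder from the sample output; substitute your own.

```powershell
# Added example: confirm every global catalog advertised in DNS has matching
# forward (A) and reverse (PTR) records. Run from a Windows host that uses the
# AD DNS servers; the default domain name is a placeholder from the answer above.
function Test-GlobalCatalogDns {
    param([string]$Domain = 'vdi.com')

    # The _gc._tcp SRV records list the GCs and their port (3268 by default).
    $srv = Resolve-DnsName -Name "_gc._tcp.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }

    foreach ($rec in $srv) {
        $target = $rec.NameTarget.TrimEnd('.')
        $row = [ordered]@{
            GlobalCatalog = $target
            Port          = $rec.Port
            Forward       = $null
            Reverse       = $null
            Consistent    = $false
        }
        try {
            $a = Resolve-DnsName -Name $target -Type A -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' }
            $row.Forward = ($a.IPAddress -join ',')
            # Reverse-resolve each address and keep only the PTR answers.
            $ptr = @(foreach ($ip in $a.IPAddress) {
                (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'PTR' }).NameHost
            })
            $row.Reverse = ($ptr -join ',')
            # Consistent only if every PTR answer names the host the SRV record points at.
            $row.Consistent = ($ptr.Count -gt 0) -and
                -not ($ptr | Where-Object { $_.TrimEnd('.') -ne $target })
        } catch {
            $row.Reverse = "lookup failed: $($_.Exception.Message)"
        }
        [PSCustomObject]$row
    }
}

Test-GlobalCatalogDns -Domain 'vdi.com' | Format-Table -AutoSize
```

Any row with `Consistent` false is a GC that VDI can discover but may fail or stall against, which is the failure the answer describes; fix the A or PTR record on the AD DNS server rather than working around it in krb5.conf.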
SCCM 2012 extend the Active Directory schema error
Hello
I am experiencing an issue when attempting to extend my AD schema for SCCM 2012.
<12-10-2014 20:04:33> Modifying Active Directory Schema - with SMS extensions.
<12-10-2014 20:04:33> DS Root:CN=Schema,CN=Configuration,DC=,DC=com
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Site-Code. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Assignment-Site-Code. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Site-Boundaries. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Roaming-Boundaries. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Default-MP. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Device-Management-Point. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-MP-Name. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-MP-Address. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Health-State. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Source-Forest. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Ranged-IP-Low. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=MS-SMS-Ranged-IP-High. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Version. Error code = 8224.
<12-10-2014 20:04:33> Failed to create attribute cn=mS-SMS-Capabilities. Error code = 8224.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Management-Point. Error code = 8202.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Server-Locator-Point. Error code = 8202.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Site. Error code = 8202.
<12-10-2014 20:04:33> Failed to create class cn=MS-SMS-Roaming-Boundary-Range. Error code = 8202.
<12-10-2014 20:04:33> Failed to extend the Active Directory schema, please find details in "C:\ExtADSch.log".
Can anyone help me fix this issue?
Hi,
It is most likely due to a replication issue in your AD; check the previous thread on the topic: https://social.technet.microsoft.com/Forums/systemcenter/en-US/1d377109-4fa9-4608-8a3a-cefd436e82ee/error-8224-when-extending-active-directory-schema
Make sure that all replication issues are solved and try again.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec -
Windows Server 2008 R2-Active Directory
Hi ,
I cloned a machine using VMware VSphere 5.1 and did not use sysprep during cloning. The original source machine disappeared from Windows Active Directory. Is there anyway to get the object back ? I also deleted the cloned Virtual machine .
Thanks in advance.
Pro1962
India1947
You can use my script here: https://gallery.technet.microsoft.com/scriptcenter/Remove-Inactive-user-2caf199a
All you need to change is
(objectCategory=person)(objectClass=user)
by
(objectCategory=computer)
and add a comment at the beginning of the command Remove-ADUser.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Windows Server 2012 R2 - Join Domain fails (Active Directory)
Well guys - I don't know what to do about this problem anymore...
I set up a DC for my home network - Windows Server 2012 R2 Foundation. Everything is set up fine - DNS, AD - I succeeded in joining the domain with other PCs in the network.
Problem:
When I want to join the domain "lionnet.at" it tells me that it cannot find the network address after I typed in the domain admin password.
The dns entries are fine - checked it with nslookup. The DC name is lionhead.
nslookup:
> set q=srv
> _ldap._tcp.dc._msdcs.lionnet.at
Server: lionhead.lionnet.at
Address: 10.0.0.150
_ldap._tcp.dc._msdcs.lionnet.at SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = lionhead.lionnet.at
lionhead.lionnet.at internet address = 10.0.0.150
I tried several solutions: editing the lmhosts/hosts file, deactivating IPv6, setting a static IPv4.
Any ideas on this?
What the hell... it was an external soundcard preventing the join... I installed it a week ago - unplugged it - "Welcome to the domain lionnet.at!"
Hi CloneBraveB,
Glad to hear that you have solved this issue and thanks for sharing in the forum. Your time and efforts are highly appreciated.
Would you please let me know the complete error message that you got when you failed to join the problematic client computer to the domain?
In addition, for a test, please select another computer and install the external soundcard again, then attempt to join the computer to domain. Did you reproduce this issue?
By the way, would you please let me know more details of that soundcard?
If any update, please feel free to let me know.
Best regards,
Justin Gu
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Windows server firewall blocking active directory authentication?
I'm having problems with authenticating Macs on our Windows 2003 Server domain. When Windows Firewall is activated, Mac clients (10.4) can no longer log in. I've tried opening a number of ports, e.g. TCP/UDP 53, UDP 464, but no luck. Any ideas which ports are necessary for the AD plugin to work properly?
Thanks.
macpro Mac OS X (10.4.8) 1gb ram
Why are you enabling Windows Firewall on a domain controller?
My recommendation is to turn it off and protect your entire site with a hardware firewall. The ports you need to open up are the very ones you should be blocking from the world to prevent attacks.
Short of that:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en
User Login and Authentication
A user network logon across a firewall uses the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• Lightweight Directory Access Protocol (LDAP) ping (389/udp)
• Domain Name System (DNS) (53/tcp, 53/udp)
Computer Login and Authentication
A computer logon to a domain controller uses the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• LDAP ping (389/udp)
• DNS (53/tcp, 53/udp)
Access File Resource
File access uses SMB over IP (445/tcp, 445/udp).
Perform a DNS Lookup
To perform a DNS lookup across a firewall ports 53/tcp and 53/udp must be open. DNS is used for name resolution and supports other services such as the domain controller locator
... -
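An added PowerShell example, not from the reply above or the Microsoft document it quotes, that applies the port list just given on a Windows Server 2012 or later domain controller (the thread's 2003 box has no NetSecurity module) so the firewall can stay on: it allows only the logon-related ports, and only from the internal client subnet, then checks the TCP side from a client. The subnet and DC name are placeholders.

```powershell
# Added example: on a Windows Server 2012 or later DC, allow only the logon-related
# ports listed above, and only from the internal client subnet, rather than turning
# the firewall off. Subnet and DC name are placeholders.
$clientSubnet = '10.0.0.0/24'
$dcName       = 'dc01.example.com'

# Port list from the Microsoft extract above (LDAP ping is UDP only).
$ports = @(
    @{ Name = 'Microsoft-DS'; Port = 445; Protocols = 'TCP', 'UDP' },
    @{ Name = 'Kerberos';     Port = 88;  Protocols = 'TCP', 'UDP' },
    @{ Name = 'LDAP ping';    Port = 389; Protocols = 'UDP' },
    @{ Name = 'DNS';          Port = 53;  Protocols = 'TCP', 'UDP' }
)

# Run on the DC: one inbound rule per port/protocol, scoped to the client subnet.
function Add-LogonFirewallRules {
    foreach ($p in $ports) {
        foreach ($proto in $p.Protocols) {
            $name = "AD logon - $($p.Name) $proto/$($p.Port) from $clientSubnet"
            if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                    -Protocol $proto -LocalPort $p.Port -RemoteAddress $clientSubnet `
                    -Profile Domain | Out-Null
            }
        }
    }
}

# Run on a client: confirm the TCP ports answer. Test-NetConnection cannot probe UDP,
# so Kerberos/UDP and the LDAP ping are only proven by an actual client logon.
function Test-LogonPorts {
    foreach ($p in $ports | Where-Object { $_.Protocols -contains 'TCP' }) {
        $ok = (Test-NetConnection -ComputerName $dcName -Port $p.Port `
                  -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-13} TCP/{1,-4} {2}' -f $p.Name, $p.Port, $(if ($ok) { 'open' } else { 'blocked' })
    }
}

Add-LogonFirewallRules   # on the domain controller
Test-LogonPorts          # on a client in $clientSubnet
```

Scoping the rules with `-RemoteAddress` is what addresses the reply's objection: the same ports stay closed to everything outside the subnet, so enabling the host firewall does not mean exposing Kerberos, SMB and LDAP to the world.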
Oracle Non-Windows DB and MS Active Directory
Question:
How can one configure a Microsoft Active Directory (LDAP-compliant directory
service) with an Oracle Database when the Database resides on a unix server
without the need of the Oracle LDAP? Is it possible? If yes, please explain.
Question: I have been looking at examples of using the LDAP packages but I am not sure if the examples are explaining the ldap_base and groups for MS AD or an example for Oracle OID.
Can you explain, is this Oracle OID?
GC$ldap_user VARCHAR2(256) := 'cn=orcladmin';
GC$ldap_passwd VARCHAR2(256) := 'welcome1';
GC$ldap_base VARCHAR2(256) := 'cn=my_cn,dc=my_dc,dc=fr';
Can you give an example for MS AD? -
Windows Server 2008 R2 Active Directory Report Tool
I have some computers in 2K8 R2 AD that are no longer in use in our organization. I would like to run a report to see which computers in our AD structure have reported to AD within a certain amount of time so I will know whether to delete them or not.
Is there a tool I can use specifically to see if computers in our AD domain have logged in within a certain time frame?
You can use my script here: https://gallery.technet.microsoft.com/scriptcenter/Remove-Inactive-user-2caf199a
All you need to change is
(objectCategory=person)(objectClass=user)
by
(objectCategory=computer)
and add a comment at the beginning of the command Remove-ADUser.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
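The report the question asks for, as an added PowerShell example; it is not Ahmed's gallery script and does not depend on it. It assumes the ActiveDirectory module and a 90-day threshold, and it keys on lastLogonTimestamp because that attribute is replicated to every DC.

```powershell
# Added example: list enabled computer accounts that have not logged on for N days.
# lastLogonTimestamp is replicated to every DC (lastLogon is not), but it is only
# refreshed when the stored value is older than msDS-LogonTimeSyncInterval
# (14 days by default), so treat the result as accurate to about two weeks.
Import-Module ActiveDirectory

function Get-StaleComputer {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ADComputer -Filter { Enabled -eq $true } `
                   -Properties lastLogonTimestamp, OperatingSystem, whenCreated |
        ForEach-Object {
            $last = if ($_.lastLogonTimestamp) {
                        [DateTime]::FromFileTime($_.lastLogonTimestamp)
                    } else { $null }   # no logon recorded for this account
            [PSCustomObject]@{
                Name              = $_.Name
                OperatingSystem   = $_.OperatingSystem
                Created           = $_.whenCreated
                LastLogon         = $last
                DistinguishedName = $_.DistinguishedName
            }
        } |
        Where-Object {
            # Stale if the last logon is older than the cutoff, or no logon is
            # recorded and the account itself is older than the cutoff.
            if ($_.LastLogon) { $_.LastLogon -lt $cutoff } else { $_.Created -lt $cutoff }
        }
}

# Report first; disable before deleting so a mistake is reversible.
Get-StaleComputer -Days 90 | Sort-Object LastLogon |
    Export-Csv -Path .\stale-computers.csv -NoTypeInformation

# After review of the CSV:
# Get-StaleComputer -Days 180 | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName }
```

The built-in `Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 90.00:00:00` gives a similar list with less detail; the function above keeps the creation date and OS so that a recently built machine with no logon yet is not mistaken for an abandoned one.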
Upgrade from Windows Server 2012 Active Directory to Windows Server 2012 R2 Active Directory
We are currently running Windows Server 2012 Active Directory and would like to upgrade to Windows Server 2012 R2 AD. Is it OK to just do an in-place upgrade, or is it advisable to build new domain controllers on R2? Are there any guides or articles anyone
can recommend?
Hi Ginandtonic,
To upgrade DC(Domain Controller) from windows server 2012 to windows server 2012 r2, please refer to these articles:
Upgrade from windows Server 2012 to 2012 R2
Upgrade Active Directory from 2012 to 2012 R2
I hope this helps.
Best Regards,
Anna -
ACS 4.1 support with Windows Server 2012 Domain controller
I am upgrading my Domain Controller / Active Directory from Windows Server 2003 to Windows Server 2012.
In my environment, I am using Cisco ACS 4.1 which is integrated with Windows Server 2003 Active Directory.
Will ACS 4.1 work fine with my new domain controller (Windows Server 2012) or do I need to upgrade my ACS too?
Regards,
Junaid
Junaid,
ACS 4.x code doesn't even support Windows 2008 R2. Your best bet is to migrate the ACS from 4.x to ACS 5.4 Patch 2, or stay with Windows 2003 or 2008 (non-R2).
ACS 5.4 patch 2 supports Windows 2012 AD.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/release/notes/acs_54_rn.html
Regards,
Jatin
**Do rate helpful posts** -
SSO using Windows Active Directory but without EP or Java stack
Good morning and thank you in advance for your help.
The question is:
our environment includes windows domain with Active Directory, ECC 6.0 ABAP (DEV, QAS, PROD), BW 7.0 (DEV, QAS, PROD) only ABAP stack.
I would like to know if we can enable SSO using only this configuration without introducing EP or Java stack.
Best regards
Max
Hi Willi,
It won't be that easy to understand each other... as my English is not that good either.
Most of the points introduced in the SAP help link are automatically performed by sapinst.
Almost all my customers running on MS are not using an AV, and don't get into trouble either...
but no user ever connects on the SAP server, only admins, for maintenance purposes, or the SAP admin when needed...
Internet Explorer should not be used on a server; MS itself says it should be uninstalled...
Best regards
SAP on SQL General Update for Customers & Partners April 2014
10. Do Not Install SAPGUI on SAP Servers
Windows Servers have the ability to run many desktop PC applications such as SAPGUI and Internet Explorer however it is strongly recommended not to install this software on SAP servers, particularly production servers.
To improve the reliability of an operating system it is recommended to install as few software packages as possible. This will not only improve reliability and performance, but will also make debugging any issues considerably simpler.
“A server is a server, a PC is a PC”. Customers are encouraged to restrict access to production servers by implementing a Server Hardening Procedure.
SAP Servers should not be used as administration consoles and there should be no need to directly connect to a server. Almost all administration can be done remotely.
SAP on SQL General Update for Customers & Partners September 2013
Internet Explorer (and any other non-essential software) should always be removed from every SAP DB or Application server.
The following command line removes IE from Windows 2008 R2, Windows 2012 and Windows 2012 R2:
Open command prompt as an Administrator -> dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64 -
I have 3 servers (web server, SQL 2012 database server and Active Directory). I'm using the sqlsrv driver version 3.0, PHP version 5.3, IIS version 7 and Windows Server 2008.
Right now my PHP connection to SQL 2012 uses an AD ID, so how do I handle it if the password on Active Directory changes?
Solved: Using Kerberos
-
Window Active Directory users cannot see home drive when logon to Macs
This problem just occurred, so that tells me either 10.4.9 has done it or a security update to Windows 2003 Server.
Looking for any tech-savvy network guru to help.
Windows 2003 Server houses active directory. Users in the past were able to log on to a Macintosh computer and their home drive would appear on the desktop.
Now 'all of a sudden' any user that logs onto a Macintosh computer with an AD account does not see their home drive on the desktop.
Has anyone else had this problem? Any suggestions on how to resolve it? I haven't unbound the Mac from AD yet will try that tomorrow.
JTS
Fixed this... a corrupted keychain item that contained the user's previously used network password was the culprit.
Once I deleted the corrupted keychain item, Active Directory users can log on to a Mac and see their home directory on the desktop.
JTS