Search Results

Search found 17950 results on 718 pages for 'directory listing'.

Page 90/718 | < Previous Page | 86 87 88 89 90 91 92 93 94 95 96 97  | Next Page >

  • Reboot loop after sysprep of AD machine

    - by rboarman
    Major screw-up here and I need to find out how much trouble I am in. I have an AD machine that is running Server 2008 R2, hyperv, DHCP and DNS. On the hyperv machine, I have a backup AD instance running along with a handfull of other server 2008 instances. Sysprep was run on the hyperv machine instead of one of the instances. I am attempting to bring the machine back up so I can try a system restore. When I boot the hyperv machine, I get an error that says “Windows could not complete the installation. To install windows on this computer , restart the installation” This message occurs in safe mode, AD restore mode and in last known configuration mode. How can I get my OS to boot at this point? Do I need to reinstall 2008 R2 from scratch?

    Read the article

  • Winbind group lookup painfully slow

    - by Marty
    I am running winbind on an RHEL 6 system. Everything works fine except group lookups, so many commands (including sudo) are painfully slow. I did an strace which shows that winbind looks up every group and every user within each group for the current user. Some of these groups have 20000+ users so a simple sudo can take 60 seconds to complete. I really only care about speeding up the sudo command. Ideal solutions would make it so either: groups with more than X number of users will not be looked up, or sudo bypasses group lookups altogether. Here is my current "smb.conf" for winbind: workgroup = EXAMPLE password server = AD1.EXAMPLE.ORG realm = EXAMPLE.ORG security = ads idmap uid = 10000-19999 idmap gid = 10000-19999 idmap config EXAMPLE:backend = rid idmap config EXAMPLE:range = 10000000-19999999 winbind enum users = no winbind enum groups = no winbind separator = + template homedir = /home/%U template shell = /bin/bash winbind use default domain = yes winbind offline logon = false

    Read the article

  • Unable to resolve FQDN, hostname works

    - by HannesFostie
    We are having an issue where computers who are not part of the domain cannot resolve the FQDN of a server (but regular hostname and ip do resolve). The strange thing is that this does work when the computer is added to the network. Our domain name is rather long, its something along the lines of "team.dept.company.com", could that be it? DHCP server passes along the proper DNS, Name and WINS servers, as well as the domain name. I thought that should've solved the problem, but apparently not really. Our domain is still windows2003 EDIT: I am starting to believe I can narrow this down to a problem either with the vmware tools NIC drivers that are embedded in my winPE boot image, or to the fact that I'm trying to do this from inside a VM. Pinging a FQDN at the same time when using a different task sequence on a physical machine works.

    Read the article

  • How do i remove a password expiration policy?

    - by jimmygee
    We had a password expiration policy recently removed from our AD but some users continued to get the "..your password will expire in x days. would you like to change it now?" message. So we added a reverse/undo policy to correct the local registry settings Maximum password age = 0 days Minimum password age = 0 days This hasn't worked as new users still seem to encounter the above "change password" message sporadically. We have now removed all custom password policy GPOs and are left with the "Default Domain Policy". Still no good. Can someone point me in the direction to fix this? And an explanation into what i was doing wrong (/how password expiration policies apply) would be useful too. thanks Environment is 2k3 server with mostly XPsp2 clients.

    Read the article

  • passwd ldap request to ActiveDirectory fails on half of 2500 users

    - by groovehunter
    We just setup ActiveDirectory in my company and imported all linux users and groups. On the linux client: (configured to ask ldap in nsswitch.conf): If i do a common ldapsearch to the AD ldap server i get the complete number of about 2580 users. But if i do this it only gets a part of all users, 1221 in number: getent passwd | wc -l Running it with strace shows kind of attempt to reconnect My ideas were: Does the linux authentication procedure run ldapsearch with a parameter incompatible to AD ldap ? Or probably it is a encoding issue. The windows user are entered in AD with all kind of characters. Maybe someone could shed light on this and give a hint how to debug that further!? Here's our ldap.conf host audc01.mycompany.de audc03.mycompany.de base ou=location,dc=mycompany,dc=de ldap_version 3 binddn cn=manager,ou=location,dc=mycompany,dc=de bindpw Password timelimit 120 idle_timelimit 3600 nss_base_passwd cn=users,cn=import,ou=location,dc=mycompany,dc=de?sub nss_base_group ou=location,dc=mycompany,dc=de?sub # RFC 2307 (AD) mappings nss_map_objectclass posixAccount User # nss_map_objectclass shadowAccount User nss_map_objectclass posixGroup Group nss_map_attribute uid sAMAccountName nss_map_attribute cn sAMAccountName # Display Name nss_map_attribute gecos cn ## nss_map_attribute homeDirectory unixHomeDirectory nss_map_attribute loginShell msSFU30LoginShell # PAM attributes pam_login_attribute sAMAccountName # Location based login pam_groupdn CN=Location-AU-Login,OU=au,OU=Location,DC=mycompany,DC=de pam_member_attribute msSFU30PosixMember ## pam_lookup_policy yes pam_filter objectclass=User nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,statd,sync,sys,syslog,usbmux,uucp,www-data and here the stacktrace from strace getent passwd poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 120000) = 1 ([{fd=4, revents=POLLIN}]) read(4, "0\204\0\0\0A\2\1", 8) = 8 read(4, "\4e\204\0\0\0\7\n\1\0\4\0\4\0\240\204\0\0\0+0\204\0\0\0%\4\0261.2."..., 63) = 63 stat64("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=1151, ...}) = 0 geteuid32() = 12560 getsockname(4, {sa_family=AF_INET, sin_port=htons(60334), sin_addr=inet_addr("10.1.35.51")}, [16]) = 0 getpeername(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("10.1.5.81")}, [16]) = 0 time(NULL) = 1297684722 rt_sigaction(SIGPIPE, {SIG_DFL, [], 0}, NULL, 8) = 0 munmap(0xb7617000, 1721) = 0 close(3) = 0 rt_sigaction(SIGPIPE, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGPIPE, {SIG_DFL, [], 0}, NULL, 8) = 0 rt_sigaction(SIGPIPE, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0 write(4, "0\5\2\1\5B\0", 7) = 7 shutdown(4, 2 /* send and receive */) = 0 close(4) = 0 shutdown(-1, 2 /* send and receive */) = -1 EBADF (Bad file descriptor) close(-1) = -1 EBADF (Bad file descriptor) exit_group(0) = ?

    Read the article

  • Is there a way to add AD LDS users to an AD Domain Group or allow them domain security rights?

    - by Tom
    I have a web application in which our outside customers need access to run transactions (stored procs on Sql Server) on our domain. We have looked into LDS to keep these users separate from our domain. The problem we are having is allowing the LDS users the AD security rights to access these stored procs. For administration purposes we would like to use an AD group for each transaction (stored proc) which has access to execute. Is there a way to add LDS users to this AD group or allow them the security rights to do this? We have setup LDS and can authenicate an AD user thru to runs these transactions. LDS is running on Server 08 R2. AD is also Server 08 R2. Thanks.

    Read the article

  • Server 2008 print server down / access denied

    - by johnnyb10
    I have two Server 2008 servers (both running as VMs in VMware). One is a Full Installation, and the other is a Server Core installation. I just installed Print Services on both of them. In Print Management on the Full server, I added the Server Core print server (so now two print servers are listed in Print Management). However, the icon for my Server Core print server has a red, down-pointing arrow (indicating that it is down, I suppose). And when I right-click it and click Add Printer, I get a message saying that access is denied. Can someone tell me how to bring up or check on the status of the Server Core print server. Obviously, I'm somewhat of a noob with this stuff. Thanks in advance...

    Read the article

  • FreeNAS and AD authentication on Windows 2008 R2

    - by FrancisV
    Has anyone successfully used AD authentication using the latest version of FreeNAS with Windows 2008 R2 domain controllers? I wanted to use FreeNAS to host files and share them via CIFS but I couldn't make FreeNAS authenticate with a Windows 2008 R2 domain controller. Ultimately, the new CIFS shares will be referenced in the DFS namespace that we already have running on Windows 2008 R2 servers. Any tip you can share with me?

    Read the article

  • Windows Authentication behaves oddly when VPN'd

    - by Dan F
    Hi all We've got a few apps that rely on windows authentication - a couple of web apps with AD auth turned on and we usually connect to our SQL servers with windows auth. This normally runs without a hitch. It doesn't work so well if we're VPN'd to a client site though. SSMS Opening SSMS normally from the start menu, then picking a server that normally accepts windows auth, results in a message saying: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. (.Net SqlClient Data Provider) If I drop to a command prompt and use runas /user:domain\user to launch SSMS I can successfully windows auth to our SQL server instances with that ssms process. If I look in task manager, both copies of ssms.exe (start menu vs runas) have the same user, and I can see no discernible differences between the processes in procexp. AD Auth websites If I open IE and browse to any of our websites that require an authenticated windows user, I get the "who are you" prompt, and that dialog thinks I'm whoever the VPN user is. I can click "Use another account" and authenticate that way though. Outlook Even Outlook prompts for a username when we are VPN'd! It's affecting our Win7 and Vista machines. It's been a while since we had an XP box, but I don't recall having this issue on XP for what it's worth. The VPN connections are just using the built in windows VPN connections, they're not fancy cisco VPNs or anything of that nature. Does anyone know how to tell windows that I'd like to be my normal old primary domain user rather than the VPN user when authenticating to resources in our domain? Heck, I'd be happy with a solution that prompted me with the "who are you" if I was trying to access windows auth requiring resources on the client's VPN. Thanks! Apologies if this is more a superuser question, I wasn't sure which site it best suited. It's about networking and infrastructure and plagues all of our developers here, so I hope it's a serverfault Q.

    Read the article

  • Deleted, then added user w/ same name, now logs on w/ temp profile

    - by labyrinth
    I am a new admin at a high school lab and am trying to spearhead separation of normal IT accounts from IT admin accounts. I made my normal account (e.g. ITuser) and an admin account (e.g. ITuser-adm) on the server (Win Server 2008 R2). I used both accounts on my my main desktop for about a day, but decided I hadn't set up the admin account correctly. I deleted the my admin account, then made a new one with the same name. The problem is that on my main desktop (Windows 7 Pro), whenever I log in with my admin account, it gives the following errors: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on. (Error 1515) Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off. (Error 1511) This is more of a nuisance than anything for me, I just thought I could use the same name for a user account I'd just deleted since they would have separate SSIDs anyway. If it's less trouble, I could just make a new admin account. Or I could just keep using it as is since I don't need to be saving anything locally anyway and the typical folder redirects work fine. I'm just curious and want to understand what's going on. There are no errors listed regarding the registry.

    Read the article

  • SQL 2005 AD Group permission levels

    - by jj.
    I'm trying to give permissions to a (sql 2005) database app based on AD groups. The general idea is to require a user to have a membership to "app_users" to view anything, and membership to other groups gives them write access to that group. "app_customers" gives write access to the customers module, "app_sales" to sales, etc. I've listed an example below: user1: AD member of app_users user2: AD member of app_users, app_customers For dbo.customers table: app_users - Granted: Select permission - Denied: Insert, Update, Delete app_customers - Granted: Select permission - Granted: Insert, Update, Delete I would expect user1 to be able to view the dbo.customers table, but will not be allowed to modify anything (insert/update/delete) - which works. In the same vein, I would expect user2 to be able to view AND modify the dbo.customers table, since they are a member of app_customers. However, this is not the case. Instead, user2 is denied any modifications just like user1. I seem to remember something about deny permissions winning if there was a conflict, but it's honestly been too long since I've dealt with them. Am I going about this the right way? Thanks for your time!

    Read the article

  • Cannot Change "Log on through Terminal Services" in Local Security Policy XP from Server 2008 GP

    - by Campo
    This is a mixed AD environment, Server 2003 R2 and 2008 R2 I have a 2003 AD R2 and a 2008 R2 AD. GPO is usually managed from the 2008 R2 machine. I have a RD Gateway on another server as well. I setup the CAP and RAP to allow a normal user to log on to the departments workstation. I also adjusted the GPO for that OU to allow Log on trhough Remote Desktop Gateway for the user group. This worked on my windows 7 workstation. But unfortunately the policy is a different name in XP "allow log on through Terminal Services" I can get through right into the machine but when the log on actually happens to the local machine i get the "Cannot log on interactively" error. This is set in (for the local machine) Secpol.msc Local Security Policy "user rights assignment" but is controlled by the GPO in Computer Configuration Policies Security Settings Local Policies "User Rights Assignment" Do I simply need to adjust the same setting on the same GPO but with a server 2003 GP editor? Feel like that could cause issues... Looking for some direction. Or if anyone has run into this issue yet. UPDATE Should this work? support.microsoft.com/kb/186529 Still seems like I will have the issue as the actual GP settings for Log on through Terminal Services is still different between Server 2008 R2 and 2003 R2.... Another Thought: Should I delete the GPO made for the department and remake it with the 2003 R2 server? I have no 2008 specific settings as the whole department runs XP other than myself. If that's a solution I will move my computer out of the department as a solution... Thoughts?

    Read the article

  • How to reduce timeout for bad password on disconnected laptop?

    - by Elroy Flynn
    I use a Windows 7 laptop computer. When not attached to my AD domain, if I enter an incorrect password, I have to wait approximately a full minute before the failure response comes back. When attached to the domain, the response is instant. I think that what's happening is that is that when my entry fails against the cached pw, Windows tries to reach the domain controller and the timeout for that operation is about 60s. Is there a registry entry that controls the timeout? I'd love to reduce it.

    Read the article

  • RPCSS kerberos issues on imaged Windows workstations

    - by sysadmin1138
    While doing some unrelated troubleshooting I came across a set of Event Log entries that have me concerned. Machine Name: labcomputer82 Source: Security-Kerberos Event ID: 4 Event Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server labcomputer143$. The target name used was RPCSS/imagemaster4.ad.domain.edu. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (AD.DOMAIN.EDU) is different from the client domain (AD.DOMAIN.EDU), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server. There are three machine names used in this message. It's generated on labcomputer82, it's attempting to talk to another lab workstation called labcomputer143, and the service in question (RPCSS) refers to the name of the machine that this machine was imaged from (and possibly also that of labcomputer143, I'm not sure). The thing that has me raising both eyebrows is that the machine named labcomputer82 is attempting to use an SPN of RPCSS/imagemaster4.ad.domain.edu. The SPN attribute on the computer object in AD looks just fine. It has all the names it should have. Of the over 3,000 computer objects in our AD domain, somewhere around 1,700 of the are computer-lab seats that are frequently imaged. If we're doing something wrong, I'd like to know in time to get our procedures modified (and people retrained) for fall quarter. But if this is normal for imaged machines, I'll just continue ignoring these.

    Read the article

  • Migrating 2008 AD to Windows SBS 2011 and Forefront TMG 2010

    - by Tong Wang
    Our company has two physical servers: a Dell R710 with 4 NIC and a Dell R410 with 2 NIC. Right now, we have Windows server 2008 R2 installed on R710 with AD setup to host our domain. I am thinking to install both SBS 2011 and TMG 2010 on the other R410 running on Hyper-V. As I am fairly new to Windows Server technology, I'd like to check with you fellow Windows admins and see what is the proper way to install SBS 2011 and TMG 2010 and how to migrate the 2008 AD. Your advice and help will be highly appreciated.

    Read the article

  • Can not join additional domain controllers

    - by Hosm
    Hi all, I had a dead PDC and another not so synced domain controller for my domain. using comments here link now the so called secondary domain controller has seized domain controls and I can verify it from dsa.msc that it is a domain controller. I set up another domain controller (win2003SRV) and about to promote an AD on it as a domain controller for my domain. When I try to join the new domain controller to the domain I face DNS problem. here is some more detail DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain DOMNAME.A.B: The query was for the SRV record for _ldap._tcp.dc._msdcs.DOMNAME.A.B The following domain controllers were identified by the query: update.DOMNAME.A.B Common causes of this error include: - Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses. - Domain controllers registered in DNS are not connected to the network or are not running. For information about correcting this problem, click Help. it is worth noting that update.DOMNAME.A.B is the current domain controller to which I'd like to add another controller named PDC.DOMNAME.A.B Ip address of update.DOMNAME.A.B is 192.168.200.1 and for pdc.DOMNAME.A.B is 192.168.200.100 querying DNS on both machine return correct results. Any idea?

    Read the article

  • IE Kerberos failure on some machines with CNAME web server (with SPN for host's A record)

    - by Eric Thames
    It's fairly well known that IE doesn't like to do Kerberos against hosts that are registered in DNS as CNAMEs. What happens is that IE turns around and uses the underlying A record for the host for looking up the Service Principal Name (SPN). On a test network we are able to get Kerberos working by having the SPN registered for the A record of the host, so that Kerberos authentication happens successfully when accessing the web server via it's CNAME in the browser. Kerberos authentication works properly when directly accessing the web server with the A record host in the URL, but for various reasons that are beyond my control, it is desired to use the CNAME. On the production network, this same configuration fails though and I can't figure out why. Any thoughts? This is a java web application using the SPNEGO library - not IIS. Kerberos authentication is working properly in both the test and production networks (and has been confirmed to not fail back to NTLM), but the CNAME access only works in test.

    Read the article

  • What's the risk of running a Domain Controller so that it is accessible from the internet?

    - by Adrian Grigore
    I have three remote dedicated web servers at different webhosts. Adding them to a common domain would make a lot of administration tasks much easier. Since two of the servers are running Windows 2008 R2 Standard, I thought about promoting them to Domain Controllers in order to set up the windows domain. There's another thread at Serverfault that recommends this. At the same time I've read a lot of times on different websites that this is not a good idea because an domain controller should always be behind a firewall LAN. But I can't set up something like this because I don't have a LAN with a static IP accessible from the internet. In fact I don't even have a windows server in my LAN. What I have not found out is why exposing a DC to the Internet would be bad idea. The only risk I can see is that if someone penetrates one of my webservers, it should be much easier to penetrate the others as well. But as far as I can see that's the worst case scenario since I am only going my web servers to that domain, not any computers from my local network. Is this the only downside or does it also make it easier to penetrate one of my web servers in the first place? Thanks, Adrian

    Read the article

  • Managing access to multiple linux system

    - by Swartz
    A searched for answers but have found nothing on here... Long story short: a non-profit organization is in dire need of modernizing its infrastructure. First thing is to find an alternatives to managing user accounts on a number of Linux hosts. We have 12 servers (both physical and virtual) and about 50 workstations. We have 500 potential users for these systems. The individual who built and maintained the systems over the years has retired. He wrote his own scripts to manage it all. It still works. No complaints there. However, a lot of the stuff is very manual and error-prone. Code is messy and after updates often needs to be tweaked. Worst part is there is little to no docs written. There are just a few ReadMe's and random notes which may or may not be relevant anymore. So maintenance has become a difficult task. Currently accounts are managed via /etc/passwd on each system. Updates are distributed via cron scripts to correct systems as accounts are added on the "main" server. Some users have to have access to all systems (like a sysadmin account), others need access to shared servers, while others may need access to workstations or only a subset of those. Is there a tool that can help us manage accounts that meets the following requirements? Preferably open source (i.e. free as budget is VERY limited) mainstream (i.e. maintained) preferably has LDAP integration or could be made to interface with LDAP or AD service for user authentication (will be needed in the near future to integrate accounts with other offices) user management (adding, expiring, removing, lockout, etc) allows to manage what systems (or group of systems) each user has access to - not all users are allowed on all systems support for user accounts that could have different homedirs and mounts available depending on what system they are logged into. For example sysadmin logged into "main" server has main://home/sysadmin/ as homedir and has all shared mounts sysadmin logged into staff workstations would have nas://user/s/sysadmin as homedir(different from above) and potentially limited set of mounts, a logged in client would have his/her homedir at different location and no shared mounts. If there is an easy management interface that would be awesome. And if this tool is cross-platform (Linux / MacOS / *nix), that will be a miracle! I have searched the web and so have found nothing suitable. We are open to any suggestions. Thank you. EDIT: This question has been incorrectly marked as a duplicate. The linked to answer only talks about having same homedirs on all systems, whereas we need to have different homedirs based on what system user is currently logged into(MULTIPLE homedirs). Also access needs to be granted only to some machinees not the whole lot. Mods, please understand the full extent of the problem instead of merely marking it as duplicate for points...

    Read the article

  • What are the best practices for service accounts?

    - by LockeCJ
    We're running several services in our company using a shared domain account. Unfortunately, the credentials for this account are widely distributed and being used frequently for both service and non-service purposes. This has led to a situation where it is possible that the services will be temporarily down due to this shared account being locked. Obviously, this situation needs to change. The plan is to change the services to run under a new account, but I don't think this goes far enough, as that account is subject to the same locking policy. My questions is this: Should we be setting up the service accounts differently than other domain accounts, and if we do, how do we manage those accounts. Please keep in mind that we are running a 2003 domain, and upgrading the domain controller is not a viable solution in the near term.

    Read the article

  • Data loss through permissions change?

    - by charliehorse55
    I seem to have deleted some files on my media drive, simply by changing the permissions. The Story I have many operating systems installed on my computer, and constantly switch between them. I bought a 1TB HD and formatted it as HFS+ (not journaled). It worked well between OSX and all of my linux installations while having much better metadata support than NTFS. I never synced the UIDs for my operating systems so the permissions were always doing funny things. Yesterday I tried to fix the permissions by first changing the UIDs of the other operating systems to match OSX, and then changing the file ownership of all files on the drive to match OSX. About 50% of the files on the drive were originally owned by OSX, the other half were owned by the various linux installations. I started to try and change the file permissions for the folders, and that's when it went south. The Commands These commands were run recursively on the one section of the drive. sudo chflags nouchg sudo chflags -N sudo chown myusername sudo chmod 666 sudo chgrp staff The Bad Sometime during the execution of these commands, all of the files belonging to OSX were deleted. If a folder had linux based files it would remain intact but any folder containing exclusively OSX files was erased. If a folder containing linux files also contained a subfolder with only OSX files, the sub folder would remain but is inaccesible and displays a file size of 0 bytes. Luckily these commands were only run on the videos folder, I also have a music folder with the same issue but I did not execute any of these commands on it. Effectively I have examples of the file permissions for all 3 states - the linux files before and after, and the OSX files before. OSX File Before -rw-r--r--@ 1 charliehorse 1000 3634241 15 Nov 2008 /path/to/file com.apple.FinderInfo 32 Linux File before: -rw-r--r--@ 1 charliehorse 1000 5321776 20 Sep 2002 /path/to/file/ com.apple.FinderInfo 32 Linux File After (Read only): (Different file, but I believe the same permissions originally) -rw-rw-rw-@ 1 charliehorse staff 366982610 17 Jun 2008 /path/to/file com.apple.FinderInfo 32 These files still exist so if there are any other commands to run on them to determine what has happened here, I can do that. EDIT Running ls on one of the "empty" deleted OSX folders yields this: ls: .: Permission denied ls: ..: Permission denied ls: subdirA: Permission denied ls: subdirB: Permission denied ls: subdirC: Permission denied ls: subdirD: Permission denied I believe my files might still be there, but the permissions are screwed.

    Read the article

  • Add server 2008 to 2003 domain schema upgrade failed

    - by Ken
    I'm trying to add a server 2008 r2 server to an existing 2003 domain (upgraded to 2003 functionality). I've followed the steps from microsoft which are clarified by this post: 2003 DC AD upgrade to 2008 on second server migration plan While running adprep /forestprep I lost my connection and wasn't able to resume or remote control that session, so I couldn't see the end result of the command. Rerunning adprep /forestprep indicates that the process has already been completed successfully. After finishing the rest of the steps (/domainprep ... and /gpprep, etc), the 2008 server won't join. The error message is the same "you need to run forestprep first" So the situation I'm in is that I can't rerun /forestprep, but my Registry key still reads schemaVer=30. Should I have staged forest upgrades? Any ideas how to get my schema ver to 44 at this point?

    Read the article

  • Multi-Role Domain Controllers for Small Offices (< 50 clients)

    - by kce
    Warning: I'm a Linux/*NIX admin so this is all new to me. I understand that it's not considered a good idea to have only a single domain controller, and that it is also probably a good idea for a domain controller to only do AD/DHCP/DNS (Here). We have two offices, location A with 30 users and location B with 10 users. Our two offices are separated by a WAN that is not particularly robust so I have be instructed that we need to have standalone services in each office. This means that according to "best practices" we will need to build a domain controller and a separate file server in each office. Again, I am not knowledgeable in the ways of Windows but this seems a little unnecessary for an organization of 40 users. People have commented that I could "get away with" running file services on the domain controller as long as the "load is light". That just seems to generate more questions than it answers. What constitutes light load? What are the potential consequences of mixing these roles? Ideally I would prefer to only have one physical machine at each location. The one in location A (the location with IT staff) can act as the primary domain controller and the one in the smaller office can act as the backup domain controller. If either domain controller fails we can still use the other one for authentication (albeit with some latency) and if the WAN connection fails each office still has access to their respective "local" domain controller. If the file services are ALSO run on each server (and synchronized with something like DFS), a similar arrangement in terms of redundancy can be had without having to purchase, build and install two additional separate servers. It's not that I'm adverse to that (well, any more adverse than I am to whole thing to begin with) but to my simple mind it just seems, well a bit overkill. I can definitely see the benefits of functional separation when we're talking larger organizations, but I need to consider the additional overhead too. None of this excludes having a DRP setup for the domain controller/s. I assume you can lose two domain controllers just as easily as one.

    Read the article

  • netlogon errors

    - by rorr
    I have two instances of mssql 2005 and am using CA XOSoft replication. The master is a failover cluster and the replica is a standalone server. They are all running Server 2003 sp2 x64. Same patch levels on all servers. This setup has worked great for several months until we recently restricted the RPC ports on both nodes of the master(5000 - 6000 using rpccfg.exe). We have to implement egress filtering, thus the limiting of the ports. We began receiving login errors for sql windows authentication and NETLOGON Event ID: 5719: This computer was not able to set up a secure session with a domain controller in domain due to the following: Not enough storage is available to process this command. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. We also see group policies failing to update and cluster file shares go offline at the same time. The RPC ports were set back to default when we started seeing these problems and the servers rebooted, but the problems persist. The domain controllers are not showing any errors. Running dcdiag and netdiag shows everything is fine. We have noticed that the XOSoft service ws_rep.exe is using a lot of handles(8 - 9k), about the same number that sqlserver is using. As soon as xosoft replication is stopped the login errors cease and everything functions correctly. I have opened a ticket with CA for XOSoft, but I'm not sure that the problem is actually xosoft, but that it is the one bringing the problem to light. I'm looking for tips on debugging RPC problems. Specifically on limiting the ports and then reverting the changes.

    Read the article

< Previous Page | 86 87 88 89 90 91 92 93 94 95 96 97  | Next Page >