Grant Replicate Directory Changes Permission on a domain

The account that needs the Replicating Directory Changes permission on a domain does not have to be a Domain Admin: the right can be delegated to an ordinary service account on the domain naming context with the Delegation of Control wizard.

 

Why do we do this?

Say users are allowed to update their own information in SharePoint. The SharePoint User Profile Synchronization account needs this right on the domain so that profile information can be synchronized between the SharePoint profile database and Active Directory. Some configuration also has to be done in SharePoint Central Administration.

Grant only Replicating Directory Changes. The separate Replicating Directory Changes All right is not needed for profile synchronization, and an account holding both rights can pull password hashes from a domain controller through the replication protocol (the DCSync technique), so that second right should stay reserved for domain controllers.

 

How to Grant Replicate Directory Changes?

 

  • On your domain controller, open Active Directory Users and Computers.
  • Right-click the domain, for example netoverme.local, and select Delegate Control.
  • Click Next on the Delegation of Control Wizard.
  • On the Users or Groups page, click Add.
  • Type the name of the synchronization account, for example sp_admin, and click Next.
  • On the Tasks to Delegate page, select Create a custom task to delegate and click Next.
  • On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and click Next.
  • On the Permissions page, select Replicating Directory Changes (and nothing else).
  • Click Next and then Finish.
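The same delegation done with PowerShell, as an added example that is not part of the original post and not SharePoint's or Microsoft's documented procedure: it grants the right through the ACL of the domain head and then lists every principal that holds a replication right there, which is the check worth running after any delegation. It assumes the RSAT ActiveDirectory module, the netoverme.local domain and the sp_admin account from the post; the extended-right GUIDs are the schema's fixed values.

```powershell
# Added example (not from the original post): grant DS-Replication-Get-Changes to the
# synchronization account on the domain naming context, then audit who holds replication rights.
# Assumptions: RSAT ActiveDirectory module, domain netoverme.local, account sp_admin (as in the post).
Import-Module ActiveDirectory

# Extended-right GUIDs as defined in the AD schema (fixed values, not assumptions)
$GetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$GetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All

$domainDN = (Get-ADDomain).DistinguishedName            # DC=netoverme,DC=local
$path     = "AD:\$domainDN"
$account  = Get-ADUser -Identity 'sp_admin'
$sid      = [System.Security.Principal.SecurityIdentifier]$account.SID

# 1. Grant ONLY Get-Changes on the domain head. Get-Changes-All is deliberately not granted:
#    an account holding both rights can replicate password hashes from a DC (DCSync), and
#    profile synchronization does not need it.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $GetChanges,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 2. Audit: who can replicate from this domain? Matches Get-Changes, Get-Changes-All, and ACEs
#    that grant every extended right (ObjectType = empty GUID, e.g. Full Control), which cover both.
$acl = Get-Acl -Path $path
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $GetChanges -or $_.ObjectType -eq $GetChangesAll -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, @{ Name = 'Right'; Expression = {
        switch ($_.ObjectType) {
            $GetChanges    { 'Get-Changes' }
            $GetChangesAll { 'Get-Changes-All (hash replication possible)' }
            default        { 'All extended rights' }
        } } } |
    Sort-Object IdentityReference | Format-Table -AutoSize
```

Expect Domain Controllers, Enterprise Domain Controllers, Administrators, Enterprise Admins and Domain Admins in the audit output (those are default); any other account listed with Get-Changes-All or All extended rights deserves a second look.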

Fine Grained Password Policy in Windows Server 2012

In Windows Server 2012 (Standard edition is enough) it is convenient to configure fine-grained password policies using only the Active Directory Administrative Center, with no ADSI Edit or ldifde involved. The domain functional level must be Windows Server 2008 or higher.

 

1. Run “dsac” (dsac.exe) or open the Active Directory Administrative Center from Administrative Tools.

2. In the left pane, switch to the tree view and expand the tree.

3. Go to the System container under your domain. In my case, I expand “netoverme” and go to the System container.

4. Click the Password Settings Container.

5. Right-click the Password Settings Container, choose New and select Password Settings.


 

6. As in the figure below, you are prompted for the individual settings, such as password complexity, minimum password length, minimum and maximum password age and lockout settings. Precedence matters when a user is covered by more than one policy: the policy with the lowest precedence value wins.


 

7. After finishing the password settings, you need to link the policy to the users or groups you want it to apply to, such as IT Admin. Under Directly Applies To, click Add and type the user or group. Only users and global security groups can be subjects; organizational units cannot, so a group must be created for the users you want covered.
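The same policy created and verified with the ActiveDirectory module, as an added example that is not part of the original post: it creates the PSO, links it to a group, and then checks which policy actually applies to a member, which is the step the Administrative Center does not show. It assumes the RSAT ActiveDirectory module, a global security group named IT Admin, a hypothetical member account named alice, and a domain at functional level 2008 or higher.

```powershell
# Added example (not from the original post): fine-grained password policy with PowerShell.
# Assumptions: RSAT ActiveDirectory module; global security group "IT Admin"; member "alice"
# (hypothetical account name used only to illustrate the resultant-policy check).
Import-Module ActiveDirectory

# Lower Precedence wins when a user is covered by several PSOs. Durations are TimeSpans
# (days.hours:minutes:seconds).
New-ADFineGrainedPasswordPolicy -Name 'IT Admin PSO' -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# "Directly Applies To": only users and global security groups are accepted as subjects.
Add-ADFineGrainedPasswordPolicySubject -Identity 'IT Admin PSO' -Subjects 'IT Admin'

# Which policy is in force for a member? Empty output means no PSO applies and the
# Default Domain Policy settings are used instead.
Get-ADUserResultantPasswordPolicy -Identity 'alice' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# List every PSO with its subjects, for a periodic review of who got which policy.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, @{ Name = 'AppliesTo'; Expression = { $_.AppliesTo -join '; ' } }
```

Running the resultant-policy check for a privileged account after each change is the quickest way to catch a PSO that was created but never linked, or one that is being overridden by another PSO with a lower precedence value.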

 

Failure to Add Child Domain Controller?

[Screenshot: error shown when adding the domain controller]

 

 

I had a problem adding another child domain controller in my lab. In my scenario, my other child domain controller was online and one of the parent domain controllers was online as well.

 

Another thing I had to make sure of was that DNS was pointed to the child domain controller.

I also checked the debug log in C:\Windows\Debug\Dcpromoui.log. The error that appeared there was similar to the one above.

Looking further into the error above, the promotion successfully queried the SRV record of testbranch.netoverme.local.

 

My solution was to check that the Domain Naming Master role holder was online and could be contacted. The Domain Naming FSMO role is responsible for adding and removing domains. In my case, I have two parent domain controllers (dc1.netoverme.local and dc2.netoverme.local) and my child domain controller is testbranch.netoverme.local. My scenario above was to add another domain controller to the child domain testbranch.netoverme.local.

Once I could ping dc1.netoverme.local, which holds the Domain Naming Master FSMO role, and made sure the ports were open and the firewall was not blocking them, the domain controller could be added successfully. One more thing: besides the FSMO role holder being online and reachable, the DNS delegation has to be in place so that all the DNS records are added in the parent domain.
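The checks the post arrives at by hand, scripted, as an added example that is not part of the original post: run on the server about to be promoted, it finds the Domain Naming Master, tests the ports promotion needs, and checks that the resolver this server uses can find the child domain's DC locator record and the delegation for the child zone. It assumes the RSAT ActiveDirectory module is installed on that server and uses the netoverme.local / testbranch.netoverme.local names from the post.

```powershell
# Added example (not from the original post): prerequisite checks before promoting an additional
# DC into a child domain. Assumptions: RSAT ActiveDirectory module on the server being promoted;
# forest root netoverme.local, child domain testbranch.netoverme.local (names from the post).
Import-Module ActiveDirectory

$childDomain = 'testbranch.netoverme.local'
$forestRoot  = 'netoverme.local'

# 1. Who holds Domain Naming Master, and can this server reach it on the ports promotion uses?
#    (RPC also needs the dynamic range 49152-65535, which a single-port test cannot cover.)
$dnm = (Get-ADForest -Identity $forestRoot).DomainNamingMaster
"Domain Naming Master: $dnm"
foreach ($port in 53, 88, 135, 389, 445, 464, 636, 3268) {
    $ok = (Test-NetConnection -ComputerName $dnm -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "  TCP {0,-5} {1}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 2. Does the DNS server this machine is configured with return the child domain's DC locator
#    SRV record? No answer here is the "DNS must point at the child DC" problem from the post.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$childDomain" -Type SRV |
    Select-Object Name, NameTarget, Port, Priority

# 3. Is the child zone delegated from the parent zone? The NS answer for the child name should
#    list the child DCs; if it comes back empty or SERVFAIL, create the delegation in the parent.
Resolve-DnsName -Name $childDomain -Type NS | Select-Object Name, NameHost

# 4. Which DC will the promotion talk to for the child domain right now?
nltest /dsgetdc:$childDomain /writable
```

If step 1 shows blocked ports while step 2 and 3 succeed, the failure is the firewall path to the Domain Naming Master rather than name resolution, which is the distinction the post only reached by reading Dcpromoui.log.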

 

Error AD Replication: (8456) The source server is currently rejecting replication requests Part 2

I just want to continue with another possible solution to the error from the previous post:

http://netoverme.wordpress.com/2012/11/26/error-ad-replication-8456-the-source-server-is-currently-rejecting-replication-requests/

Another way is to restore the system state from a recent backup (a non-authoritative restore, so the domain controller picks up newer changes from its replication partners afterwards).

How?

1. Reboot the server and log in in Directory Services Restore Mode (DSRM).

[Screenshot: DSRM logon]

2. Use the command prompt to restore the previous backup.

[Screenshot: restoring the backup]

Run the command:

wbadmin start systemstaterecovery -version:<version identifier of your most recent backup>

The version identifier has the form MM/DD/YYYY-HH:MM and is listed by wbadmin get versions. Let the restore run until you see the screen below.

[Screenshot: successful restore]

It will ask to restart the server; press Y to proceed.

 

3. Then verify that replication is successful again.

[Screenshot: successful replication check]
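The restore from this post written out as commands, as an added example that is not part of the original post: the backup version is looked up instead of typed from memory, and the replication check that follows the reboot is included. It assumes an elevated prompt in DSRM and a Windows Server Backup system state backup on a local volume, with E: as a hypothetical drive letter.

```powershell
# Added example (not from the original post): non-authoritative system state restore of a DC.
# Run elevated after booting into Directory Services Restore Mode.
# Assumption: the backup was taken with Windows Server Backup to local volume E: (hypothetical).

# 1. List the backups on the target; version identifiers have the form MM/DD/YYYY-HH:MM.
wbadmin get versions "-backupTarget:E:"

# 2. Restore the system state. This is a NON-authoritative restore: the DC comes back with a new
#    invocationID and pulls everything newer from its partners, nothing is forced onto them.
#    Backups older than the tombstone lifetime are rejected, so use the most recent good one.
$version = '11/25/2012-22:00'      # hypothetical; replace with a value printed by step 1
wbadmin start systemstaterecovery "-version:$version" "-backupTarget:E:"

# 3. Answer Y at the prompts, let the server restart normally, then confirm replication works:
repadmin /replsummary                   # no 8456/8457 errors should remain
repadmin /showrepl $env:COMPUTERNAME    # every inbound partner should report "was successful"
repadmin /options $env:COMPUTERNAME     # DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL must be gone
```

If the DC had set "Dsa Not Writable" because of a USN rollback, the successful restore is what clears that state; the repadmin /options line is the quickest confirmation that the DC is no longer refusing replication on its own.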

Error AD Replication: (8456) The source server is currently rejecting replication requests

I would like to share some of the AD replication errors that you might face in your organization. I always run the replication summary, “repadmin /replsummary”, and got the output below:

 

The error above is (8456) The source server is currently rejecting replication requests.

 

The URL http://support.microsoft.com/kb/2023007 was helpful for troubleshooting.

 

I followed these steps to troubleshoot and resolve it:

1. I checked for the possible cause. I looked in the registry at the status of “Dsa Not Writable”. Run regedit.

Go to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

Check the value of Dsa Not Writable; my screenshot is below:

[Screenshot: Dsa Not Writable registry value]

Dsa Not Writable was set to 4. According to the table in http://support.microsoft.com/kb/2023007, this means a USN rollback occurred.

Active Directory was incorrectly rolled back for one of the following reasons:

- a snapshot of the virtual machine was taken and the VM was later reverted to it;

- the DC was restored from a disk image, for example with Norton Ghost.

When a DC detects a USN rollback it sets this value, disables its own inbound and outbound replication, and logs Event ID 2095 in the Directory Service log; this is the protection that keeps the rolled-back DC from lingering in the domain with stale data. (Hypervisors that expose a VM-Generation ID let Windows Server 2012 DCs detect a snapshot revert and recover safely; older platforms cannot.)

2. I also checked the Event Viewer, Directory Service log. Event ID 1308 shows the replication failure.

 

 

 

3. I had no choice but to decommission the affected domain controller with DCPROMO /ForceRemoval.

4. After the forced removal of the affected domain controller succeeded, I used metadata cleanup to remove the domain controller from the directory. See http://netoverme.wordpress.com/2011/06/03/metadata-cleanup-in-windows-2003/

5. After that, remove the server's records from DNS and from Active Directory Sites and Services.

6. On the affected server (the former domain controller), I then promoted it back to a domain controller so that the domain again has multiple domain controllers.
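The first two checks of this post as a script, as an added example that is not part of the original post: run on a DC that reports 8456/8457, it reads the Dsa Not Writable value, pulls the relevant Directory Service events, and shows the replication options and summary, so the USN rollback diagnosis is confirmed before anything is demoted. It assumes it runs locally on the suspect DC with elevated rights and that repadmin is available.

```powershell
# Added example (not from the original post): diagnose the cause behind replication error 8456.
# Assumptions: run elevated on the DC that is rejecting replication; repadmin is installed.

# 1. "Dsa Not Writable" under NTDS\Parameters. It is absent on a healthy DC; the post observed 4,
#    which the KB 2023007 table maps to a detected USN rollback.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dsaNotWritable = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).'Dsa Not Writable'
if ($null -eq $dsaNotWritable) {
    'Dsa Not Writable: not set (this DC has not disabled replication on its own)'
} elseif ($dsaNotWritable -eq 4) {
    'Dsa Not Writable = 4: USN rollback detected; this DC refuses replication until restored or rebuilt'
} else {
    "Dsa Not Writable = $dsaNotWritable: look the value up in the KB 2023007 table"
}

# 2. Directory Service log: 2095 is the USN rollback event, 1308 the KCC failure the post saw.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1308, 2095 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } }

# 3. A DC that detected a rollback disables its own replication; these flags show it.
repadmin /options $env:COMPUTERNAME      # look for DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL

# 4. Forest-wide summary; the affected DC shows 8456 as source and 8457 as destination.
repadmin /replsummary
```

If step 1 reports the value and step 2 shows 2095, the choice is between the system state restore from the previous post (only from a backup taken before the rollback and younger than the tombstone lifetime) and the forced demotion described above; re-enabling replication by hand with repadmin /options is not a fix and would spread the stale data.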

 

I will post more possible solutions as I find them.

 

Thank you.

 

 

RID Pool Depletion

I had the warning below:

[Screenshot: warning when creating a user]

Why did the warning appear when creating a user in Active Directory Users and Computers?

The warning appears because the domain controller is running out of relative identifiers (RIDs), the part of a SID that makes each new user, group or computer unique in the domain. By default the RID Master hands each domain controller a block of 500 RIDs (the "RID Block Size" value under NTDS\Parameters). When a DC has nearly used up its block it contacts the DC holding the RID Master FSMO role to request the next block of 500. If the RID Master is offline or unreachable, the DC keeps creating objects until its block is exhausted and then fails with this warning.

You will also see the warning in the Event Viewer. Take note of Event ID 16645, which says the DC has assigned its last RID and failed to obtain a new pool; the fix is to make the RID Master reachable (or seize the role if it is gone for good).
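A script that reads the RID state the warning is about, as an added example that is not part of the original post: it shows how much of the domain's global RID space has been consumed and, for each DC, the block it holds and how much of it is left, so an approaching depletion is visible before Event ID 16645 is logged. It assumes the RSAT ActiveDirectory module and that every DC in the domain can be reached over LDAP; the attribute encodings are the schema's documented ones.

```powershell
# Added example (not from the original post): inspect the RID pools of a domain.
# Assumptions: RSAT ActiveDirectory module; each DC reachable over LDAP (rIDNextRID is not
# replicated, so it has to be read from the DC that owns the block).
Import-Module ActiveDirectory

$domain = Get-ADDomain
"RID Master: $($domain.RIDMaster)"

# Global pool: rIDAvailablePool packs two 32-bit numbers into one 64-bit value.
#   high 32 bits = highest RID the domain can ever issue
#   low 32 bits  = the next RID the RID Master will hand out when a DC asks for a block
$ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
              -Properties rIDAvailablePool -Server $domain.RIDMaster
$pool = [int64]$ridMgr.rIDAvailablePool
$max  = $pool -shr 32
$next = $pool -band 0xFFFFFFFF
"Domain RIDs issued: {0:N0} of {1:N0} ({2:P2} of the space consumed)" -f $next, $max, ($next / $max)

# Per-DC block: rIDAllocationPool low 32 bits = first RID of the block, high 32 bits = last RID.
# rIDNextRID is the DC's position within the block (the RID it issued most recently).
foreach ($dc in Get-ADDomainController -Filter *) {
    $set   = Get-ADObject -Identity ('CN=RID Set,' + $dc.ComputerObjectDN) `
                 -Properties rIDAllocationPool, rIDNextRID -Server $dc.HostName
    $alloc = [int64]$set.rIDAllocationPool
    $start = $alloc -band 0xFFFFFFFF
    $end   = $alloc -shr 32
    $used  = [int64]$set.rIDNextRID
    "{0,-32} block {1}-{2} (size {3}) position {4}, about {5} left" -f `
        $dc.HostName, $start, $end, ($end - $start + 1), $used, ($end - $used)
}

# Microsoft's own consistency test for the same data:
dcdiag /test:RidManager /v
```

A DC whose "left" figure is small while the RID Master is unreachable is the one that will raise Event ID 16645 next; a global consumption figure that jumps unexpectedly points at something requesting far more RIDs than the accounts being created, which is worth investigating rather than just enlarging the block size.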

No UPN is listed in Exchange 2010 after promote Child Domain

Here I am covering this topic while working with both Exchange and Active Directory.

In my scenario, there is a parent domain called netoverme.info and the Exchange server is installed in this domain. Then the organization adds a child domain, Management, whose DNS name is management.netoverme.info. Management's domain controller is located in the branch office, and they just want to use the Exchange server that already exists in the parent domain netoverme.info.

When the administrator tried to create a mailbox for a new user in the child domain management.netoverme.info, they ran into a problem: the UPN did not appear, as shown in the figure below:

 

 

 

What is the solution?

Solution:

The child domain has not been prepared for Exchange. Using the Exchange Server installation media, run “setup /PrepareAllDomains” (or “setup /PrepareDomain:management.netoverme.info” to prepare only that domain). PrepareAllDomains needs an account that is a member of Enterprise Admins; it creates the Microsoft Exchange System Objects container and the Exchange Install Domain Servers group in each domain and sets the permissions Exchange needs there.

See the figure below for an example. Make sure the preparation completes fully.

After it has completed, open the console again and create a mailbox for a user in management.netoverme.info.
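A check that the preparation really reached every domain, as an added example that is not part of the original post: for each domain in the forest it looks for the container and group that domain preparation creates, so a domain that was skipped (or where setup failed half-way) shows up before anyone tries to create mailboxes there. It assumes the RSAT ActiveDirectory module and an account that can read all domains; the netoverme.info / management.netoverme.info names are from the post.

```powershell
# Added example (not from the original post): verify Exchange domain preparation in every domain.
# Assumptions: RSAT ActiveDirectory module; read access to each domain (the preparation itself
# needs Enterprise Admins); forest root netoverme.info with child management.netoverme.info.
Import-Module ActiveDirectory

(Get-ADForest).Domains | ForEach-Object {
    $domain = Get-ADDomain -Identity $_
    $dn     = $domain.DistinguishedName
    $pdc    = $domain.PDCEmulator

    # Domain preparation creates this container at the domain root and stamps objectVersion on it ...
    $container = Get-ADObject -LDAPFilter '(cn=Microsoft Exchange System Objects)' `
                     -SearchBase $dn -SearchScope OneLevel -Properties objectVersion -Server $pdc
    # ... and this group, used to grant the Exchange servers rights in the domain.
    $group = Get-ADGroup -LDAPFilter '(name=Exchange Install Domain Servers)' -Server $pdc

    [pscustomobject]@{
        Domain             = $_
        SystemObjects      = $(if ($container) { 'present' } else { 'MISSING' })
        ObjectVersion      = $(if ($container) { $container.objectVersion } else { '-' })
        InstallDomainGroup = $(if ($group) { 'present' } else { 'MISSING' })
    }
} | Format-Table -AutoSize
```

Every domain should show both items present and the same objectVersion as the prepared parent domain; a domain with a lower objectVersion was prepared by an older Exchange build and needs the preparation re-run from the current media.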