Forum Replies Created
You should not have two Enterprise CAs. The solution is to decommission the old CA, use only the new CA, and re-enrol any new certificates that had used the old CA. You can use GPOs to ensure all required servers are enrolling from the new CA and you can also push out the new CA root certificate to computers and servers.
Existing certificates will continue to work but will not be able to verify CRL (certificate revocation list) or issue new certificates from the old CA. Replacing the old certificates shouldn’t take long. Templates can be exported and imported to the new CA.
June 1, 2018 at 7:04 am in reply to: Primary DC Failed, Having Issues w/ Secondary DC Taking Ownership of Roles #312783
1. Run DCdiag on the primary server
2. Open DNS manager and make sure the NS (name server) and SRV records are present for ADDS to work:
3. Run NetDom Query Fsmo to ensure all the roles are on the live DC.
4. Run Net Share to ensure SYSLOG and NETLOGON are mounted.
October 1, 2017 at 9:22 am in reply to: Exchange Mailbox Database is Expanding (Alarmingly) #312782
I found that users using mobile devices with wrong sync time ranges can cause a large amount of transaction log generation. Users ought to only sync the last 3 days' work, not a week or certainly not unlimited. A tool such as Exchange User Monitor will help: https://technet.microsoft.com/en-us/library/bb508855(v=exchg.65).aspx.
Moving the transaction logs onto their own disks will help a lot.
Which version of CIFS or SMB does it work on?
You can check / change SMB configuration using PowerShell – https://www.petri.com/configure-smb-security-windows-server-2012.
Re: Single Label domain
To use short names, you need to have WINS (Windows Internet Naming Service) installed, which allows use of NetBIOS names on Windows. Then you can use names like DSI. Also, Windows 7 and later now use the full FQDN mostly.
Re: Web Security Software [Free]?
Personally, I would change to Ubuntu Server and install Squid Proxy for what you need to do for free.
Re: Moving from 2000 DC to 2003 DC
You need to update the forest functional level, which is done in the AD Domains and Trusts console and is a separate step from the domain functional level update.
Re: Fresh install 2013 CU2 fails to mount database
You can check the AD Permissions for a database using Get-ADPermission, Add-ADPermission for objects in Exchange including Databases. You can also use ADSIEdit.msc to view permissions in the Configuration partition of AD.
December 24, 2013 at 10:32 am in reply to: What will be best way to migrate 2003 sbs domain into 2012 standard domain #312772
Re: What will be best way to migrate 2003 sbs domain into 2012 standard domain
Have you tried adding the 2012 server to the SBS domain and then making it a DC?
Then you can transfer everything across easily.
It doesn’t affect the SBS limitations as the 2012 server will not be a different domain, a parent domain not a child domain, just the same domain.
Since the 2012 server is not an SBS server, it will not have the limitations of the original SBS server.
December 9, 2013 at 4:09 pm in reply to: New server added for redundancy and spam is now coming through. #312771
Re: New server added for redundancy and spam is now coming through.
What role did you install on the second server?
If it is an Edge Transport server, then you need to remove and re-add a new subscription to pick up the new server.
Also if you have rules set up and spam settings you need to configure them again for the new server, as they are not automatically copied to every server.
Re: Windows server 2012 standard – Anti Virus
You can install Microsoft Forefront Protection which should be available for installing on Servers. Although these are discontinued.
ClamAV is no good as it does not do On Access protection.
Try third-party products such as McAfee, Symantec, Kaspersky etc.
Re: AD DC redundancy
What about the 5 FSMO roles? Are they moved to the active DCs?
Roles: PDC, Infrastructure master, RID master, Schema master, Domain naming master!
For DNS to work, you should have it installed on all the DCs and make sure that all of them are added as DNS servers in DHCP scope options so PCs pick them up.
March 10, 2013 at 5:36 pm in reply to: Default Web Server Cert is valid only for 2 years. Can it be extended by default? #312766
Re: Default Web Server Cert is valid only for 2 years. Can it be extended by default
Yes, you can. All you need to do is load the Certificate Templates console, select the Web Server template and select Duplicate (if you already have a duplicate, you can change the Validity period), then give it a new name and set the Validity period for longer, e.g. 6 years.
Re: When GPO’s don’t work…do you….?
To deploy software, you would normally use MSI packages to deploy software to the computers (NOT to users, as it would only appear in Add/Remove Programs ready to install).
The MSI should install OK without any input from users. Not all MSIs are GPO friendly and may require developing a deployable MSI from the install files using third-party tools.
The second method is to run the installation via the Startup script via GPO. Just point to an installation file or script to install the program.
Re: adding a 2008R2 DNS server to a 2003 Domain
What type of DNS service is on the 2003 domain? Is it a Domain Integrated DNS, a Primary or a Secondary or a stub (cached) DNS?
If it's Domain Integrated, then the 2008 R2 server will have to be a Domain Controller so that the DNS zone data can be replicated to the new server.
If the 2003 server is a Primary DNS server then you need to configure zone transfer to replicate the data to the Secondary DNS server on the 2008 R2 server.
Re: rebuild Default Web Site
I had a similar problem with a web site on a server.
1. Open IIS Manager
2. Select Web Page tab
3. Change IP address to All unassigned
4. If the web site also has 443 (SSL) configured, click on Advanced tab and make sure IP addresses for 443 is also set to All Unassigned
5. Stop/start default web site or www service.
June 27, 2012 at 12:17 pm in reply to: Can I write script to configure group policy in Windows7 #312762
Re: Can I write script to configure group policy in Windows7
The RSAT tools with Windows 2008 R2 and 7 provide some scripting functionality:
Re: Windows 2008 AD Parent / child Won’t sync
A child domain is a completely new domain in its own right, so I would expect it would be empty to start with.
If you want another DC with the same users and groups as the parent domain then you would add that DC to the parent domain and it would replicate all the users and groups etc to the new DC. This does not happen for child domains.
A child domain has its own name space, will have its own DNS zone and have its own users and groups but will be fully trusted with its parent domain (transitive trust).
Re: after upgrade , problem with DNS and Ad
Sounds like problems with DNS and it's getting itself confused.
1. Open Network adapter and make sure its properties are set correctly and make sure that its own address is in the DNS list.
2. Open cmd prompt and run IPCONFIG /RegisterDNS to re-register itself in DNS
3. Open DNS Mgmt console and check everything:
a) Make sure that the Host (A) address and reversible addresses and names are correct.
b) At the root make sure that its own address is correct and names match and
c) Check all SRV records are correct.
d) Run the SETSPN on its account to fix any SPN errors.
Re: Resource Kit Tools and Support Tools
Only a small number of old tools from the Win 2003 rk work on 2008, Replmon will work on 2008. Some are included with 2008.
For more tools, incl Subinacl try:
http://technet.microsoft.com/en-us/sysinternals/default.aspx
August 5, 2011 at 4:38 pm in reply to: Help Please! Web Base Domain user password management using IIS #312757
Re: Help Please! Web Base Domain user password management using IIS
You can enable the IISADMPWD feature on Windows 2003 here:
Re: CMD box just splash then keep disappearing
Check for the existence of the Autoexec.nt file in C:\Windows\system32. Make sure it exists and does not contain any exit commands or other things that may prevent access.