This is not the first time I have written about configuring the time service on Domain Controllers. With the actions below you can reset the time service settings and configure it to find the NTP server (best practice is to configure the PDC emulator as the corporate NTP server).
So let's reset the time service on the non-PDC DCs back to its defaults:
net stop w32time
net start w32time
Then set the non-PDC DCs to sync from the default domain time hierarchy:
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time
To check the status, use:
w32tm /query /status
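The following script is an added example (not from the original post) that applies the commands above according to the DC's role: the PDC emulator is pointed at external NTP peers and marked reliable, every other DC follows the domain hierarchy. The peer list is a placeholder assumption; replace it with your own time sources.

```powershell
# Added example, not the post's own code. Run in an elevated PowerShell on the DC.
Import-Module ActiveDirectory

# ASSUMPTION: placeholder upstream NTP servers; 0x8 = client mode (no symmetric active)
$ExternalPeers = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8"

# Does this DC hold the PDC emulator role?
$me    = Get-ADDomainController -Identity $env:COMPUTERNAME
$isPdc = $me.OperationMasterRoles -contains 'PDCEmulator'

if ($isPdc) {
    # PDC emulator: sync from manual peers and advertise itself as a reliable time source
    w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC: follow the domain hierarchy (same command as in the post)
    w32tm /config /syncfromflags:domhier /update
}

# Restart the service and force a resync so the new settings take effect now
Restart-Service w32time
w32tm /resync /nowait

# Verify: on a non-PDC the source should be the PDC; on the PDC it should be a peer
w32tm /query /status
w32tm /query /source
```

If the source on a non-PDC still shows "Local CMOS Clock", check that the DC can reach the PDC over UDP 123 before changing anything else.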
If you have configured password writeback on your Azure AD Connect server, or your users are cloud-only users, they can change their corporate password from the Office 365 portal. To change the password from Office 365, follow these steps:
Go to the Office 365 portal and sign in with your user account. Then click Settings -> Password.
Under Security and privacy, click Password.
In the new window, enter your current password and the new password twice. Click Submit.
Once done, you can use the new password everywhere, on-premises and in the cloud.
A few days ago, someone deleted users in Azure with the following command:
Get-MsolUser -UserPrincipalName SEPR0002@domain.com | Remove-MsolUser
Immediately afterwards, AD Connect started reporting that the object was a phantom.
The problem fixed itself automatically 24 hours later.
These days I'm building a hybrid Exchange environment with O365, moving from Exchange 2007 to Exchange 2013, and one of the prerequisites is preparing AD for it.
After copying the Exchange binaries to the DC holding the FSMO roles, run the following:
.\Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
.\Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
.\Setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms
When finished, check that replication is healthy with:
Finally, validate the upgrade by checking the version numbers with the PowerShell lines below, which is faster than going into ADSI Edit and looking them up there.
# Exchange Schema Version: rangeUpper of the ms-Exch-Schema-Version-Pt attribute
$sc = (Get-ADRootDSE).SchemaNamingContext
$ob = "CN=ms-Exch-Schema-Version-Pt," + $sc
(Get-ADObject $ob -Properties rangeUpper).rangeUpper
# Exchange Object Version (forest): objectVersion of the organization container
$cc = (Get-ADRootDSE).ConfigurationNamingContext
$fl = "(objectClass=msExchOrganizationContainer)"
(Get-ADObject -LDAPFilter $fl -SearchBase $cc -Properties objectVersion).objectVersion
# Exchange Object Version (domain) - assumes a single-domain forest
$dc = (Get-ADRootDSE).DefaultNamingContext
$ob = "CN=Microsoft Exchange System Objects," + $dc
(Get-ADObject $ob -Properties objectVersion).objectVersion
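The snippet above assumes a single-domain forest. As an added example (not from the original post), the following function generalizes it: it reads the schema and forest markers once and then reports the domain objectVersion for every domain in the forest, flagging domains where /PrepareDomain has not run yet.

```powershell
# Added example, not the post's own code. Read-only; run on any DC with the AD module.
Import-Module ActiveDirectory

function Get-ExchangeADVersion {
    $root = Get-ADRootDSE

    # Schema version: rangeUpper of ms-Exch-Schema-Version-Pt (forest-wide)
    $schemaObj = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$($root.SchemaNamingContext)" `
        -Properties rangeUpper

    # Forest (organization) object version, from the configuration partition
    $orgObj = Get-ADObject -LDAPFilter "(objectClass=msExchOrganizationContainer)" `
        -SearchBase $root.ConfigurationNamingContext -Properties objectVersion

    foreach ($domainName in (Get-ADForest).Domains) {
        $domainDn = (Get-ADDomain -Identity $domainName).DistinguishedName

        # Domain object version lives in that domain's Microsoft Exchange System Objects container;
        # query a DC of that domain, and tolerate the container being absent (domain not prepared)
        $sysObj = Get-ADObject -Identity "CN=Microsoft Exchange System Objects,$domainDn" `
            -Server $domainName -Properties objectVersion -ErrorAction SilentlyContinue

        $domainVersion = if ($sysObj) { $sysObj.objectVersion } else { 'not prepared' }

        [pscustomobject]@{
            Domain        = $domainName
            SchemaVersion = $schemaObj.rangeUpper
            ForestVersion = $orgObj.objectVersion
            DomainVersion = $domainVersion
        }
    }
}

Get-ExchangeADVersion | Format-Table -AutoSize
```

Compare the three numbers against the values Microsoft documents for your Exchange build; a domain showing "not prepared" or an older DomainVersion still needs /PrepareDomain run against it.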
To enable the Recycle Bin feature in Windows Server 2008 R2 AD DS, follow these steps:
- Connect to a domain controller and open the Active Directory Module for Windows PowerShell.
- Run the command: Get-ADOptionalFeature 'Recycle Bin Feature'. This shows whether the Recycle Bin is enabled: if EnabledScopes is blank, it is not.
- Copy the DistinguishedName shown by that command and run the following: Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=YourDomainXXX,DC=XXX' -Scope ForestOrConfigurationSet -Target 'YourDomainXXX.XXX'
- Press Y to confirm.
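The script below is an added example (not from the original post) that performs the steps above non-interactively, with the two checks you want before an irreversible change: the forest functional level and the current enabled state. It then lists the deleted objects the Recycle Bin can now bring back with Restore-ADObject.

```powershell
# Added example, not the post's own code. Run in the AD PowerShell module on a DC.
Import-Module ActiveDirectory

function Enable-ADRecycleBinIfNeeded {
    $forest = Get-ADForest

    # The Recycle Bin requires a forest functional level of Windows Server 2008 R2 or higher
    $minimum = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt $minimum) {
        throw "Forest functional level $($forest.ForestMode) is too low for the Recycle Bin"
    }

    # Same check as the post: a populated EnabledScopes means it is already on
    $feature = Get-ADOptionalFeature -Filter { Name -eq "Recycle Bin Feature" }
    if ($feature.EnabledScopes.Count -gt 0) {
        return "Already enabled for: $($feature.EnabledScopes -join ', ')"
    }

    # Enabling cannot be undone; -Confirm:$false replaces the interactive "Y"
    Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
    return "Recycle Bin enabled for forest $($forest.RootDomain)"
}

# Deleted objects that are now restorable (the Deleted Objects container itself is excluded)
function Get-RestorableADObject {
    Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged
}

Enable-ADRecycleBinIfNeeded
Get-RestorableADObject | Format-Table -AutoSize
```

Objects deleted before the feature was enabled are not covered; only deletions after that point keep their attributes for Restore-ADObject.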
While checking a Windows Server 2008 R2 AD DS forest I saw the following error in Event Viewer:
AD Replication Monitoring : encountered a runtime error.Failed to obtain the InfrastructureMaster using a well known GUID.The error returned was: ‘Failed to get the ‘fSMORoleOwner’ attribute from the object ‘LDAP://DC1.YourDomainXXX.XXX/<WKGUID=2fbac1870ade11d297c400c04fd8d5cd,DC=ForestDnsZones,DC=YourDomainXXX,DC=XXX>’.The error returned was: ‘There is no such object on the server.’ (0x80072030)’ (0x80072030)
To fix it I did the following:
- Open ADSI Edit and connect to the Configuration naming context.
- Go to CN=NTDS Settings,CN=YourServerNameXXX,CN=Servers,CN=YourSiteXXX,CN=Sites,CN=Configuration,DC=YourDomainXXX,DC=XXX, right-click it and select Properties.
- Find distinguishedName, click View and copy the whole value.
- Connect to DC=ForestDnsZones,DC=YourDomainXXX,DC=XXX and right-click Properties on CN=Infrastructure.
- Find fSMORoleOwner and click Edit.
- Clear the current value, paste the value you copied in the earlier step and click OK.
- Open a new connection to DC=DomainDnsZones,DC=YourDomainXXX,DC=XXX and repeat the same steps.
The warnings with event ID 1000 will then disappear.
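As an added example (not from the original post), the following function is the PowerShell equivalent of the ADSI Edit steps above. It checks whether fSMORoleOwner on each DNS partition's Infrastructure object still points at an existing NTDS Settings object and, only if it does not, repoints it to a live DC. It assumes the ActiveDirectory module on a DC; run it with -WhatIf first.

```powershell
# Added example, not the post's own code. Supports -WhatIf so you can preview the change.
Import-Module ActiveDirectory

function Repair-DnsPartitionInfrastructureMaster {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # DC whose NTDS Settings object becomes the new owner (default: the DC you run this on)
        [string]$OwnerDC = $env:COMPUTERNAME
    )
    $newOwner = (Get-ADDomainController -Identity $OwnerDC).NTDSSettingsObjectDN
    $root     = Get-ADRootDSE
    $forestDn = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName

    # The two DNS application partitions the event refers to
    $partitions = @("DC=ForestDnsZones,$forestDn", "DC=DomainDnsZones,$($root.DefaultNamingContext)")

    foreach ($p in $partitions) {
        $infra = Get-ADObject -Identity "CN=Infrastructure,$p" -Properties fSMORoleOwner
        $owner = $infra.fSMORoleOwner

        # Owner is valid only if it names an NTDS Settings object that still exists
        # (a demoted DC leaves a DN containing 0ADEL, i.e. a deleted object)
        $ok = $false
        if ($owner -and ($owner -notmatch '0ADEL:')) {
            try { $null = Get-ADObject -Identity $owner -ErrorAction Stop; $ok = $true } catch { $ok = $false }
        }

        if ($ok) {
            "$p : fSMORoleOwner OK ($owner)"
        } elseif ($PSCmdlet.ShouldProcess($infra.DistinguishedName, "Set fSMORoleOwner to $newOwner")) {
            Set-ADObject -Identity $infra.DistinguishedName -Replace @{ fSMORoleOwner = $newOwner }
            "$p : fSMORoleOwner repointed to $newOwner"
        }
    }
}

Repair-DnsPartitionInfrastructureMaster -WhatIf   # preview; rerun without -WhatIf to apply
```

After applying, wait for replication and confirm the event ID 1000 warning stops being logged on the DC that reported it.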
These days I'm checking a Windows Server 2008 R2 AD DS forest, and when I ran dcdiag I saw the typical error in the NCSecDesc test:
* Security Permissions Check for DC=ForestDnsZones,DC=domainXXX,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn’t have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=ForestDnsZones,DC=domainXXX,DC=XXX
* Security Permissions Check for DC=DomainDnsZones,DC=domainXXX,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn’t have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=DomainDnsZones,DC=domainXXX,DC=XXX
This error is not important if you don't plan to deploy an RODC, but either way you have two options to fix it:
As Microsoft says, you can follow this article to fix it:
If you prefer to fix it manually, follow these steps:
- Open ADSI Edit and connect to the connection point DC=ForestDnsZones,DC=DomainXXX,DC=XXX.
- Right-click DC=ForestDnsZones,DC=DomainXXX,DC=XXX and select Properties.
- On the Security tab, click Advanced.
- Select the Enterprise Domain Controllers entry with Replicating Directory Changes and click Edit.
- Tick the Allow checkbox for Replicating Directory Changes In Filtered Set, set Apply to "This object and all descendant objects", and also tick "Apply these permissions to objects and/or containers within this container only".
- Connect to DC=DomainDnsZones,DC=domainXXX,DC=XXX and repeat the same actions.
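The following audit-only function is an added example (not from the original post) that reproduces what the NCSecDesc test checks on the two DNS partitions, so you can confirm the manual ACL change took effect without rerunning dcdiag. It looks up the right's GUID from the Extended-Rights container instead of hardcoding it, and assumes the ActiveDirectory module on a DC (which provides the AD: drive).

```powershell
# Added example, not the post's own code. Read-only: it changes no permissions.
Import-Module ActiveDirectory

function Test-FilteredSetReplicationRight {
    $root     = Get-ADRootDSE
    $configNc = $root.ConfigurationNamingContext
    $forestDn = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName

    # Resolve the extended right by its display name to get its rightsGuid
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
        -LDAPFilter "(displayName=Replicating Directory Changes In Filtered Set)" -Properties rightsGuid
    $rightGuid = [guid]$right.rightsGuid
    $edc = 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $partitions = @("DC=ForestDnsZones,$forestDn", "DC=DomainDnsZones,$($root.DefaultNamingContext)")
    foreach ($p in $partitions) {
        $acl = Get-Acl -Path "AD:\$p"
        # An Allow ACE for EDC granting this specific extended right is what dcdiag wants to see
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $edc -and
            (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
            $_.ObjectType -eq $rightGuid
        }
        [pscustomobject]@{
            NamingContext       = $p
            HasFilteredSetRight = [bool]$hit
        }
    }
}

Test-FilteredSetReplicationRight | Format-Table -AutoSize
```

A row showing False means the NCSecDesc warning will reappear on the next dcdiag run for that partition.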