Tag Archives: active directory

Fix: Cannot demote server Access is denied

When demoting a domain controller from an existing Active Directory forest, you may be prompted for credentials and then see the following error:

The Operation failed because: The attempt at remote directory server to remove directory server was unsuccessful. “Access Denied”.

This happens because the object has Protect object from accidental deletion set.

To fix this open Active Directory Sites and Services. Find the server which you are trying to demote and expand it. Right click on NTDS Settings and click on Properties. Click on the Object tab and un-tick the Protect object from Accidental Deletion.

Retry the demotion and it should succeed. If it still fails, open Active Directory Users and Computers and check whether the computer account of the domain controller also has Protect object from accidental deletion enabled. Make sure Advanced Features is enabled under the View menu, otherwise the Object tab is not shown.
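
The same check from PowerShell, as an added example that is not part of the original post: it reports the protection flag on both objects the post mentions (the NTDS Settings object and the computer account of the domain controller) and clears it only when the -Unprotect switch is given. It assumes the ActiveDirectory module is available and that $DcName names the domain controller you intend to demote.

```powershell
# Added example (not from the original post): report, and optionally clear, the
# "Protect object from accidental deletion" flag on the two objects that block a demotion.
# Assumes the ActiveDirectory module; $DcName is the DC you intend to demote.
param(
    [Parameter(Mandatory)] [string] $DcName,   # e.g. "srv01"
    [switch] $Unprotect                        # without this switch the script only reports
)
Import-Module ActiveDirectory

$dc = Get-ADDomainController -Identity $DcName

# The NTDS Settings object shown under the server in Sites and Services,
# and the computer account shown in Users and Computers
$targets = @(
    $dc.NTDSSettingsObjectDN,
    $dc.ComputerObjectDN
)

foreach ($dn in $targets) {
    $obj = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion
    Write-Host ("{0}`n  ProtectedFromAccidentalDeletion = {1}" -f
        $obj.DistinguishedName, $obj.ProtectedFromAccidentalDeletion)

    if ($obj.ProtectedFromAccidentalDeletion -and $Unprotect) {
        # Clearing the flag removes the Deny Delete/DeleteTree entry that makes the
        # remote removal of the directory server fail with "Access Denied"
        Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $false
        Write-Host "  -> flag cleared; retry the demotion"
    }
}
```

Run it once without -Unprotect to see which object is protected; the flag is normally set on every domain controller, so re-enable it if the demotion is abandoned.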

Fix: AzureAD Sync not working Scheduler is already suspended

The Azure AD Sync tool stops synchronizing and, in the Office 365 portal under Health > Directory Sync Status, the message Warning: no recent synchronization appears under Password Sync.

In PowerShell, running Start-ADSyncSyncCycle returns the error below.

Start-ADSyncSyncCycle : System.InvalidOperationException: Scheduler is already
suspended via global parameters.

To fix this, open PowerShell and run the following command to un-suspend the scheduler.

Set-ADSyncScheduler -SchedulerSuspended $false

After it completes, re-run Start-ADSyncSyncCycle and it will work.

How to: List all computers in Active Directory with PowerShell

Sometimes you need a list of all the computers joined to the domain. Instead of going through every Organizational Unit (OU) in your AD infrastructure and listing the computers by hand, you can use the PowerShell script below.

Clear-Host
Import-Module ActiveDirectory
# Collect the name of every computer object in the domain
$ComputerName = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
foreach ($CN in $ComputerName) {
    Write-Host $CN
}

This prints a list of all the computers joined to your AD infrastructure. Save it to a file with the .ps1 extension and run it. To save the output to a file instead, replace Write-Host with Write-Output and run the script with > filename.txt appended.

How to: Move all FSMO roles on a domain controller

Before moving any roles, first check exactly which server currently holds each of them. To do this, open a command prompt and run the following command.

Netdom /query FSMO

This lists the five roles and their current owner, as below.

C:\Users\Administrator.dom>netdom /query fsmo
Schema master     srv01.mydomain.com
Domain naming master     srv01.mydomain.com
PDC     srv01.mydomain.com
RID pool manager     srv01.mydomain.com
Infrastructure master     srv01.mydomain.com
The command completed successfully.

To transfer the FSMO roles, change the Operations Master settings in Active Directory Users and Computers, Active Directory Domains and Trusts and Active Directory Schema. This is best done on the new server that the roles are being transferred to.

1. Open Active Directory Users and Computers, right click on the domain name node (in my case mydomain.com) and select Operations Master. Make sure that the old server is shown in the top box and the new server in the bottom box, then click Change. Switch to the PDC tab and the Infrastructure tab and repeat the same operation.

2. Open Active Directory Domains and Trusts. Right click on the root node and select Operations Master. Make sure that the old server is shown in the top box and the new server in the bottom box, then click Change.

3. Open a command prompt as Administrator and type regsvr32 schmmgmt.dll to register the schema management DLL. Open MMC.EXE and click File > Add/Remove Snap-in. Find Active Directory Schema in the list, click Add and then OK. Right-click the Active Directory Schema node and select Change Active Directory Domain Controller; select the new server, in this case srv02.mydomain.com. Right-click the Active Directory Schema node again and select Operations Master. Make sure that the old server is shown in the top box and the new server in the bottom box, then click Change.

If you now run Netdom /query FSMO again, the roles are shown as pointing to the new server, i.e. srv02.mydomain.com.
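
The same transfer done with the ActiveDirectory PowerShell module instead of the three GUI snap-ins, as an added example that is not part of the original post. It assumes the module is installed, that you are a member of Schema Admins and Enterprise Admins (required for the schema master and domain naming master), and uses srv02 from the post as the new owner.

```powershell
# Added example (not from the original post): transfer all five FSMO roles to one
# domain controller and verify the result before and after.
# Assumes the ActiveDirectory module; $NewOwner is the DC that should hold the roles.
Import-Module ActiveDirectory
$NewOwner = "srv02"

# Same information as "netdom /query fsmo": forest-wide roles come from Get-ADForest,
# domain-wide roles from Get-ADDomain.
function Get-FsmoOwners {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'PDC'                   = $domain.PDCEmulator
        'RID pool manager'      = $domain.RIDMaster
        'Infrastructure master' = $domain.InfrastructureMaster
    }
}

Write-Host "Before:"
Get-FsmoOwners | Format-Table -AutoSize

# Graceful transfer: the current owner must be online and agree to hand the role over.
# Do not add -Force here; -Force seizes the roles and is only for a DC that is gone
# for good and will never be brought back online.
Move-ADDirectoryServerOperationMasterRole -Identity $NewOwner `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

Write-Host "After:"
Get-FsmoOwners | Format-Table -AutoSize
```

Replication of the change takes a moment, so if the "After" table still shows the old owner on some roles, re-run Get-FsmoOwners after a short wait rather than re-issuing the move.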

How to: Clean User’s Active Directory Schema from previous Lync installation

Sometimes, when you install Lync and later change the server, you may have problems adding the clients back to the newly created server. Typically the users cannot log in, or the Lync management panel shows an error like the one below when you enable a user:

"RegistrarPool" with identity "1234567890" assigned to "sip:sysadmin@noelpulis.com" has been removed from the configuration store.

You may also encounter this error:

Cannot move user in enable operation. Use the Move user cmdlet instead

To clean up the user you will need to edit the user's Lync attributes directly in Active Directory. Open ADSI Edit on your domain controller, connect to the Default naming context, find the user you need to change (in this case sysadmin) and select Properties. Clear each of the properties below.

msRTCSIP-ArchivingEnabled
msRTCSIP-FederationEnabled
msRTCSIP-InternetAccessEnabled
msRTCSIP-OptionFlags
msRTCSIP-PrimaryHomeServer
msRTCSIP-PrimaryUserAddress
msRTCSIP-UserEnabled
msRTCSIP-UserPolicies

After clearing these attributes, exit ADSI Edit and retry in Lync. The user should now work.
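
The same clean-up scripted with the ActiveDirectory module, as an added example that is not part of the original post: it first saves the current values of the eight msRTCSIP attributes listed above so the change can be reversed, then clears only the ones that are actually set. It assumes the module is available, uses the sysadmin account from the post, and the backup path is a placeholder.

```powershell
# Added example (not from the original post): back up and clear the msRTCSIP-*
# attributes of one user instead of editing them by hand in ADSI Edit.
# Assumes the ActiveDirectory module; $User is from the post, $BackupPath is a placeholder.
Import-Module ActiveDirectory
$User       = "sysadmin"
$BackupPath = "C:\Temp\$User-msRTCSIP-backup.json"   # placeholder, change as needed

# The attributes listed in the post
$Attributes = @(
    'msRTCSIP-ArchivingEnabled',     'msRTCSIP-FederationEnabled',
    'msRTCSIP-InternetAccessEnabled', 'msRTCSIP-OptionFlags',
    'msRTCSIP-PrimaryHomeServer',    'msRTCSIP-PrimaryUserAddress',
    'msRTCSIP-UserEnabled',          'msRTCSIP-UserPolicies'
)

# Read the current values first so the change is reversible
$before   = Get-ADUser -Identity $User -Properties $Attributes
$snapshot = [ordered]@{}
foreach ($a in $Attributes) { $snapshot[$a] = $before.$a }
$snapshot | ConvertTo-Json | Set-Content -Path $BackupPath
Write-Host "Saved current values to $BackupPath"

# Clear only the attributes that currently hold a value
$toClear = @($Attributes | Where-Object { $null -ne $before.$_ })
if ($toClear.Count -gt 0) {
    Set-ADUser -Identity $User -Clear $toClear
    Write-Host ("Cleared: {0}" -f ($toClear -join ', '))
} else {
    Write-Host "Nothing to clear; all listed attributes are already empty."
}
```

If the clean-up turns out to be wrong, the saved JSON gives you the values to put back with Set-ADUser -Replace.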
