Group policy not working - active-directory

Hi, we have two offices at different locations. They are set up in Active Directory Sites and Services, and Active Directory is replicated between the two over a VPN.
I can see all the group policies at the other site and they all look the same, but when we log in at the first site they get a default desktop and not the desktop that we have at the first site with programs that are launched at logon.
I guess this must be down to the programs and scripts we have that run on logon, but this only happens for some users.
I am not sure what the scripts do currently, but I thought I would post this here while I'm investigating it further in case any of you have encountered anything similar.

Check the domain controller the PCs with the problems are connecting to by running SET at the command prompt of the PC and looking for the logon server.
Once you know the logon server of the PC (when it's getting the issue), open the GPMC and manually connect to this DC (right-click on the Domain and select "Change Domain Controller").
Now check that the GPOs show the settings as expected. If not then it's a replication problem.
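
The check described in this answer can be run against every domain controller at once. The following PowerShell is an added example, not part of the original thread; it assumes a domain-joined machine with the RSAT ActiveDirectory and GroupPolicy modules and read access to the domain, and it lists GPOs whose AD or SYSVOL version numbers disagree between DCs.

```powershell
# Added example: compare each GPO's AD and SYSVOL version numbers on every DC.
# Assumes RSAT (ActiveDirectory + GroupPolicy modules) and domain read access.
Import-Module ActiveDirectory, GroupPolicy

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# The DC this session authenticated against (the value SET shows as LOGONSERVER).
Write-Host "Logon server for this session: $env:LOGONSERVER"

$rows = foreach ($dc in $dcs) {
    try {
        foreach ($gpo in Get-GPO -All -Domain $domain -Server $dc -ErrorAction Stop) {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                DC         = $dc
                UserAD     = $gpo.User.DSVersion
                UserSysvol = $gpo.User.SysvolVersion
                CompAD     = $gpo.Computer.DSVersion
                CompSysvol = $gpo.Computer.SysvolVersion
            }
        }
    } catch {
        Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
    }
}

# Only DCs that answered count when checking whether a GPO is missing somewhere.
$reached = @($rows | Select-Object -ExpandProperty DC -Unique).Count

# Flag a GPO if it is absent on a reachable DC, if its versions differ between
# DCs, or if the AD and SYSVOL halves disagree on any single DC.
$rows | Group-Object GPO | ForEach-Object {
    $sigs = $_.Group |
        ForEach-Object { "$($_.UserAD)/$($_.UserSysvol)/$($_.CompAD)/$($_.CompSysvol)" } |
        Sort-Object -Unique
    $split = $_.Group |
        Where-Object { $_.UserAD -ne $_.UserSysvol -or $_.CompAD -ne $_.CompSysvol }
    if ($_.Count -lt $reached -or @($sigs).Count -gt 1 -or $split) { $_.Group }
} | Sort-Object GPO, DC | Format-Table -AutoSize
```

An empty table means every reachable DC holds the same version of every GPO; any rows printed point at the GPOs and DCs to examine for AD or SYSVOL replication problems.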

Related

BULK INSERT error when the file location changed to remote share

I am getting the following error on BULK INSERT after the file location was changed to a remote share. Before, it used to be a shared folder on a local drive and we never ran into this issue. I am running this BULK INSERT from my local PC, connecting to SQL Server via SSMS.
I have made sure both SQL server and file permissions are in place.
Before when I ran this command from SSMS, it was \\SQLServer\FTP location which was a shared folder in local drive in that SQL Server but now I changed the file location to a network share \\Fileshare\FTP and have the above error but both SQL service account (domain account) and me (domain account) have elevated permission on that new location.
Any help or suggestions!!
Thanks,
I can identify three circumstances that might generate this issue:
From the SQLAuthority Blog, full detail on a related backup issue where there is a cross-domain link (in this case, from a workgroup to a full domain).
There are also two other possible answers in the question Cannot bulk load because the file could not be opened. Operating system error code 1326(Logon failure: unknown user name or bad password.) here on StackOverflow. We can discount the first one (login permissions) because you stated that you had permissions, but the other solution (I fixed it by adding the SQL Server port number to the connection string in SSIS, forcing SSIS to access SQL Server through TCP/IP instead of Named Pipes.) could apply. Try forcing a connection to the server using TCP/IP.
All of these issues appear to be related to having an attempt at cross-domain communication. If this is the issue with you, one or more of these fixes should be applicable to your issue.
-
It finally worked....
I had to configure Kerberos Authentication following the guide from this link https://thesqldude.com/2011/12/30/how-to-sql-server-bulk-insert-with-constrained-delegation-access-is-denied/.
Of course, I had to make adjustments to suit our environment and had to involve Active Directory Admin for creating SPNs and enabling DELEGATION properties.
Thanks.

Activity Monitor always Paused in SSMS 17.8.1

Whenever I open the Activity Monitor in SQL Server Management Studio 17.8.1(14.0.17277) the overview always switches to (paused). Even if I choose resume, it quickly changes back to paused.
This happens on a variety of SQL Servers and SQL Server versions (2005 through 2016) so I don't believe it is a conflict with old vs new SQL Setups.
I can run Activity Monitor in SSMS 2012 (11.0.2100.60) on the same servers with no error which confirms that the service is actually running and functional.
Any help or insights would be appreciated. I'm not a fan of switching back and forth between two management studios if I can help it. (I use 17 so I can have context menus when right-clicking on items in SSMS, which won't work on 2016 servers in older versions of the studio.)
I set up a basic SQL login and found that Activity Monitor was permanently paused for this login. Then I granted this login the "View server state" permission and Activity Monitor now works. To do this, open up the Security and Logins folders for the relevant server instance, right-click a login and choose Properties. Choose Securables and you should see all Permissions listed in the bottom pane. Put a tick in the Grant column next to "View server state".
Run as administrator helps, but I only see this happen on SQL clusters
However I have found the following somewhere, can't remember where.
And I added the AD group with Sysadmin rights using these steps 1-5
1. Click Start, click Run, type DCOMCNFG, and then click OK.
2. In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
3. In the My Computer Properties dialog box, click the COM Security tab.
4. Under Launch and Activation Permissions, click Edit Limits.
5. In the Launch Permission dialog box, select your user and group in the Group or user names box. In the Allow column under Permissions for User, select Remote Launch and select Remote Activation, and then click OK.
Seems I don't need to follow step 6-8, so I have not tried these.
6. Under Access Permissions, click Edit Limits and give Remote Access to your user.
7. Go to DCOM Config (expand My Computer), find "Windows Management Instrumentation", right-click and select Properties.
8. In the Security tab, click on Edit under Launch and Activation Permissions, and give your user Remote Launch and Remote Activation.
I experienced the same as Izulien (running v 17.7 of SSMS), in our production environment with my personal user.
Reconnecting to dbs and restarting SSMS did not help.
However I did have access via the sa user to our dev-environment. Using the sa user did the trick in dev, and the same applied for our production environment, leading me to assume that this is connected with privileges/roles on my user.
In the environments that I manage, that only happens when I am using SSMS in a different computer, other than the server where actually the SQL Server ENGINE is installed. That is: SSMS client on a PC, and SQL Server engine/instance in a server. For me, 99% of the time this means: I am in Florida running a local PC Virtual Machine on my personal iMacPro, running SSMS, accessing a SQL Server server in Chicago via VPN.
So, I tend to believe this may be some sort of network timeout that happens..?
This is just a theory of mine. Because, if I actually Remote Desktop into the SQL Server itself and run SSMS locally in the server the Activity Monitor does not pause.
My two cents. Maybe someone can unravel this better.
EDIT: Also, I notice that it's when I expand the processes panel that shortly thereafter it pauses. If I leave the processes panel collapsed it does not happen, or at least not as promptly. AND, interestingly, if I open Activity Monitor, then I do NOT immediately open the process panel and let the graphs run for a while, say, two minutes, and THEN I open the process panel it does not pause anymore.
It seems to be that the initial population of the graphs AND the initial population of the process panel at the same time that cause the problem. At least that's the case for me across the SQL Servers I manage.
R.

Very Confused About SQL Server/SSMS Job Network Access/Accounts

Okay all, the subject is a pretty poor one, but I'm not sure how else to put it. I have Server 2012 with a bunch of jobs, all owned by sa. They all worked fine ever since I began working here in January 2016, but we recently made major changes to our servers. Currently, we have a few servers off the domain, and set up together as a workgroup. They're clones of what we were running before the shakeup, so include all the data/logins. The main difference is that they can't talk to our Active Directory anymore.
Back to SQL Server. Some of the jobs on the server have to read from and write to an FTP folder on one of the servers which is in the same workgroup. That is, both the 2012 server and the FTP server are on the same workgroup, so should talk to each other with no problem. However, some of the jobs keep failing because of logon errors when trying to connect to the FTP server. I'm not using FTP, but rather network locations, like \\1.2.3.4\ftp\folder\file.txt in my job code. This worked perfectly until the servers moved. Skipping the long and confusing reasons why, suffice it to say that this server won't be back in contact with Active Directory for some time. Indeed, letting it be so can't happen until we can shut down its on-domain counterpart. However, we can't do that until I get this working sans domain contact. Again, long story behind that catch-22.
My questions after dealing with all this are:
If the job in question is owned by sa, why do the logs show logon attempts by nt access\network authority?
How/where can I change the username/password the 2012 server is using to talk to the FTP server?
Is there a way I could access the FTP server, given the workgroup setup in place, that's easier than what I'm trying to do now? Sharing settings on the FTP folder, for instance?
Thanks for any explanations anyone can offer. I'm thoroughly confused about permissions, accounts, credentials, and remote access and have no idea where to turn, having googled all of this exhaustively.
I have not worked with servers that were not domain joined, but I have had similar issues when using SSIS across sub-domains (see original answer below for more detail). I would look at the setup of SQL Server and see what service accounts were used for the SQL database service and the SQL Agent service (check out https://msdn.microsoft.com/en-us/library/ms143504.aspx). Also, make sure that the server accounts have permissions to the file system locations (you likely already did that, but just in case).
Original Answer for SSIS Situations (I misunderstood that the asker wasn't using SSIS):
You might need to set up a proxy to control what account is used. There is a section on proxies in this article that you might find helpful. I suggest reading the entire article, it might shed some light.
https://www.simple-talk.com/sql/database-administration/setting-up-your-sql-server-agent-correctly/

DNN theme not loaded after migration

I'm absolutely new to DNN world, and I have to migrate a bunch of websites from a web server to another.
Following my expectations and some "guide" on the web, I did:
Exported SqlServer databases from old server
Imported all databases in new server
Copied the whole c:\inetput\vhosts directory from old server to the new one
Manually created the vhosts entries in IIS to host the websites (setting the vhost on the httpdocs dir and converting the subfolder "portal" to an application)
After some problems with app pool, user permissions, database user configurations etc., I managed to get the websites running.
But what happens is that the websites seem to load the default "theme" instead of the one that was in use on the production server. What did I forget?
There is likely an Error that is being thrown with the current "skin" so you'll need to get into the Event Viewer (under the admin page) if you can get logged in, or into the EventLog table in the database to see what errors are being thrown.
select top 50 * From eventlog order by logcreatedate desc

Unable to modify Active Directory from Test/Production servers

OK since I am in a holding pattern on this issue perhaps someone has seen these symptoms and can provide some sage advice. (Note: I have learned only enough Active Directory information to build this feature and I only have read access to the Active Directory.)
I updated the company intranet to allow the automatic entry/modification of employee phone/address information; it uses a web service to connect to the company Active Directory so I can call it from multiple locations in the main application.
The AD has two domains (A and B) in the same forest. Each domain has an ‘ADS update user’ group and an ‘ADSupdate’ account (which belongs to ‘ADS update user’).
Problem: Entries in Domain A update fine for Local Development Servers, Test Servers, and Production Servers. Entries in Domain B update only when run from Local Development Servers. When you run the same code (verified multiple times) on either Test or Production you get a (General access denied error).
The domain name is stored in the employee record so the exact same code is called for all employees.
All Local Development Servers, Test, and Production servers reside in Domain A.
This has the Active Directory Admin for Domain B stumped and to be honest I am thankful that the Local Development Servers are able to update the Active Directory entries in domain B. It proves that the code works at least in one location
I have looked at machine permissions, permissions on the group and user, and IIS and I can spot no significant differences.
Any help would be appreciated…
Is integrated authentication enabled on any of the web service applications?
Is the production application on domain A installed on a domain controller?
Do the updates from the development workstation work when you call the web service from a remote machine?
This was not caused by any code changes. The Production and Test servers were upgraded and run a newer version of IIS (6.0). The newer version of IIS will not work across Active Directory domains.
My development machine is running the older version of IIS (5.1).
This explains why everything was working last year and then suddenly stopped working. There are so few employees in the other domain that it was not immediately noticed.
