Re: New accounts replicate disabled.



I do that and it works exactly as expected.

G:\>adfind -default -f name=testadminclone useraccountcontrol -samdc

AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:CN=TestAdminClone,CN=Users,DC=test,DC=loc
>userAccountControl: 512 [NORMAL_USER(512)]


1 Objects returned

G:\>adfind -default -f name=testadminclone useraccountcontrol -samdc -h r2dc2

AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006

Using server: r2dc2.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:CN=TestAdminClone,CN=Users,DC=test,DC=loc
>userAccountControl: 512 [NORMAL_USER(512)]


1 Objects returned



The only thing I can think of is that the replication is occurring prior to the enabling happening. As I mentioned before, the account is created disabled and then after that it is enabled. I would find it odd that you would consistently see replication fast enough to get the disabled account across but the enable takes a while.

Do the accounts get enabled within your replication convergence period?

What does the replication metadata look like on the account on the two servers?

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



chewbacca wrote:
Here are the steps taken....
Find a current employee in AD (account is enabled)
Right click the user in AD select Copy
Fill out the Name and other user info and click OK
Account shows as normal in AD on the server where the acct. was created.
When I go on the second server where the account should be replicated to there is a red circle w/ an X on the account.

When I right click on the account on the server where the account was created I see "Disable Account" meaning the account is enabled according to AD on that server. However, when I right click on the same account on the server where that account replicated to I see "Enable Account" meaning the account is disabled.

Anyone know a good Catholic priest? DEMON BE GONE!


"Joe Richards [MVP]" wrote:

Then the accounts are disabled on both. An account doesn't get created enabled and replicate to another DC and disable. In actual fact, when you get down to the nuts and bolts, accounts are created disabled by all scripts and MSFT tools, then later in the script or tool the account is enabled. Accounts CAN be created enabled, but there aren't many tools that do it properly.




chewbacca wrote:
Actually it doesn't matter which of the two servers I create the account on. When the account replicates to the other server it's disabled. If I enable it everyone's happy.

"Joe Richards [MVP]" wrote:

Are you saying the account isn't disabled on your secondary DC but is on your primary DC? Are you positive? I mean really positive?




chewbacca wrote:
Using Win2K server. When I create an account on our secondary DC in AD it replicates to our primary server but is disabled. Am I missing a setting somewhere that will allow the account to replicate enabled?

Thanks
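
The check discussed in this thread (compare userAccountControl for the same object on each DC) can be automated. The following is an added example, not part of the original posts and not joeware code: it parses AdFind text output in the layout shown above, decodes a subset of the documented userAccountControl bits, and reports objects whose disabled bit differs between two DCs. The function names and the second DC's value of 514 are constructed for illustration.

```python
import re

# Subset of the documented userAccountControl bit flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

def parse_adfind(text):
    """Return (server, {dn: userAccountControl}) from AdFind text output."""
    server, dn, result = None, None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Using server:"):
            server = line.split(":", 1)[1].strip()
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        else:
            m = re.match(r">userAccountControl:\s*(\d+)", line)
            if m and dn:
                result[dn] = int(m.group(1))
    return server, result

def decode_uac(value):
    """Names of the known flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def compare_dcs(output_a, output_b):
    """DNs whose enabled/disabled state differs between the two DCs."""
    srv_a, a = parse_adfind(output_a)
    srv_b, b = parse_adfind(output_b)
    diffs = []
    for dn in sorted(set(a) & set(b)):
        if (a[dn] ^ b[dn]) & 0x0002:  # only the ACCOUNTDISABLE bit matters here
            diffs.append((dn, {srv_a: decode_uac(a[dn]), srv_b: decode_uac(b[dn])}))
    return diffs

# Constructed sample: DC1 as in the thread, DC2 with a made-up disabled value.
SAMPLE_DC1 = """Using server: r2dc1.test.loc:389
dn:CN=TestAdminClone,CN=Users,DC=test,DC=loc
>userAccountControl: 512 [NORMAL_USER(512)]
"""
SAMPLE_DC2 = """Using server: r2dc2.test.loc:389
dn:CN=TestAdminClone,CN=Users,DC=test,DC=loc
>userAccountControl: 514
"""
```

A value of 546 decodes to ACCOUNTDISABLE, PASSWD_NOTREQD and NORMAL_ACCOUNT; seeing a value with the disabled bit on one DC and 512 on the other fits the "replicated before the enable" explanation given above.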