Channel: Directory Services forum

Configure Primary/Secondary Time Source for Clients


Dear Support,

Normally I have used command from CMD: w32tm /query /status

To check the time source, currently all clients are pointing to PeerDC. If PeerDC under maintenance, all clients unable to sync the time.

On client I check by command, the source still point to peerDC which already in maintenance.

How can I configure on Client auto switch timesource to rootDC in case PeerDC unavailable?

Thank you,
Hoang


Upgrading Active Directory from 2008 R2 to 2016


Hello Folks,

Can anyone outline few steps for upgrading the active directory from windows server 2008 R2 to windows server 2016 with some prerequisites. 

One more query can we add 2016 as a domain controller to 2008 R2 domain forest ?

My plan is to create a new server of win 2016 and join to the existing server and promote it to the domain controller.

Then move the roles from 2008 r2 to 2016 r2.

Appreciate your replies.

Thanks !

Access denied trying to add a computer alias


Hello,

Running netdom computername <COMPUTER> /add:<ALIAS> as domain admin I got "Access denied". I have verified the user has full control on msDS-AdditionalDnsHostName for <COMPUTER>.

What puzzles me is the DNS entry is not created but netdom computername <COMPUTER> /enum shows <ALIAS> in the name list, but msDS-AdditionalDnsHostName is set to <none> (I don't know what value must hold after a successful /add)

netdom computername drogon /add:drogon1.domain.local
Unable to add drogon1.domain.local
as an alternate name for the computer.
The error is:
Access is denied.
The command failed to complete successfully.

netdom computername drogon /enum
All of the names for the computer are:
drogon.domain.local
drogon1.domain.local
The command completed successfully.

Thank you in advance.

SASL GSS-API Integrity


Any idea what this err means?

Lightweight Directory Access Protocol

    SASL Buffer Length: 133

    SASL Buffer

        GSS-API Generic Security Service Application Program Interface

        GSS-API payload (60 bytes)

            LDAPMessage

                BER Error: Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected

                    [Expert Info (Warning/Malformed): BER Error: Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected]

                        [BER Error: Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected]

                        <Message: BER Error: Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected>

                        [Severity level: Warning]

                        [Group: Malformed]

                    <Malformed Packet>


DC replicate issue: Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set


Hi experts,

  My secondary DC(Domain Controller) does not have any objects in Computers and Users OUs(Organization Unit). I ran dcdiag and found the error: “Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set”.

  I google and found two links mentioning about permission issues but they do not mention the location very clearly, please help.

http://www.squidworks.net/2013/02/solved-dcdiag-fails-for-ncsecdesc-test-and-adprep-rodcprep-fails-to-fix-it/

https://mpgnotes.wordpress.com/tag/error-nt-authorityenterprise-domain-controllers-doesnt-have-replicating-directory-changes-in-filtered-set-access-rights-for-the-naming-context-dcforestdnszonesdcdomainxxxdcxxx-security-permi/

  Is it in ADSI Edit -> Configuration[qrdcsapdc7.qcisap.corp] -> CN=Configuration,DC=qcisap,C=corp -> properties -> Security -> ENTERPRISE DOMAIN CONTROLLER -> Advanced -> Auditing -> Administrators -> Edit? Should it have only five permissions here?

Is there any Microsoft documents mentioning this?

------ dcdiag ------


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = qrdcsapdc7

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\QRDCSAPDC7

      Starting test: Connectivity

         ......................... QRDCSAPDC7 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\QRDCSAPDC7

      Starting test: Advertising

         ......................... QRDCSAPDC7 passed test Advertising

      Starting test: FrsEvent

         ......................... QRDCSAPDC7 passed test FrsEvent

      Starting test: DFSREvent

         ......................... QRDCSAPDC7 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... QRDCSAPDC7 passed test SysVolCheck

      Starting test: KccEvent

         ......................... QRDCSAPDC7 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... QRDCSAPDC7 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... QRDCSAPDC7 passed test MachineAccount

      Starting test: NCSecDesc

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=qcisap,DC=corp
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=qcisap,DC=corp
         ......................... QRDCSAPDC7 failed test NCSecDesc

      Starting test: NetLogons

         ......................... QRDCSAPDC7 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... QRDCSAPDC7 passed test ObjectsReplicated

      Starting test: Replications

         ......................... QRDCSAPDC7 passed test Replications

      Starting test: RidManager

         ......................... QRDCSAPDC7 passed test RidManager

      Starting test: Services

            Invalid service startup type: DFSR on QRDCSAPDC7, current value

            DISABLED, expected value AUTO_START

            DFSR Service is stopped on [QRDCSAPDC7]

         ......................... QRDCSAPDC7 failed test Services

      Starting test: SystemLog

         ......................... QRDCSAPDC7 passed test SystemLog

      Starting test: VerifyReferences

         ......................... QRDCSAPDC7 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : qcisap

      Starting test: CheckSDRefDom

         ......................... qcisap passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... qcisap passed test CrossRefValidation

   
   Running enterprise tests on : qcisap.corp

      Starting test: LocatorCheck

         ......................... qcisap.corp passed test LocatorCheck

      Starting test: Intersite

         ......................... qcisap.corp passed test Intersite

------ showrepl.csv ------

showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,QRDCSAPDC3,"DC=qcisap,DC=corp",Default-First-Site-Name,QRDCSAPDC7,RPC,0,0,2018/10/1 13:40,0
showrepl_INFO,Default-First-Site-Name,QRDCSAPDC3,"CN=Configuration,DC=qcisap,DC=corp",Default-First-Site-Name,QRDCSAPDC7,RPC,0,0,2018/10/1 12:57,0
showrepl_INFO,Default-First-Site-Name,QRDCSAPDC3,"CN=Schema,CN=Configuration,DC=qcisap,DC=corp",Default-First-Site-Name,QRDCSAPDC7,RPC,0,0,2018/10/1 12:57,0
showrepl_INFO,Default-First-Site-Name,QRDCSAPDC3,"DC=DomainDnsZones,DC=qcisap,DC=corp",Default-First-Site-Name,QRDCSAPDC7,RPC,0,0,2018/10/1 12:57,0
showrepl_INFO,Default-First-Site-Name,QRDCSAPDC3,"DC=ForestDnsZones,DC=qcisap,DC=corp",Default-First-Site-Name,QRDCSAPDC7,RPC,0,0,2018/10/1 12:57,0
showrepl_INFO,Default-First-Site-Name,QRDCSAPDC7,"DC=qcisap,DC=corp",Default-First-Site-Name,QRDCSAPDC3,RPC,0,0,2018/10/1 13:40,0
showrepl_INFO,Default-First-Site-Name,QRDCSAPDC7,"CN=Configuration,DC=qcisap,DC=corp",Default-First-Site-Name,QRDCSAPDC3,RPC,0,0,2018/10/1 12:51,0
showrepl_INFO,Default-First-Site-Name,QRDCSAPDC7,"CN=Schema,CN=Configuration,DC=qcisap,DC=corp",Default-First-Site-Name,QRDCSAPDC3,RPC,0,0,2018/10/1 12:51,0
showrepl_INFO,Default-First-Site-Name,QRDCSAPDC7,"DC=DomainDnsZones,DC=qcisap,DC=corp",Default-First-Site-Name,QRDCSAPDC3,RPC,0,0,2018/10/1 12:51,0
showrepl_INFO,Default-First-Site-Name,QRDCSAPDC7,"DC=ForestDnsZones,DC=qcisap,DC=corp",Default-First-Site-Name,QRDCSAPDC3,RPC,0,0,2018/10/1 12:51,0


Any limitations Or disadvantages with using msds-memberoftransitive?


Hi,

Using msds-memberoftransitive attribute to get direct and transitive(nested) group membership of users. Would like to know if anyone there using it and any limitations with using msds-memberoftransitive attribute?

Comparing with nested group search control "member:1.2.840.113556.1.4.1941", msds-memberoftransitive is quite fast. Other way, any limitations Or disadvantages with msds-memberoftransitive attribute?

Question could be too generic, but looking at responses from others experience.

As these are two different approaches, any recommendation on when to use which approach?

Thanks,

Lokesh

domain name in windows server 2012 R2


Hi

can we create abc.local as domain name while installation active directory.


Arvind

Logon Failure: the target account name is incorrect


hi all,

we have got one domain controller (2003 sp2) with small no of PCs added to it.

now if I'm trying to add new workstation (2008R2) it says the above message. and also if i try to add as a domain controller, it gives the same error "Logon Failure: the target account name is incorrect".

there is no PCs for the same name. no duplications and also tried with different user credentials.

anyone gone through this?

 

thanks

 


How to Renewal CA root certificate


Dear Team,

we are using Certification Authority local server in Windows Server 2008 R2 standard.

In our root certificate will go to expire on next month.

please help us to renew the Root certificate.

in this certificate is used in Domain controller & Exchange.


Regards, Pradhap P

How to add IP to domain controller

How to add IP to domain controller

CA Certificate - Windows Server local network

Good afternoon,

I have a question about the CA Certificates issued in Windows Server for Web sites.

The situation I have is as follows:

I have a server outside the X.int domain (Wserver), and another server within the X.int domain (Eserver). The Wserver server has several hosted sites that will be queried only by computers/users within the X.int domain.
At this point i need to change to https, and it is necessary to have a "trusted certificate", but at this moment i receive the indication that the a page is not secure.
Is there any way to issue a trusted certificate from Wserver or Eserver (or some alternative, maybe with a gpo for example)?

Active directory


Hello

I have some questions. Please answers me on your own words

1- I have two forests. abc.com and xyz.com. I want to move all objects from abc.com to xyz.com. is it possible or not? If possible then how?

2- this question is relevant to active directory site and services. Please tell me KCC works only on additional domain controller or it works on both sites. domain controller site and additional domain controller site.

3- I have one forest. In this forest I have one root domain and two more parent domains. Can I transfer schema master role and domain naming master role from root domain to any parent domain? If yes then how?

User with no information on whoami tool


See below, the weirdest thing: the whoami tool does not report any information:

Windows10/1511

C:\Users\mjordao>whoami
DOMAIN\MJORDAO

C:\Users\mjordao>whoami /user
DOMAIN\MJORDAO

C:\Users\mjordao>whoami /SID
DOMAIN\MJORDAO

C:\Users\mjordao>whoami /GROUPS
DOMAIN\MJORDAO

C:\Users\mjordao>whoami /?
DOMAIN\MJORDAO

As you can see, no output at all

tests i did:

1) psloggedon  shows correct SID of the user

2) if i copy/clone/duplicate the user, no problem

3) If i open the CMD as admin, the SIDs are all there, no problem

4) Several logoffs and reboots

The problem came up after user complaining about a specific sub-sub-folder of a multi-terabyte file server and the user can read and write with no problem, during the investigation, i noticed that the behaviour is consistent like the user hasn't anymore member of any group (access denied on folder) but in many other folders under the same mapped drive letter, the access is ok

which tools can I use to check for kerberos tokens, groups, etc?

Configure Site and Site link for multiple site


Hello Team,

Please help me or suggest we have 10 sites in  we want  configure active directory site and services for 10 site , how can we create site link and site  for replication for main DC ? all sites connected through MPLS link.

Authentication error on RODC in DMZ site

Hi All,

I have this procedure to join offline a server in DMZ to a 2012r2 domain on lan


LOG ON PDC
CMD (ADMIN)
djoin /provision /domain ourdomain /machine nameserver /savefile c:\a.txt
VERIFY THE CREATION OF THE ACCOUNT UNDER THE OU COMPUTER
Force the replication
LOG on server
COPY THE FILE CREATED IN THE SAME PATH
Change DNS: DMZ DNS (RODC)
CMD (ADMIN)
djoin /requestodj /loadfile c:\a.txt /windowspath  %systemroot% /localos 
RESTART SERVER
Change ou from computer to DMZ ou
Force replication
Add the new SERVER to ALLOWED RODC PASSWORD REPLICATION GROUP
Add new server on dns (DC1 and DC2)
Force replication

This join procedure it's ok , but on some joined server, when I try to log on , I receive this error:
"There are currently no logon server available to service the logon request"

Other information:
The nslookup it's ok from rodc and DC1 and DC2
No error launching the DCDIAG on DC1 , DC2 and RODC


Have you any ideas?

Regards

Monitor AD replication


Dears,

We have an Active Directory that we think it has been breached.

Now we are planning a scenario to move to a different network, but in order to have the same AD we need to create a second DC then migrate the FSMO roles.

Is there any tool from Microsoft to scan the replication for any malicious activity or users during the replication?

Best Regards,

SYSVOL and NETLOGON not shared after dcpromo

Hello people,
Domain with a Windows 2003 Server SP2 32 Bits Spanish Domain Controller (DC1). I've added a new domain controller (DC2) with Windows 2003 Server SP2 R2 Spanish 64 Bits (adprep /forest and /domain ok before).
There aren't sysvol and netlogon as shared folders, and of course there is nothing in it in the domain name folder.

In the DC2, there are some 13508 NTFRS error id in the event viewer (not the 13509), against the first domain controller DC1.

In the DC1, there are 13568 NTFRS errors, about "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

Any ideas???

thanks in advance

Demoting only 2003 DC from root domain (Forest and domain functional level 2003)

Dear All,

I need your experts help in clarifying my doubt regarding the demotion of 2003 server from the root domain.

Below is example of my environment.

I am planning to demote rootdc01.abc.com (Win svr 2003)

My question is as follows.

My forest and Domain functional level is at 2003. I have only one 2003 server in root domain.

What will happen if i demote the 2003 server from root domain, would there be any impact to the root domain or subdomains? can i go ahead to demote 2003?


Root Domain (Forest functional level 2003 & Domain functional Level 2003)

rootdc01.abc.com (Win svr 2003)
rootdc02.abc.com (PDC) (Win svr 2008)
rootdc03.abc.com (Win svr 2008)
rootdc04.abc.com (Win svr 2008)

sub domain 1

svrdc01.us.abc.com (Win svr 2008)
svrdc02.us.abc.com (Win svr 2008)
svrdc03.us.abc.com (Win svr 2008)
svrdc04.us.abc.com (Win svr 2003)
svrdc05.us.abc.com (Win svr 2008)
svrdc06.us.abc.com (Win svr 2003)
svrdc07.us.abc.com (Win svr 2008)

sub domain 2

ddsvrdc01.ch.abc.com (Win svr 2003)
ddsvrdc02.ch.abc.com (Win svr 2008)
ddsvrdc03.ch.abc.com (Win svr 2008)
ddsvrdc04.ch.abc.com (Win svr 2003)
ddsvrdc05.ch.abc.com (Win svr 2008)
ddsvrdc06.ch.abc.com (Win svr 2008)
ddsvrdc07.ch.abc.com (Win svr 2008)


sub domain 3

ccsvrdc01.uk.abc.com (Win svr 2008)
ccsvrdc02.uk.abc.com (Win svr 2008)
ccsvrdc03.uk.abc.com (Win svr 2008)
ccsvrdc04.uk.abc.com (Win svr 2008)
ccsvrdc05.uk.abc.com (Win svr 2003)
ccsvrdc06.uk.abc.com (Win svr 2008)
ccsvrdc07.uk.abc.com (Win svr 2003)


Thank you all in advance.

Authoritative and non authoritative restore


Hello

Please define me about authoritative and non authoritative  in your own words with example. thanks

Regards

Authoritative and non authoritative system state backup restore


Hello

Please define me about authoritative and non authoritative system state backup restore in your own words with example. thanks

Regards

