Channel: Directory Services forum

Account Lockout


Hi Experts,

I have an AD account with which I perform my daily tasks, such as logging in to remote desktops, the scheduler and other tasks.

For the past 10 days my account has been getting locked daily in the evening, around 5:45 to 6:00 PM, and every day I have to unlock it, which is a painful activity.

For troubleshooting purposes I referred to https://activedirectorypro.com/account-lockout-tool/ and did some R&D, but I am unable to understand the real issue.

First I checked that the Orig Lock (using the Lockout Status tool) is one of my domain controllers, so I checked that domain controller for event ID 4740; the caller computer name is "CSAPL-NMS". Next I logged on to the caller computer and filtered for event 4625, but I was unable to find any relevant event giving more description of the service the caller computer performed.

While reviewing the log on the caller computer "CSAPL-NMS" I found event ID 4648, and found that a Windows Server 2003 machine named "cs-new-hrms" is the target server.

All the relevant screenshots and logs:

https://crescentpk-my.sharepoint.com/:f:/g/personal/osama_mansoor_crescent_com_pk/EtZfe2oWyF9BqRxgQGzAXfIB_qs5IT83i98u26SZ3eyzzQ?e=c9sc03
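One way to script the chain described in the post, from the PDC emulator's 4740 event to the caller computer's own 4625/4648 events, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module, rights to read the Security log on the DC and on the caller machine, and that the caller audits logon failures (4625) and explicit-credential logons (4648); the account name is a placeholder. Event 4740 carries the caller computer name in its second data field, which is what the script pivots on.

```powershell
# Added example (not from the post): follow a lockout from the PDC emulator's 4740 event
# to the caller computer's 4625/4648 events. The account name is a placeholder.
param(
    [string]$User  = 'osama.mansoor',   # assumed sample account
    [int]$Hours    = 24
)
Import-Module ActiveDirectory

# Every lockout is forwarded to the PDC emulator, so its Security log has the complete list.
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$Hours)

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $User }   # Properties[0] = TargetUserName

foreach ($e in $lockouts) {
    # In 4740 the second data field (TargetDomainName) carries the caller computer name
    $caller = $e.Properties[1].Value
    '{0:u}  {1} locked out; caller computer: {2}' -f $e.TimeCreated, $User, $caller

    # On the caller: 4625 gives logon type, process and source address of the failed attempt;
    # 4648 names the process that used stored credentials and the target server it went to.
    $fields = 'Logon Type|Process Name|Target Server Name|Source Network Address|Caller Process Name'
    Get-WinEvent -ComputerName $caller -FilterHashtable @{
        LogName   = 'Security'; Id = 4625, 4648
        StartTime = $e.TimeCreated.AddMinutes(-10); EndTime = $e.TimeCreated.AddMinutes(1)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($User) } |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = {
            ($_.Message -split "`r?`n" | Where-Object { $_ -match $fields } |
                ForEach-Object { $_.Trim() }) -join '; ' } } |
        Format-Table -Wrap -AutoSize
}
```

In the situation the post describes, the 4648 event on the caller is the useful one: its Process Name and Target Server Name fields identify the service, scheduled task or stored credential that is still presenting the old password to cs-new-hrms, and that is what needs updating rather than the account.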






Office 365 vs Google Apps

Hi Team,

Today I had a discussion with my friends about "Office 365 vs Google Apps". Can anyone give good reasons to move from Google Apps to O365?

Please share any documents you have regarding this!!


Thanks in Advance !!

NTRao.

Authentication error on RODC in DMZ site

Hi All,

I have this procedure to offline-join a server in the DMZ to a 2012 R2 domain on the LAN:


LOG ON PDC
CMD (ADMIN)
djoin /provision /domain ourdomain /machine nameserver /savefile c:\a.txt
VERIFY THE CREATION OF THE ACCOUNT UNDER THE OU COMPUTER
Force the replication
LOG on server
COPY THE FILE CREATED IN THE SAME PATH
Change DNS: DMZ DNS (RODC)
CMD (ADMIN)
djoin /requestodj /loadfile c:\a.txt /windowspath  %systemroot% /localos 
RESTART SERVER
Change ou from computer to DMZ ou
Force replication
Add the new SERVER to ALLOWED RODC PASSWORD REPLICATION GROUP
Add new server on dns (DC1 and DC2)
Force replication

This join procedure works, but on some joined servers, when I try to log on, I receive this error:
"There are currently no logon servers available to service the logon request"

Other information:
nslookup works from the RODC and from DC1 and DC2.
No errors when running DCDIAG on DC1, DC2 and the RODC.


Do you have any ideas?

Regards
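The same procedure with the password replication policy steps made explicit, as an added PowerShell example that is not part of the original post. All names (domain, server, RODC, OU) are placeholders. The point it adds to the step list above: an RODC can only service a logon for a principal whose secret it is allowed to cache, so both the server's computer account and the users who will log on at it need to be in the allowed list, and the secret can be pushed to the RODC up front instead of waiting for the first logon to travel over the DMZ link. The `nltest` checks at the end are what to run on a server that gets "no logon servers available".

```powershell
# Added example (not from the post): offline join of a DMZ server through an RODC, with the
# password replication policy steps that decide whether the RODC can service its logons.
# All names are placeholders.
$Domain = 'ourdomain.local'
$Server = 'dmz-app01'
$Rodc   = 'rodc-dmz'
$DmzOu  = 'OU=DMZ,DC=ourdomain,DC=local'
$Blob   = 'C:\a.txt'
Import-Module ActiveDirectory

# 1. Provision on a writable DC, straight into the DMZ OU (no later move needed)
djoin.exe /provision /domain $Domain /machine $Server /machineou $DmzOu /savefile $Blob

# 2. An RODC only authenticates principals whose secrets it may cache. The server's
#    computer account and the users who will log on there must be in the allowed list.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members ($Server + '$')

# 3. Pre-populate the secret on the RODC instead of waiting for first use over the DMZ link
$hub = (Get-ADDomain).PDCEmulator
$dn  = (Get-ADComputer -Identity $Server).DistinguishedName
repadmin.exe /rodcpwdrepl $Rodc $hub $dn

# 4. What the RODC is allowed to cache, and what it has actually cached
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Where-Object { $_.Name -like "$Server*" }

# 5. After 'djoin /requestodj /loadfile C:\a.txt /windowspath %SystemRoot% /localos' and a
#    reboot, on the DMZ server:
#      nltest /dsgetdc:ourdomain.local /force   -> should return the RODC, not a hub DC
#      nltest /sc_verify:ourdomain.local        -> secure channel to that RODC
#    1311 (ERROR_NO_LOGON_SERVERS) from nltest means the DC locator reached no DC at all:
#    RODC SRV records missing from the DMZ DNS, the DMZ subnet not mapped to the RODC's
#    site, or the firewall blocking the RODC's ports.
```

Keep the allowed list to what the DMZ actually needs: every account whose secret the RODC caches is an account that is exposed if the RODC in the DMZ is compromised, which is the whole reason it is an RODC.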

Promoting a dc at remote sites issues Please help


Hi All,

I have been trying to add a new DC at a remote site, which is connected through a VPN, with no success. There was a DC there previously and it was demoted (by a previous admin); now I want to add a new DC for faster logon. When I try to add the new DC, I get this error message: "The number of DNS servers registered as authoritative name servers for this domain could not be determined. Error: This operation returned because the timeout period expired". When I checked the dcpromo logs:

Dns_DoesDomainHostDns testing domain name net
   SOA query failed with error code 1460
   Dns_DoesDomainHostDns returning true with error 1460
   Found parent domain hosting DNS at net
  Dns_CountParentNsRecordsForDomain performing NS query for net
  NS query returned 1460 for domain test.com, parent net
  Dns_CountParentNsRecordsForDomain failed with error 1460 returning count 0 for domain test.com, parent com
  Dns_CountNsRecordsForDomain performing NS query for test.com
   Sending targetted NS query to 10.100.55.5
  Sending targetted NS query to 10.100.65.10
dcpromoui 420.8E8 0471 00:53:30.984   Sending targetted NS query to 10.100.55.5
dcpromoui 420.8E8 0472 00:53:43.043   Sending targetted NS query to 10.100.65.10
dcpromoui 420.8E8 0473 00:53:55.103   Found NS record with target dc1.test.com
dcpromoui 420.8E8 0474 00:53:55.103   Found NS record with target dc2.test.com
dcpromoui 420.8E8 0475 00:53:55.103   Found NS record with target dc3.test.com
dcpromoui 420.8E8 0476 00:53:55.103   Found NS record with target dc4.test.com
dcpromoui 420.8E8 0477 00:53:55.103   Found non-NS record of type 1
dcpromoui 420.8E8 0478 00:53:55.103   Found non-NS record of type 1
dcpromoui 420.8E8 0479 00:53:55.103   Found non-NS record of type 1
dcpromoui 420.8E8 047A 00:53:55.103   Found non-NS record of type 1
dcpromoui 420.8E8 047B 00:53:55.103   Dns_CountNsRecordsForDomain failed with error 1460 returning count 4 for domain test.com
dcpromoui 420.8E8 047C 00:53:55.103   HRESULT = 0x800705B4

I have followed these recommendations:

How to force Kerberos to use TCP instead of UDP in Windows

http://support.microsoft.com/kb/244474

Change the Default Maximum Transmission Unit (MTU) Size Settings for PPP Connections or for VPN

http://support.microsoft.com/kb/826159

Kindly assist.

Regards,
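Error 1460 in the log is ERROR_TIMEOUT (HRESULT 0x800705B4), and the 12-second gaps between the "Sending targetted NS query" lines are what a timed-out query looks like. The following added PowerShell example, not part of the original post, repeats the NS lookup dcpromo performs against each of the two DNS servers from the log, over UDP and over TCP, and then probes the path MTU across the VPN with don't-fragment pings. The domain name and server IPs are the ones in the log; nothing else is assumed.

```powershell
# Added example (not from the post): reproduce dcpromo's NS query against each DNS server
# over UDP and TCP with timings, then probe path MTU over the VPN.
$Domain  = 'test.com'
$Servers = '10.100.55.5', '10.100.65.10'     # from the dcpromo log

foreach ($srv in $Servers) {
    foreach ($tcp in $false, $true) {
        $proto = if ($tcp) { 'TCP' } else { 'UDP' }
        $q = @{ Name = $Domain; Type = 'NS'; Server = $srv; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($tcp) { $q.TcpOnly = $true }
        $sw = [Diagnostics.Stopwatch]::StartNew()
        try {
            $ans = Resolve-DnsName @q
            $sw.Stop()
            '{0,-14} {1,-4} {2,6} ms  NS: {3}' -f $srv, $proto, $sw.ElapsedMilliseconds,
                ((($ans | Where-Object { $_.Type -eq 'NS' }).NameHost) -join ', ')
        } catch {
            $sw.Stop()
            '{0,-14} {1,-4} FAILED after {2} ms: {3}' -f $srv, $proto, $sw.ElapsedMilliseconds, $_.Exception.Message
        }
    }
}

# Path MTU: the largest payload that passes with DF set, plus 28 bytes of IP+ICMP header,
# is the usable MTU. 1472 corresponds to 1500; VPNs commonly need something smaller.
foreach ($size in 1472, 1400, 1350, 1300) {
    $out = ping.exe -n 1 -f -l $size $Servers[0]
    $ok  = ($out -match 'TTL=').Count -gt 0
    'DF payload {0,4}: {1}' -f $size, $(if ($ok) { 'passes' } else { 'needs fragmentation or no reply' })
}
```

If UDP fails or is slow while TCP answers promptly, the replies (four NS records plus their A glue, as the log shows) are being lost on the tunnel; the MTU loop then tells you how far to lower the MTU or the UDP packet size limit on the link.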

O365 Unlicensed product after password change. Need to automate.


Unlicensed product happens frequently ("Licensing and activation in Office 365 ProPlus: reduced functionality mode"). This happens every time a user changes their password. We use ADFS. The old credentials stay in Credential Manager, so the users get an unlicensed product error. To fix it we delete the cached credentials. Is there any way to prevent this from happening? No other Office is installed on the computers. The users are indeed licensed in the O365 portal. They are signed in using a domain account. It is fixed by deleting the cached credentials and running the ospp.vbs script. I am looking for a way to automate this process.
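An added PowerShell example, not part of the original post, that automates the manual fix the post describes: remove the stale Office and ADFS entries from the user's Credential Manager and report the licence state. It has to run in the affected user's own session (Credential Manager is per user), for example from a logon script after a password change. The target-name patterns and the Office path are assumptions for an Office 2016 / ProPlus install; the post does not say which ospp.vbs switch was used, so only the reporting switch `/dstatus` is run here.

```powershell
# Added example (not from the post): clear stale Office/ADFS credentials for the current
# user and report Office licensing state. Patterns and the Office path are assumptions.
$Patterns = 'MicrosoftOffice1*', 'adfs.*', 'login.microsoftonline.com'   # assumed targets
$Ospp     = "$env:ProgramFiles\Microsoft Office\Office16\ospp.vbs"        # assumed path

# cmdkey /list prints lines like "    Target: LegacyGeneric:target=<name>"; keep the <name>
$targets = cmdkey.exe /list |
    Where-Object { $_ -match '^\s*Target:\s*(.+)$' } |
    ForEach-Object { ($Matches[1].Trim() -split 'target=', 2)[-1] }

$removed = foreach ($name in $targets) {
    foreach ($p in $Patterns) {
        if ($name -like $p) {
            cmdkey.exe /delete:$name | Out-Null      # removes the stored (old-password) credential
            $name
            break
        }
    }
}
'Removed {0} stored credential(s): {1}' -f @($removed).Count, ($removed -join ', ')

# Licence state after cleanup; Office prompts for the new password on its next sign-in
if (Test-Path $Ospp) { cscript.exe //nologo $Ospp /dstatus }
```

Run `cmdkey /list` on an affected machine first and adjust `$Patterns` to the entries that actually appear there, so the script does not remove credentials unrelated to Office.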

Enable Active Directory Recycle Bin


Dear all,

I have two domain controllers (DC1, DC2).

DC1 has the RID, PDC and Infrastructure roles.

DC2 has the Schema Master and Domain Naming roles.

On DC1 I can open AD Administrative Center, but when I click on Enable AD Recycle Bin I get the error below.

Enable-ADOptionalFeature : Unable to contact the server. This may be because this server does not exist, it is
currently down, or it does not have the Active Directory Web Services running.

I tried many things but nothing helped me (I get the same error when using PowerShell).

On DC2, when I try to open AD Administrative Center I get the error below:

cannot connect to any domain try again when the connection is available

I can ping the names of each server; all DNS settings are correct.

If anyone has faced the same problem and solved it, kindly reply to me.
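Both tools in the post (AD Administrative Center and Enable-ADOptionalFeature) talk to Active Directory Web Services, and enabling the Recycle Bin has to be done against the domain naming master, which is DC2 here. The added PowerShell example below, not part of the original post, checks the ADWS service and its port on every DC and then runs the enablement explicitly against the naming master. It assumes the ActiveDirectory module and RPC access to the DCs for `Get-Service`; nothing else is assumed.

```powershell
# Added example (not from the post): verify ADWS on every DC, then enable the Recycle Bin
# against the domain naming master (the DC Enable-ADOptionalFeature must reach).
Import-Module ActiveDirectory
$forest = Get-ADForest

# 1. ADWS must be running on, and reachable on TCP 9389 at, the DC the cmdlets talk to
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $svc  = Get-Service -ComputerName $dc -Name ADWS -ErrorAction SilentlyContinue
    $port = Test-NetConnection -ComputerName $dc -Port 9389 -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-30} ADWS: {1,-8} TCP 9389: {2}' -f $dc, $(if ($svc) { $svc.Status } else { 'missing' }), $port
}

# 2. Preconditions: forest functional level 2008 R2 or higher; enabling cannot be undone
'Forest mode: {0}; domain naming master: {1}' -f $forest.ForestMode, $forest.DomainNamingMaster

# 3. Enable, explicitly targeting the naming master rather than whichever DC was discovered
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain -Server $forest.DomainNamingMaster -Confirm:$false

# 4. Confirm it took
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $forest.DomainNamingMaster).EnabledScopes
```

If step 1 shows ADWS stopped or port 9389 closed on DC2, that is the cause of both error messages in the post; start the service (and check the Windows Firewall rule for it) before retrying step 3.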

Roaming User Profile Not Completely Synchronized on Windows Server 2016


I've set up a little test domain, as I am an intern at a corporation and we have to set up these servers throughout our internship so the people we work for know we are ready for the exam when that time comes. I've set the profile path for the users to \\Server\profile$, but whenever I try to log out or log in on one of the accounts I've made I get the message "Roaming User Profile Not Completely Synchronized". I'm not sure why I get this message, but everything I do and save on the server from the users does get saved on the server. I think I get the error message because of some bug. Has anyone experienced anything like this before? Thanks in advance.

-RBye1

lastLogonTimestamp shows future date - showobjmeta shows f191c38d-bdea-4cb4-862d-24ed6f996ed1 instead of DC name


I have several machines that show a last logon in the future.

I ran repadmin /showobjmeta DC "OU Paths" > temp.txt and the output for the DC looks like a GUID.

Loc.USN   Originating DSA                        Org.USN  Org.Time/Date        Ver  Attribute
38623490  f191c38d-bdea-4cb4-862d-24ed6f996ed1   3555424  2032-04-21 08:22:12  78   lastLogonTimestamp

It should be something like:

38623490  City\DCNAME                            3555424  2018-10-03 08:22:12  78   lastLogonTimestamp

Is there a way to get AD to report this correctly?



- LZ
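repadmin prints the originating DSA as a raw invocation ID when it cannot match that ID to a current NTDS Settings object (a DC that was removed, or one whose invocation ID changed after a restore); a future originating date means the DC that wrote the value had its clock wrong at the time. The added PowerShell example below, not part of the original post, lists computers whose lastLogonTimestamp is in the future, maps the GUID from the post against every DC's current invocation ID, and ends with the clock comparison across DCs. It assumes the ActiveDirectory module; the GUID is the one from the post.

```powershell
# Added example (not from the post): find future lastLogonTimestamp values, map a repadmin
# invocation ID to an NTDS Settings object if one still exists, and compare DC clocks.
Import-Module ActiveDirectory
$now = Get-Date

# 1. lastLogonTimestamp is a FILETIME; anything later than now was written with a bad clock
Get-ADComputer -Filter * -Properties lastLogonTimestamp |
    Where-Object { $_.lastLogonTimestamp -and [DateTime]::FromFileTime($_.lastLogonTimestamp) -gt $now } |
    Select-Object Name, @{ n = 'lastLogonTimestamp'; e = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } |
    Format-Table -AutoSize

# 2. Each DC's NTDS Settings object carries its invocationId; build GUID -> DC name
$cfg  = (Get-ADRootDSE).configurationNamingContext
$map  = @{}
Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=nTDSDSA)' -Properties invocationId |
    ForEach-Object {
        $guid = [Guid]::new([byte[]]$_.invocationId)
        $map[$guid.ToString()] = (($_.DistinguishedName -split ',')[1] -replace '^CN=')   # server name
    }

$unknown = 'f191c38d-bdea-4cb4-862d-24ed6f996ed1'      # from the post
if ($map.ContainsKey($unknown)) { "Originating DSA: $($map[$unknown])" }
else { "Invocation ID $unknown matches no current NTDS Settings object (retired or restored DC)" }

# 3. Clock offsets of every DC relative to the PDC emulator
w32tm.exe /monitor
```

lastLogonTimestamp is system-maintained and not writable, so the bad value stays until the machine logs on again after the attribute's refresh interval has passed, at which point a DC with a correct clock overwrites it; the clock check in step 3 is what prevents the next round.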



Do I have a disjointed Domain


My domain FQDN is domain.domaindumb.com and my NetBIOS domain is domain. Do I have a disjoint domain?

The link below says: "NetBIOS name of domain controller differs from subdomain of its DNS domain name: The NetBIOS domain name of the domain controller isn't the same as the subdomain of the DNS domain name of that domain controller."

Disjoint namespace scenarios

https://technet.microsoft.com/en-us/library/bb676377%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396#View

HOSTNAME is the name of the DC

USERDNSDOMAIN=DOMAIN.DOMAINDUMB.COM
USERDOMAIN=DOMAIN
USERDOMAIN_ROAMINGPROFILE=DOMAIN
USERNAME=noob
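The two conditions the linked article treats as a disjoint namespace can be checked directly on a member machine. The added PowerShell example below, not part of the original post, reads the AD domain's DNS and NetBIOS names, the computer's primary DNS suffix from the TCP/IP registry key, and evaluates both conditions; with the values shown in the post (domain.domaindumb.com / DOMAIN) both come out false. It assumes the ActiveDirectory module and nothing else.

```powershell
# Added example (not from the post): the checks that define a disjoint namespace, run on a
# member machine. Expected values for the post's domain: domain.domaindumb.com / DOMAIN.
Import-Module ActiveDirectory
$ad    = Get-ADDomain
$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$primarySuffix = $tcpip.'NV Domain'                 # this computer's primary DNS suffix
$firstLabel    = ($ad.DNSRoot -split '\.')[0]       # "domain" for domain.domaindumb.com

[pscustomobject]@{
    'AD domain DNS name'                  = $ad.DNSRoot
    'AD domain NetBIOS name'              = $ad.NetBIOSName
    'Computer primary DNS suffix'         = $primarySuffix
    'Computer domain (WMI)'               = $cs.Domain
    # Scenarios 1 and 2 in the linked article: primary DNS suffix differs from the domain's DNS name
    'Disjoint: suffix <> domain DNS name' = ($primarySuffix -ne $ad.DNSRoot)
    # Scenario 3 in the linked article: NetBIOS name differs from the first label of the DNS name
    'Disjoint: NetBIOS <> first label'    = ($ad.NetBIOSName -ne $firstLabel)
} | Format-List
```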

Domain network connection is detected as Public


Hi,

I disabled the Hyper-V virtual switch option "Allow management operating system to share this connection" to have a dedicated physical network adapter for my virtual guest, a 2012 R2 domain controller. But after that, on the domain my network connection is treated as "Public", not "Domain". I tried to change this using the command:

"Set-NetConnectionProfile -InterfaceAlias Ethernet -NetworkCategory Domain"

but I get the error: "Unable to set NetworkCategory to 'DomainAuthenticated'. This NetworkCategory type will be set automatically when authenticated to a domain network."

I already asked in the Hyper-V forum but did not get any help. Please help.


Zombie AD DC appearing in dfsrmig process


A long time ago we had a specific DC removed by an inexperienced admin, so we had to remove all related objects manually using the Sites and Services tool, making sure that all old objects were also removed, like deleting DNS records and also going through the ntdsutil metadata cleanup procedure.

So now I'm migrating from FRS to DFS-R and the migration tool is showing references to the old (and previously removed) AD DC:

dfsrmig /getMigrationState

The following Domain Controllers are not in sync with Global state ('Redirected'):

Domain Controller (Local Migration State) - DC Type
===================================================

OLD_SERVER_NAME ('Start') - Writable DC

OTHER1 ('Start') - Writable DC

OTHER2 ('Start') - Writable DC

Where the heck is this reference coming from?

As far as I know, this old server never had a DFS Namespace, and maybe it had DFS Replication for file services purposes, but anyway, why are these old references there if we got rid of this old DC a long time ago? (Now we have Win2008R2, Win2012R2 and Win2016, but at the time of the removal of this old DC there was only Win2008R2.)

NETDOM QUERY DC also shows the name of this old server...

SYSVOL replication unknown server


I noticed that we have two unknown servers in our SYSVOL replication and I was wondering where it is possible to remove the two unknown servers. I haven't found any documentation that explains how to do it.
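Both this post and the dfsrmig post above come down to the same thing: leftover objects that still carry a retired DC's name in the containers dfsrmig, DFS Management and `netdom query dc` read DC membership from. The added PowerShell example below, not part of either post, lists every object in those four containers and flags any name that is not a current domain controller. It is read-only; it assumes the ActiveDirectory module and the standard locations of the SYSVOL replication objects, and `OLD_SERVER_NAME` from the post is simply whatever turns up flagged.

```powershell
# Added example (not from the posts): find stale DC references in the containers that
# dfsrmig, DFS Management and netdom read. Read-only.
Import-Module ActiveDirectory
$dnc     = (Get-ADDomain).DistinguishedName
$cfg     = (Get-ADRootDSE).configurationNamingContext
$current = (Get-ADDomainController -Filter *).Name

# container -> (search base, filter); member objects in each are named after the DC
$places = [ordered]@{
    'Domain Controllers OU'  = @("OU=Domain Controllers,$dnc", '(objectClass=computer)')
    'Sites (server objects)' = @("CN=Sites,$cfg", '(objectClass=server)')
    'DFSR SYSVOL topology'   = @("CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$dnc", '(objectClass=msDFSR-Member)')
    'FRS SYSVOL member set'  = @("CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$dnc", '(objectClass=nTFRSMember)')
}

foreach ($name in $places.Keys) {
    $base, $filter = $places[$name]
    try {
        $objs = Get-ADObject -SearchBase $base -LDAPFilter $filter -SearchScope Subtree -ErrorAction Stop
    } catch {
        '{0,-24} container not present ({1})' -f $name, $base
        continue
    }
    foreach ($o in $objs) {
        $state = if ($o.Name -in $current) { 'ok' } else { 'STALE: not a current DC' }
        '{0,-24} {1,-20} {2}   {3}' -f $name, $o.Name, $state, $o.DistinguishedName
    }
}
```

A flagged `msDFSR-Member` or `nTFRSMember` object is what shows as an unknown server in SYSVOL replication and as a DC stuck at 'Start' in `dfsrmig /getMigrationState`; a flagged computer or server object is what `netdom query dc` is listing. Remove only the flagged objects (after confirming no current DC shares the name), let replication converge, then re-run `dfsrmig /getMigrationState`.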

    

Access denied trying to add a computer alias


Hello,

Running netdom computername <COMPUTER> /add:<ALIAS> as a domain admin I get "Access denied". I have verified the user has full control on msDS-AdditionalDnsHostName for <COMPUTER>.

What puzzles me is that the DNS entry is not created, but netdom computername <COMPUTER> /enum shows <ALIAS> in the name list, while msDS-AdditionalDnsHostName is set to <none> (I don't know what value it must hold after a successful /add).

netdom computername drogon /add:drogon1.domain.local
Unable to add drogon1.domain.local
as an alternate name for the computer.
The error is:
Access is denied.
The command failed to complete successfully.

netdom computername drogon /enum
All of the names for the computer are:
drogon.domain.local
drogon1.domain.local
The command completed successfully.

Thank you in advance.
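After a successful `/add`, msDS-AdditionalDnsHostName holds the alias FQDN. The added PowerShell example below, not part of the original post, writes the three things an alias needs (the attribute, HOST SPNs so Kerberos can issue tickets for the alias, and a DNS record) with the AD and DNS cmdlets, then reads them back. netdom remains the supported way to add an alias because it also updates the computer itself; the direct write is useful here to separate a permission problem on the attribute from something else in netdom's sequence. Names are the ones from the post; the DNS server is an assumption.

```powershell
# Added example (not from the post): add a computer alias with the AD/DNS cmdlets and verify
# attribute, SPNs and DNS. Computer and alias names are from the post; DNS server is assumed.
Import-Module ActiveDirectory
$Computer  = 'drogon'
$Alias     = 'drogon1.domain.local'
$ZoneName  = 'domain.local'
$DnsServer = 'dc1.domain.local'      # assumed: a DC hosting the zone
$short     = ($Alias -split '\.')[0]

# 1. The attribute netdom writes; after a successful /add it holds the alias FQDN
Set-ADComputer -Identity $Computer -Add @{ 'msDS-AdditionalDnsHostName' = $Alias }

# 2. SPNs for the alias, otherwise clients using the alias cannot get a Kerberos ticket
Set-ADComputer -Identity $Computer -ServicePrincipalNames @{ Add = "HOST/$Alias", "HOST/$short" }

# 3. DNS: a CNAME pointing at the computer's real host name
$c = Get-ADComputer -Identity $Computer -Properties dNSHostName, 'msDS-AdditionalDnsHostName', servicePrincipalName
Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $ZoneName -Name $short -HostNameAlias $c.dNSHostName

# 4. Read back, and check that no other account claims the same SPN (a duplicate SPN breaks
#    Kerberos for both accounts, and an SPN on the wrong account lets that account receive
#    tickets meant for this host)
'Additional names: ' + ($c.'msDS-AdditionalDnsHostName' -join ', ')
'Alias SPNs      : ' + (($c.servicePrincipalName | Where-Object { $_ -like "*/$Alias" -or $_ -like "*/$short" }) -join ', ')
setspn.exe -X
```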

domain name in windows server 2012 R2


Hi

Can we create abc.local as the domain name while installing Active Directory?


Arvind

SASL GSS-API Integrity


Any idea what this error means? I am seeing the error using Wireshark on a desktop that's a domain member. The error happens after Netlogon starts.

Lightweight Directory Access Protocol
    SASL Buffer Length: 133
    SASL Buffer
        GSS-API Generic Security Service Application Program Interface
        GSS-API payload (60 bytes)
            LDAPMessage
                BER Error: Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected
                    [Expert Info (Warning/Malformed): BER Error: Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected]
                        [BER Error: Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected]
                        <Message: BER Error: Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected>
                        [Severity level: Warning]
                        [Group: Malformed]
                    <Malformed Packet>



Maximum Password length

I was trying to set the maximum password length for user accounts in AD. I know I can set the minimum password length using a GPO, but is there a way I can set both a maximum and a minimum password length for a user? For instance, I want the minimum password length to be 3 and the maximum to be 20.
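AD password policy, whether set in the Default Domain Policy or in a fine-grained password policy, exposes a minimum length and no maximum; the first line of the added PowerShell example below, not part of the original post, lists the policy settings that exist so this can be verified. The rest shows the per-user mechanism the post asks about: a fine-grained policy applied to a group, and the resultant policy for one user. The group and user names are placeholders, and the minimum of 3 is the value from the post, far below any common baseline.

```powershell
# Added example (not from the post): a fine-grained password policy applied per group.
# 3 is the minimum length from the post; the group and user names are placeholders.
Import-Module ActiveDirectory

# Every password-related setting a policy can carry: MinPasswordLength, no maximum
(Get-Command New-ADFineGrainedPasswordPolicy).Parameters.Keys | Where-Object { $_ -like '*Password*' }

$Policy = 'PSO-Lab-ShortPasswords'
New-ADFineGrainedPasswordPolicy -Name $Policy -Precedence 10 `
    -MinPasswordLength 3 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00'

# PSOs apply to users and global groups, not OUs; lowest Precedence wins when several apply
Add-ADFineGrainedPasswordPolicySubject -Identity $Policy -Subjects 'Lab Users'     # placeholder group

# What one user actually ends up with after PSO and Default Domain Policy are resolved
Get-ADUserResultantPasswordPolicy -Identity 'someuser' | Select-Object Name, Precedence, MinPasswordLength
```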

Resolve NetBIOS Domain\SUFFIX???


I am unable to resolve my NetBIOS (I think) domain. My lovely FQDN is domain.domaindumb.com. nslookup for the FQDN resolves. nslookup of domain resolves. Am I able to resolve domain because I'm using DNS? How is that so? I have zero "Append these DNS suffixes". Do I need two search suffixes? No WINS.

Client DHCP - WITH ERR, please help :)

"Append primary and secondary DNS suffix" and "Append parent" are checked.

"Register this connection's DNS suffix" is checked.

Append these DNS suffixes (in order) - NOTHING??

>nslookup domain

my 4 DCs show up... 192.168.2.0/20

ping domain replies 4 times from a good IP

primary DNS suffix is domain.domaindumb.com

userdomain=domain

userdnsdomain=domain.domaindumb.com

C:\Users\jbob00>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : 000-win10
   Primary Dns Suffix  . . . . . . . : domain.domaindumb.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.domaindumb.com

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : domain.domaindumb.com
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-0C-29-F3-B8-F5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.33.77(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Lease Obtained. . . . . . . . . . : Friday, September 28, 2018 3:58:04 PM
   Lease Expires . . . . . . . . . . : Friday, October 5, 2018 3:58:04 PM
   Default Gateway . . . . . . . . . : 192.168.32.1
   DHCP Server . . . . . . . . . . . : 192.168.32.1
   DNS Servers . . . . . . . . . . . : 192.168.2.104
                                       192.168.2.105
                                       192.168.2.61
   NetBIOS over Tcpip. . . . . . . . : Enabled

ipconfig from the server is the same as above but IP 192.168.2.0/20 - 255.255.240.0 and static.

I get access denied to \\10.2.115.251\printers (member server, different subnet) from a Win10 box as domain\jbob00, which has read access in both spots.

Wireshark shows:

NT Status: STATUS_NO_LOGON_SERVERS (0xc000005e)
        Command: Session Setup (1)
        Credits granted: 1
        Flags: 0x00000001, Response
        Chain Offset: 0x00000000
        Message ID: Unknown (2)
        Process Id: 0x0000feff
        Tree Id: 0x00000000
        Session Id: 0x0000d0017400005d Acct:jbob00 Domain:DOMAIN Host:000-WIN10
        Signature: 00000000000000000000000000000000
        [Response to: 1309]
        [Time from request: 0.031240000 seconds]
    Session Setup Response (0x01)
        StructureSize: 0x0009
        Session Flags: 0x0000
        Blob Offset: 0x00000000
        Blob Length: 0
        Security Blob: <MISSING>: NO DATA
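The symptom in this post and the one in "Domain network connection is detected as Public" above share a root: whether a machine can locate and authenticate to a domain controller. NLA assigns the Domain profile only after the DC locator succeeds, which is why Set-NetConnectionProfile refuses to set it by hand; and a share opened by IP address gives Kerberos no name to build an SPN from, so the client falls back to NTLM, the member server has to pass that logon through to a DC, and STATUS_NO_LOGON_SERVERS is the member server reporting that it could not. The added PowerShell example below, not part of either post, runs the checks for both; the domain name and file server IP are the ones in this post.

```powershell
# Added example (not from the posts): DC locator, SRV record, network profile and
# name-vs-IP share access checks. Domain and file server IP are from the post.
$Domain     = 'domain.domaindumb.com'
$FileServer = '10.2.115.251'

# 1. DC locator and secure channel (1311 = ERROR_NO_LOGON_SERVERS; the locator found nothing)
nltest.exe /dsgetdc:$Domain /force       # which DC, which site, and the flags it answered with
nltest.exe /dsgetsite                    # the site this client maps to (needs a subnet object)
nltest.exe /sc_verify:$Domain            # secure channel state of this machine account

# 2. The SRV records the locator depends on, resolved through the configured DNS servers
foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    Resolve-DnsName -Name $rec -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget, Port
}

# 3. Network profile. NLA re-evaluates it after a successful locator run; restarting NlaSvc
#    forces a re-evaluation without a reboot.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
# Restart-Service -Name NlaSvc -Force

# 4. Share access by IP (NTLM pass-through on the file server) versus by FQDN (Kerberos end to end)
$fqdn = (Resolve-DnsName -Name $FileServer -Type PTR -ErrorAction SilentlyContinue).NameHost
foreach ($target in @($FileServer, $fqdn) | Where-Object { $_ }) {
    '{0,-40} accessible: {1}' -f "\\$target\printers", (Test-Path -Path "\\$target\printers")
}
klist.exe | Select-String -Pattern 'Server:'     # a cifs/<fqdn> ticket appears only for the FQDN path
```

If the FQDN path works and the IP path does not, the client is fine and the problem is the member server's own path to a DC (its DNS servers, its site/subnet mapping, or a firewall between its subnet and the DCs), which is where the STATUS_NO_LOGON_SERVERS in the capture is generated.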


What is a replicated "constructed attribute"?


Hi,

As per the definition, for a "constructed attribute" in AD its value is generated on the fly when a client requests it. But some constructed attributes, like tokenGroupsGlobalAndUniversal, are replicated. Then what does it mean if a constructed attribute is replicated?

Thanks,

Lokesh
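Whether an attribute is constructed and whether it is replicated are two separate bits in its attributeSchema object's systemFlags (0x4 FLAG_ATTR_IS_CONSTRUCTED, 0x1 FLAG_ATTR_NOT_REPLICATED), and a constructed value is computed by the answering DC at query time and stored nowhere, so there is never anything of it to replicate. The added PowerShell example below, not part of the original post, reads those flags for a few attributes including tokenGroupsGlobalAndUniversal so the question can be settled against the schema, and then shows that a constructed attribute has to be requested by name (LDAP's `*` does not return it). It assumes the ActiveDirectory module; the user name at the end is a placeholder.

```powershell
# Added example (not from the post): decode constructed/replicated flags from the schema,
# then fetch a constructed attribute explicitly. The user name is a placeholder.
Import-Module ActiveDirectory
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$FLAG_ATTR_NOT_REPLICATED = 0x1      # ADS_SYSTEMFLAG_ATTR_NOT_REPLICATED
$FLAG_ATTR_IS_CONSTRUCTED = 0x4      # ADS_SYSTEMFLAG_ATTR_IS_CONSTRUCTED

function Get-AttributeReplicationInfo {
    param([string[]]$Name)
    foreach ($n in $Name) {
        $a = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$n))" `
                          -Properties systemFlags, isMemberOfPartialAttributeSet
        if (-not $a) { Write-Warning "$n is not in the schema"; continue }
        $flags       = [int]$a.systemFlags
        $constructed = [bool]($flags -band $FLAG_ATTR_IS_CONSTRUCTED)
        [pscustomobject]@{
            Attribute       = $n
            Constructed     = $constructed
            # a constructed value is never stored, so there is nothing to replicate
            Replicated      = (-not $constructed) -and (-not ($flags -band $FLAG_ATTR_NOT_REPLICATED))
            InGlobalCatalog = [bool]$a.isMemberOfPartialAttributeSet
        }
    }
}

Get-AttributeReplicationInfo tokenGroups, tokenGroupsGlobalAndUniversal, canonicalName, lastLogon, lastLogonTimestamp, badPwdCount |
    Format-Table -AutoSize

# Constructed attributes must be named explicitly; the DC that answers computes the value
# from the group memberships it holds, so different DCs can legitimately differ.
$u = Get-ADUser -Identity 'someuser' -Properties tokenGroupsGlobalAndUniversal
foreach ($sid in $u.tokenGroupsGlobalAndUniversal) {
    $s = if ($sid -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($sid, 0) } else { $sid }
    try { $s.Translate([System.Security.Principal.NTAccount]).Value } catch { $s.Value }
}
```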

Extending AD Schema with custom attributes


Hi,

We currently have a few custom attributes in our Windows Server 2016 AD. Now we are trying to extend the AD schema to install Exchange 2016. Will it affect the current custom attributes in AD when extending the AD schema?

Regards

Irfan
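Schema extensions are additive: Exchange setup adds its own classes and attributes and cannot change the syntax of ones that already exist, so an existing custom attribute is only at risk if it shares an lDAPDisplayName or OID with something Exchange wants to create. The added PowerShell example below, not part of the original post, is the check a practitioner runs around the extension: snapshot the custom attributes before `setup /PrepareSchema`, then diff after. It assumes the ActiveDirectory module and that the custom attributes were created under one OID prefix, which is a placeholder here.

```powershell
# Added example (not from the post): snapshot custom schema attributes before an Exchange
# schema extension and diff afterwards. The OID prefix and snapshot path are assumptions.
Import-Module ActiveDirectory
$schemaNc        = (Get-ADRootDSE).schemaNamingContext
$CustomOidPrefix = '1.2.840.113556.1.8000.2554.'     # assumed: prefix the custom attributes were created under
$Snapshot        = 'C:\schema-before.xml'
$props = 'lDAPDisplayName', 'attributeID', 'attributeSyntax', 'oMSyntax', 'isSingleValued',
         'searchFlags', 'systemFlags', 'isMemberOfPartialAttributeSet'

function Get-CustomAttributeSchema {
    # attributeID has OID syntax, which has no substring matching, so filter client-side
    Get-ADObject -SearchBase $schemaNc -LDAPFilter '(objectClass=attributeSchema)' -Properties $props |
        Where-Object { $_.attributeID -like "$CustomOidPrefix*" } |
        Select-Object $props | Sort-Object lDAPDisplayName
}

if (-not (Test-Path $Snapshot)) {
    # first run: before setup /PrepareSchema
    $before = Get-CustomAttributeSchema
    $before | Export-Clixml -Path $Snapshot
    'Saved baseline of {0} custom attributes to {1}' -f @($before).Count, $Snapshot
} else {
    # second run: after the extension
    $before = Import-Clixml -Path $Snapshot
    $after  = Get-CustomAttributeSchema
    $diff   = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property $props
    if ($diff) { $diff | Format-Table -AutoSize } else { 'All {0} custom attributes unchanged' -f @($after).Count }
}

# The version Exchange stamps, to confirm the extension actually ran
try { (Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNc" -Properties rangeUpper).rangeUpper }
catch { 'Exchange schema not present yet' }
```

The Clixml snapshot keeps the flags an attribute was created with (searchFlags for indexing, isMemberOfPartialAttributeSet for GC replication), which is what a later change would most plausibly touch, so the diff is on those rather than on the attribute list alone.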

Different AD and Exchange domain with same forest


Hi,

Root domain:  abc.com

Child domain 1 : abc1.com

Child domain 2 : abc2.com

Is it possible to keep the AD accounts in abc1.com and the mailboxes of those accounts in abc2.com Exchange?

Thank you.
