Channel: Directory Services forum
Viewing all 31638 articles

KCC could not add this Replica Link due to error

In the process of migrating DCs to new hardware. I have two Windows 2008 R2 DCs on older servers, one Windows 2012 R2 VM DC on Hyper-V, and one Windows 2012 R2 DC on a new server. All was working well for several weeks. Four days ago, after a network outage on the new DC, I started getting replication errors. I noticed DNS on the new server was not populating and the server was in the wrong time zone (we don't use DST). I corrected the time zone, reset that machine's password using netdom resetpwd, and rebooted. DNS is now working but replication is not. Ran DCDiag and everything passes except for:

From GoodDC02 to BadDC3
            Naming Context: DC=ourdomain,DC=com
            The replication generated an error (8453):
            Replication access was denied.
            The failure occurred at 2018-11-13 09:46:03.
            The last success occurred at 2018-11-09 09:59:37.
            98 failures have occurred since the last success.
            The machine account for the destination BadDC3.
            is not configured properly.
            Check the userAccountControl field.
            Kerberos Error.
            The machine account is not present, or does not match on the.
            destination, source or KDC servers.
            Verify domain partition of KDC is in sync with rest of enterprise.
            The tool repadmin/syncall can be used for this purpose.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source GoodDC02
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.

I can ping between all DCs using IP address, name, or GUID. When I run repadmin /showreps, all the other DCs are replicating but BadDC3 shows "KCC could not add this Replica Link due to error" and "error 8453 Access was denied". I followed the ADSI Edit articles: BadDC3 has delegation, DNS is set the same as on the other DCs, and userAccountControl shows 0x82000 (Server_Trust_Anchor|Trusted_For_Delegation) on all servers. In AD Sites and Services I see two connectors between each domain controller: GoodDC01 connected to GoodDC03 and BadDC3, GoodDC02 connected to GoodDC03 and BadDC3, GoodDC03 connected to GoodDC01 and GoodDC02, except for BadDC3, which is connected to GoodDC01, GoodDC02, and GoodDC03. After two days I do not know what to look for.

Thoughts?


eburch@lasertel.com


Moving Azure AD Connect to new server

Hi there, I'm having trouble finding Microsoft documentation on how to do this. We're decommissioning the last of our Server 2008 R2 DCs. It holds all of our FSMO roles. We've been moving to Server 2016 (although our domain functional level will only go up to Server 2012 R2). I've done a number of migrations of DCs in the past but can't find detailed steps on how to move Azure AD Connect, with its existing settings, over to the new server once I decommission the old one.

The new DC will have the same IP as the old DC, but not the same name. I'll be moving the FSMO roles back to it.

When you run Azure AD Connect, there's an option to view current configuration, but from what I've read online, that's not a complete collection of the settings. There doesn't appear to be a feature to export all the settings and import them into the new server, for example.

We have a single domain in a single forest, currently running at a Server 2008 R2 functional level.

I didn't set up the existing connection and so at the moment don't have a lot of details on how it was configured, other than what is shown under 'view current configuration.' I do know we have a pretty basic setup. We're not using AD FS. We don't use Exchange. It's basically just doing a scheduled sync of our directory and that's it. This is for Office 365 and not Azure-based VMs; our Azure portal shows Federation, SSO, and pass-through authentication all disabled.

Also, when I run the Synchronization Service Manager utility and look under 'Connectors', there is a 'Sync_xxxxxx' account and password there that I understand is system generated. Does installing Azure AD Connect on the new DC automatically enter the account settings there as well?

Thanks in advance,

Syd


problem with the time

Hi,

I am using Windows Server 2012 and I have been facing a time problem. My clients sync with my DC, and I had set up a GPO policy to force clients to sync time with the DC, but now they always show the time 10 - 20 minutes ahead. For the DC I had set up NTP, but why does it always show the wrong time? The DC is a virtual machine.

All replies will be appreciated.

Thanks

Unable to modify SELF's SPNs and DNS

I'm using realmd v0.16.2-2 and sssd v1.13.4 on Ubuntu 16.04 to join a Linux server to an AD domain. It successfully creates the computer account, but then it can't modify some important attributes of it:

! Insufficient permissions to set encryption types on computer account: CN=foo,OU=bar,DC=EXAMPLE,DC=COM: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

! Couldn't set dNSHostName on computer account: CN=foo,OU=bar,DC=EXAMPLE,DC=COM: Constraint violation

! Couldn't set service principals on computer account CN=foo,OU=bar,DC=EXAMPLE,DC=COM: 0000200B: AtrErr: DSID-033E0E75, #1:
        0: 0000200B: DSID-033E0E75, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)

I think I don't care about the first two errors; I'm just including them for completeness. The third is the problem.

I don't think this is a permissions problem. Looking in Active Directory Users and Computers, under effective permissions, I see that SELF has permission for validated write to SPNs. Also, the user account that I used to join the computer has those permissions. And if it were purely a permission problem, I'd expect something other than this obscure 033E0E75 error code. Does anybody know what that means?

adprep error adding windows 2016 DC

Hi people, I have a Windows 2008 R2 domain and I want to add a Windows 2016 domain controller.

Running the Active Directory Domain Services Configuration Wizard on the 2016 box, it fails with the following error:

Adprep encountered an LDAP error. 
Error code: 0x1. Server extended error code: 0x20ef, Server error message: 000020EF: SvcErr: DSID-02080615, problem 5012 (DIR_ERROR), data -1414

Checking the log file, the error appears while executing this operation:

Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=54afcfb9-637a-4251-9f47-4d50e7021211,cn=Operations,cn=DomainUpdates,cn=System,DC=MyDomain,DC=corp.
[2018/12/07:18:12:56.569]
LDAP API ldap_search_s() finished, return code is 0x20 
[2018/12/07:18:12:56.569]
Adprep verified the state of operation cn=54afcfb9-637a-4251-9f47-4d50e7021211,cn=Operations,cn=DomainUpdates,cn=System,DC=MyDomain,DC=corp. 

[Status/Consequence]
The operation has not run or is not currently running. It will be run next.

Checking the CN of the error listed here https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/domain-wide-updates , it's listed as operation 79, "Created an access control entry for the TPM service". Apparently I have no access to perform the updates.

I'm running adprep manually on the 2008 R2 box with the same results, using Run as administrator with the domain admin account.

Any ideas how to fix it?




TeKi

SMTP Server IP Address

Where do I find the SMTP Server IP Address?

LDAP add fails with CONSTRAINT_VIOLATION instead of INSUFFICIENT_ACCESS or ACCESS_DENIED

I have a network trace wherein a computer account add in an OU failed with a CONSTRAINT_VIOLATION error, but I am unable to figure out which constraint it is failing on.

LDAPMessage addRequest(3) "cn=PHYSICSLAB934,OU=Other,OU=Lab,DC=HICCUPS,DC=COM"

#Attributes list
name: PHYSICSLAB934
sAMAccountName: PHYSICSLAB934$
userAccountControl: 4098
objectClass: top
objectClass: organizationalPerson
objectclass: user
objectClass: computer

The operation failed with error

LDAPMessage addResponse(3) constraintViolation (0000207C: AtrErr: DSID-031530E5, #1:	0: 0000207C: DSID-031530E5, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90001 (name))

I no longer have access to the AD server, so I have to figure out what went wrong at that time, and I wish to recreate the error on my test bed.

Where may I find the constraints for the 'name' attribute? And more details about the error codes?

Any pointers/suggestions?
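Two of the posts above turn on reading a userAccountControl bit field: the replication post quotes 0X82000 on the domain controllers, and the LDAP trace in this post carries userAccountControl: 4098 on the computer account being added. The following Python snippet is an added example, not code from either poster or from Microsoft. It decodes a userAccountControl value into its flag names using the documented bit values of the attribute, reports any bit it does not recognise rather than dropping it, and checks whether a DC's computer account carries the two flags a writable domain controller is expected to have (SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION) or any flag that would explain a replication failure (disabled, locked out, password expired). The two sample values are the ones quoted in the posts; the helper names are constructed for this example.

```python
# Decode Active Directory userAccountControl bit fields (added example).
# Flag values are the documented bits of the userAccountControl attribute.

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Flags a writable domain controller's computer account normally carries.
DC_EXPECTED = 0x00002000 | 0x00080000   # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
# Flags that would explain a replication "access denied" on their own.
DC_SUSPECT = 0x00000002 | 0x00000010 | 0x00800000   # disabled | locked out | password expired


def parse_uac(text):
    """Accept the forms seen in tool output: '0X82000', '0x82000', '4098'."""
    s = text.strip().lower()
    return int(s, 16) if s.startswith("0x") else int(s, 10)


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first.
    Any bit not in the table is reported as UNKNOWN_0x... so nothing is hidden."""
    names = []
    remaining = value
    for bit, name in sorted(UAC_FLAGS.items()):
        if value & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append("UNKNOWN_0x%X" % remaining)
    return names


def check_dc_account(value):
    """Classify a DC computer account's userAccountControl.
    Returns (ok, missing_expected_flags, suspect_flags_present)."""
    missing = [n for b, n in UAC_FLAGS.items() if DC_EXPECTED & b and not value & b]
    suspect = [n for b, n in UAC_FLAGS.items() if DC_SUSPECT & b and value & b]
    return (not missing and not suspect, missing, suspect)


if __name__ == "__main__":
    # Constructed input: the two values quoted in the forum posts.
    for raw in ("0X82000", "4098"):
        v = parse_uac(raw)
        ok, missing, suspect = check_dc_account(v)
        print("%-8s -> %s" % (raw, "|".join(decode_uac(v))))
        print("         DC account ok: %s  missing: %s  suspect: %s" % (ok, missing, suspect))
```

Run as a script, it shows that 0X82000 decodes to exactly the two DC flags (so the replication poster's userAccountControl check is consistent with a healthy DC), while 4098 is WORKSTATION_TRUST_ACCOUNT plus ACCOUNTDISABLE, the value a pre-staged computer account normally carries until a machine joins with it. Pasting a value from repadmin, ADSI Edit or an LDAP trace into parse_uac is the intended use.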




DFL/FFL new forest

Hi,

We are looking to promote a new forest.

Can you tell me what's the recommended DFL/FFL?

If my first domain controller is on Windows 2016, should I choose Windows 2016?


Cannot access Active Directory on Windows 2016 server

We installed a Windows Server 2016 standard on a network that had a failing Windows 2012 Small Business Server.  We made the new 2016 server a domain controller and a DNS server.  Our intention was to remove the 2012 server, reinstall the OS and add it back on as a 2nd domain controller.  Unfortunately, the server crashed shortly after we installed the new server and management decided not to do anything with it.

I've just noticed that we cannot access AD from our 2016 server.  It says it "can't find a domain controller" even though AD shows that it's running, and DNS is running as well.  My initial investigation into this problem indicated that it may be a DNS issue and that the server does not recognize itself as the DNS server (again, even though it's running).

I didn't want to remove the DNS role and re-add it until I investigated this further.

I have never experienced this before when adding a server to a network and then taking the old one off line.

Any ideas on what caused this and how to correct it?  I can't access Active Directory on the server, so I'm kind of "dead in the water" as far as AD management is concerned.

Thoughts???  jtingley@verizon.net

Can't Open User Profile

Dear all,

My colleague and I have domain admin privileges. On some domain computers, when my colleague remotely accesses a computer he can't open user profiles on that computer, but when I remotely access the same computer, I can open user profiles. I checked that the Domain Admins group exists in the local Administrators group. I added my colleague's account to the local Administrators group as a workaround, and then he could open user profiles. I'm a member of the enterprise group and the domain administrator group but he's not. What else can I do to fix this issue?

Thank you,

I configured the schedule to sync between domain controllers but it's not working

Well, the idea is to make one domain controller sync after 5 days, so that if anything goes wrong with the main ones, like a virus or corruption, we would still have one domain controller active that did not sync for 5 days.

I went to trust and sites and edited the schedule to sync for 6 hours on one day, but whenever I change anything in Active Directory it changes on all other servers, including the delayed one.

Did I get the schedule idea wrong? Is it for something else? Is there a missing step to make the idea work as expected?

EventAggregator for WAP messages received by SMS Router.

Hi,

In our domain controller I can see the following error several times a day. I have tried searching the internet, but have not found any suggestion as to what it is...

Comments ?


/Regards Andreas

Active Directory server is blocking Edge Browser and some updates.

Hi all,

We are using an AD server on Windows 2008 R2; all the client systems are Windows 10 PCs. With this setup we are facing some issues.

1. Edge browser is not working (no internet connection in the browser).

2. It is blocking McAfee anti-virus updates.

3. It is blocking Windows updates.

4. Office 365 activation and updates.

Whenever I remove the client from AD, all updates work.

I found a solution from Microsoft to allow MSOIDCRL on the proxy or firewall.

But I have not blocked any of these services myself.

Please suggest a solution.

AD DC promotion process

Hi Team,

What happens in the background when we click on promote domain controller in Server Manager? I know it creates NTDS and then SYSVOL, but is any detailed information on the process available?

thanks..

Instant Replication

Hi team,

Is it wise to make a change in ADSI Edit to enable instant replication between domain controllers?

Thanks


How to set password expiration notification for user launching directly RemoteApp

Hello,

I want to know how to set the expiry notification for users who launch a RemoteApp directly from their desktop. Users are accessing RemoteApps through the "RemoteApp and Desktop Connection" tool from their workstation. If a user's password expires in 14 days they usually get the notification if they connect directly to the terminal server, but since they only connect to the RemoteApp from their desktops, how can they get the expiry notification, and is there a way to set up a link to change the password while launching the RemoteApp?

Please let me know your thoughts


Shekar-Technet


Service trusted for delegation

Hello,

I have an application that wants to use a specific protocol for authentication, and I want to know the risk of using "Trust this user for delegation services to specified services only" and "Use any authentication protocol" with the CSS service!




And if we have chosen "Trust this user for delegation services to specified services only" and "Use any authentication protocol", does that mean that all of the protocols will be allowed, or just the ones that I have chosen in the services table?

Active Directory Web Services has resumed checking if the computer is a global catalog error

Hi,

I have two Server 2016 domain controllers; the second one is an additional DC. I'm getting the following error on the additional DC:

Active Directory Web Services has resumed checking if the computer is a global catalog server.

Note that I'm not getting this error on the primary domain controller, and replication is occurring between the domain controllers.  Any help would be appreciated. Thanks

Delegation tab is missing for user account in AD

Hi All,

I have a service account on which the delegation tab is missing. I've checked and found that an SPN needs to be set for that account to get the delegation features, but this account is not associated with a SQL service. Is it possible to create an SPN for this account without specifying any service in it?

Thanks in advance.


vicky

pwdLastSet attribute changed after setting user account as password never expires

Hi Team,

The pwdLastSet attribute changed after setting the user account as password never expires.

Please help to understand why it is changed.

Regards,
Mahadev Nitture

