Channel: Directory Services forum

Domain/User Profile Log In Unknown


A computer at our office was logged off, which isn't abnormal; however, the person who tried logging in next typed in a different directory/domain, because now the receptionist can't log in to her normal user profile (which is connected to our company domain and server). Also, she doesn't remember what the pathway was when she typically logged in, saying she never paid attention to it, but would just enter her password.

Does anyone know how to figure this out?


How do I manually remove an ADLDS replica host from the instance configuration when the server is gone for good?

How do I manually remove an ADLDS replica host from the instance configuration when the server is gone?

Add attribute through commandline in Active Directory


I am migrating from OpenLDAP to Active Directory. I was wondering if there is a command-line command (in the Windows command prompt, not PowerShell) to add attributes to the Active Directory schema.

At the moment I can only add attributes through the Active Directory Schema snap-in in mmc /a, but as I have a lot of attributes I'm searching for a command-line solution.

Simulating Time Movement


Hi,

Is there any software solution for simulating time and date movement in an Active Directory environment?

I'm aware of Time Machine but it doesn't seem to work properly.

We would need to be able to change to any time and date on our DC and servers without authentication or services crash issues afterward.

Domain accounts on XP very rarely able to setup Outlook for Exchange, local accounts are fine


Hi,

I was sent here from the Exchange forums.

The original thread is: http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/ea798a34-d009-4158-a50d-05b494e8c718/

It would be great if someone could take a look at this very weird issue and point me into the right direction or suggest some way to debug that.

Thanks for reading!

I have 2 fresh installs of windows server 2012. One has the DC role, the other one is domain member + exchange.

The active directory was just setup in order to be able to install exchange, so nothing was configured manually apart from the installation process.

All user accounts in active directory have been created by exchange in the process of adding new mailboxes.

The weird thing is that local user accounts have no problems setting up an Outlook profile for Exchange, while domain accounts are struggling.

Even more weird is that the very first domain user account logging in per workstation is able to complete setup outlook -> exchange.

Once this is done and the user has logged out, no one else logging in on that workstation is able to set up an (the first) Outlook profile for Exchange anymore.

After the autodiscover process (the second checkmark) succeeds, when Outlook uses the username (=primary smtp address) + password for the first time to complete the setup of the profile, an error appears: "The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action."

I've tried that with 3 different, freshly installed Windows XP SP3 Clients.

I used a different user account when logging in for the first time after domain join on either of them. All of these accounts were able to complete the Outlook setup wizard. While the next account on the same workstations wasn't able to.

It's like that: 3 accounts: user1,user2,user3 and workstation1,2,3

User1 -> workstation 1 --> success (first user account to login on that workstation)

User2 -> workstation 1 --> fail (second user account to login on that workstation)

User2 -> workstation 2 --> success (first user account to login on that workstation)

User1 -> workstation 2 --> fail

User3 -> workstation 3 --> success

User3 -> workstation 2 & workstation 1 --> fail

etc, etc.

When user 2 on workstation 1 failed, I logged out and back again with User1 to check whether it still worked and yes, everything was fine.

Then I noticed that only Windows XP was affected by that issue. Windows 7 clients have no problems.

I would have thought about a certificate common/alternative name problem, but as mentioned earlier local user accounts don't have those problems. Also user accounts in an old nt4 domain don't have those problems.

After 1 week of trial and error I discovered that sometimes there was an exception and another user account was able to setup an outlook profile. This is however hard to reproduce and definitely not linked to certain accounts. It's kinda random. Could this be a problem with some kind of time out/session/machine&user?

Does anyone have any idea what could be the cause of that or where to start looking?

Thank you very much for any help! this really is driving me crazy ;)



Failed DC; Can we simply re-introduce server with same name?


We have a remote site with two 2008 R2 Domain Controllers - well, actually, it's now down to only one.  This morning, the second DC up and died.  As such, there was no opportunity to politely remove it from the domain.  Further, there were no backups being taken of this domain controller (please don't judge), so we have nothing to go back to. 

We would, however, like to have two domain controllers at this remote site, and the topic of "next steps" came up.  We've been researching the steps for cleaning up old DC information from Active Directory, but that process seems to suggest that we're trying to get rid of something long gone.  Since we want to get a second DC back in the mix, can we simply stand up a new server with the same name without freaking out Active Directory? The standing theory is that the new machine information (SID) will overwrite the old information when joined to the domain and subsequently promoted to DC status.

Of course, since this has not been tested, it's all just theory.  The DC wasn't doing anything special other than being a global catalog server and hosting DNS.

Anyone have any thoughts on this?  Do we need to do the cleanup even though we plan on introducing the same server back into the mix (albeit a *new* server).

Thanks in advance for everyone's time.

-Todd

Why or why not?


I plan on moving a 2008 R2 domain controller to another site that is connected back to me over a VPN connection (WAN link).  There will be communication that is, hence replication between all DCs should occur.  But the other site is of a different network. 

Some people have advised against changing the IPs of domain controllers too often.  Is there a reason for this? 

Is it better to just build a brand new DC at the other site instead?  Why or why not?

Logonserver...

In an environment consisting of several domain controllers, who determines which DC is responsible for answering an authentication request from a user?  Is it random?  Is it determined by which DC is "closest" to the user? 
If I place a DC at another location, would that guarantee all users at that location will always authenticate to that DC? 

Service fails to start, error 1297 and 7000


I have a lab configured with a single domain controller and one client server.  Both servers are Windows Server 2008 R2 Standard and the functional level of the domain is Windows Server 2008 R2.  After I promoted the domain controller, I did not make any changes to the default domain policy GPO.  My problem is this:  I created a Managed Service Account and a regular user account and tried to use both of these accounts as logon accounts for the "Disk Defragmenter" service on my client server and domain controller.  Each time it failed with the following error:

In the system event log:

I also tried moving the client server into a custom OU and blocked inheritance of all parent GPOs, but this did not work either...same error.

I'm assuming the problem lies with the Default Domain group policy and Default Domain Controllers group policy, I'm just not sure which setting.  I'm at a complete loss, so any help is greatly appreciated.

jason


UPDATE:  after further testing, I am receiving the same errors even when the server is not joined to a domain.  After a fresh install of Windows Server 2008 R2, I created a local user and used that account as the logon account for several services. When I started the services, I received the same error.

Server 2008 Domain Controller Demotion Error


I have two Server 2008 R2 Domain Controllers. CrDC was the primary DC until yesterday, when I transferred the FSMO roles to OuDC (my other DC). While attempting to demote CrDC, I get the following error:

The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=mydomain,DC=local to

Active Directory Domain Controller \\OuDC.domain.local.

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

-AND-

Remote directory server:

\\OuDC.domain1.local

 This is preventing removal of this directory server.

 User Action

Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again.

 Additional Data

Error value:

5005 The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

Extended error value:

0

Internal ID:

52498735

I have run all of the NTDSUTIL fixes and I believe that I have come to the root of the problem, but I'm not positive and I don't know how to fix it. We used to have a Windows Server 2003 Domain Controller named TIGER and I believe that it was not demoted correctly more than a year ago, because I keep getting the following error and I believe it may have to do with this (Please notice: CN=TIGER):

Ownership of the following FSMO role is set to a server which is deleted or does not exist.

 

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

 

FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=mydomain,DC=local

FSMO Server DN: CN=NTDS Settings\0ADEL:bab2a84f-a8da-44c7-a3db-be79abf0f2c9,CN=TIGER\0ADEL:ea6e167e-72df-49ab-b521-6ab1ef4c9657,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain1.DC=local

 

User Action:

 

1. Determine which server should hold the role in question.

2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently. If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.

3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.

 

The following operations may be impacted:

Schema: You will no longer be able to modify the schema for this forest.

Domain Naming: You will no longer be able to add or remove domains from this forest.

PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.

RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.

Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

Any help will be greatly appreciated!




Replacing Server 2003 with 2008 R2 with same name and IP

I need to upgrade and replace an existing MS Server 2003 box with a new MS Server 2008 R2.  It is the only server for the forest.  It is obviously the PDC and holds all the roles (FSMO, DNS, DHCP, Print, App Server, File Server).  I need to replace the 2003 machine, transfer all the roles and assign the same IP and hostname to the new server as was on the old.  It is a requirement for some custom software and it cannot use the DNS name.  It has to map to IP of the server according to the vendor.  I have successfully replaced 2003 machines with 2008 in the past but have never had the requirement to keep the same hostname.  I have searched the forum and found similar questions but not specific to this scenario.  Ideas or how to's on the best way to do this are much appreciated.

I got Event ID:_13508


After the network between the 2 DCs was down for a long time, I got Event ID 13508 on both DCs.

Both are running Win 2008 R2.

On the child DC, Event ID 13562 also appears.

Trust relationship DNS errors


Hello,

I want to establish an external/Forest Trust between two forest AD.

1/ Forest A: (W2k8) domaineA.local

2/ Forest B: (W2k3) domaineb

Forest A doesn't resolve the FQDN of Forest B (domaineB), but Forest B does resolve Forest A (DomaineA.local). Then I configured a conditional forwarder on Forest A, but it still doesn't resolve Forest B.

 nslookup -type=any domaineB

Server:  localhost
Address:  127.0.0.1

*** localhost can't find domaineb: Non-existent domain

nslookup -type=any boisb  @IP1

Server:  CD.domaineb
Address:  @IP1

*** CD.domaineb can't find domaineb: Non-existent domain

Is it because the FQDN domaineb is the same as the NetBIOS name DomainB? If yes, how can we manage this?

Corrupt OU in Active Directory


We've taken on a site with a 2008 R2 server with what appears to be a corrupt OU in AD, and I'm looking for any advice on how to remove the OU.

When attempting to open the OU in ADUC an error message is displayed stating "Data from Users is not available from Domain Controller xxx because: An operations error occured." (the corrupt OU is named 'Users').

Attempting to open the OU in ADSI Edit, an error message is displayed stating "Operation failed. Error code: 0x80072020 An operations error occured."

Attempting to delete the OU in ADSI Edit displays the error message: "Operation failed. Error code: 0x20ef The directory service encountered an unknown failure. 000020EF: SvcErr: DSID-02080F91, problem 5012 (Dir_ERROR), data -1017"

Also on this server, on attempting to open GPMC a message is displayed stating "The system cannot open the device or file specified.", and this is repeated when attempting to view any GPO. In the Settings tab for every GPO is displayed "An error occurred while generating report: An operations error occured."
GP Settings can be viewed in the GP Editor.

Everything else appears to be working OK, there are no warning or critical events in the System or Application event logs.

This is the only DC in the domain, and there were no backups being taken so fix by restore is not possible.

The Directory Service log has repeated 2008 and 1262 events as shown below:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          26/03/2013 14:38:36
Event ID:      1262
Task Category: Internal Processing
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      SRV-01.Cxxx.local
Description:
The security descriptor propagation task could not process a propagation event starting from the following container.
 
Container:
OU=Users,OU=_Cxx xxx,DC=Cxxxx,DC=local
 
As a result, the security descriptor propagation task will either suspend processing for thirty minutes or wait until a security descriptor has changed for any object.
 
User Action
Check the security descriptor on this container.
 
Additional Data
Error value:
fffffc07 []
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="49152">1262</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-26T14:38:36.489263200Z" />
    <EventRecordID>9392</EventRecordID>
    <Correlation />
    <Execution ProcessID="644" ThreadID="856" />
    <Channel>Directory Service</Channel>
    <Computer>SRV-01.Cxxx.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>fffffc07</Data>
    <Data>OU=Users,OU=_Cxx xxx,DC=Cxxx,DC=local</Data>
    <Data>[]</Data>
  </EventData>
</Event>

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          26/03/2013 14:38:36
Event ID:      2008
Task Category: Internal Processing
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-01.Cxxx.local
Description:
Internal error: The security descriptor propagation task encountered an error while processing the following object. The propagation of security descriptors may not be possible until the problem is corrected.
 
Object:
(n/a)
 
Additional Data
Error value:
-1017 JET_errRecordDeleted, Record has been deleted
Internal ID:
20801d4
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="49152">2008</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-26T14:38:36.426863100Z" />
    <EventRecordID>9391</EventRecordID>
    <Correlation />
    <Execution ProcessID="644" ThreadID="856" />
    <Channel>Directory Service</Channel>
    <Computer>SRV-01.Cxxx.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>-1017</Data>
    <Data>JET_errRecordDeleted, Record has been deleted</Data>
    <Data>20801d4</Data>
    <Data>(n/a)</Data>
  </EventData>
</Event>

User locked out and event log fills with event 4771, but no "bad password" events


The event is triggered every few seconds.  Pre-authentication failed is not clear.  It doesn't say bad password, but the account keeps locking.

4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:46:05 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61196    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:46:05 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61194    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:45:12 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61190    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:45:12 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61188    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:45:05 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61186    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:45:05 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61184    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:44:48 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61182    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:44:48 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61180    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:44:37 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61178    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:44:37 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61176    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:44:26 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61174    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:44:26 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61172    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:44:15 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61170    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:44:15 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61168    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:44:04 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61163    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:44:04 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61161    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:43:05 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61152    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:43:05 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   Service Information:   Service Name:  krbtgt/domain.local    Network Information:   Client Address:  ::ffff:192.168.20.111   Client Port:  61150    Additional Information:   Ticket Options: 0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.  
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:42:07 2013,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-1614895754-515967899-1801674531-1163   Account Name:  smithj   S

The IP address is to a webmail server.  The user says they have turned off everything that is checking mail.

I don't know why I don't see any events that say "unknown user name or bad password", yet the account locks anyway.
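Failure Code 0x18 in the 4771 events above is KDC_ERR_PREAUTH_FAILED in RFC 4120, which a KDC typically returns for a wrong password, and Pre-Authentication Type 2 is the encrypted timestamp. As an added example (not part of the original post), the Python below parses export lines in the format shown and counts failures per account and client address; the sample lines and the 192.0.2.15 address are constructed.

```python
import re
from collections import Counter

# Subset of RFC 4120 error codes that appear as "Failure Code" in event 4771.
KRB_ERRORS = {
    0x12: "KDC_ERR_CLIENT_REVOKED (credentials revoked: disabled or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password has expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (pre-authentication invalid, usually a wrong password)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}
FIELD = re.compile(r"(Account Name|Client Address|Failure Code):\s*(\S+)")

def parse_4771(line):
    """Return the key fields of one exported 4771 line, or None if unusable."""
    parts = line.split(",", 5)  # id, type, source, time, user, message
    if len(parts) < 6 or parts[0] != "4771":
        return None
    fields = dict(FIELD.findall(parts[5]))
    if len(fields) < 3:
        return None  # truncated record: a field is missing
    addr = fields["Client Address"]
    if addr.lower().startswith("::ffff:"):
        addr = addr[7:]  # strip the IPv4-mapped IPv6 prefix
    code = int(fields["Failure Code"], 16)
    return {"time": parts[3], "account": fields["Account Name"], "client": addr,
            "code": code, "reason": KRB_ERRORS.get(code, "see RFC 4120")}

def lockout_sources(lines):
    """Count failures per (account, client address, failure code), busiest first."""
    events = filter(None, map(parse_4771, lines))
    return Counter((e["account"], e["client"], e["code"]) for e in events).most_common()

# Constructed sample in the page's export format (Security ID and certificate fields omitted).
TEMPLATE = ("4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,{t},No User,"
            "Kerberos pre-authentication failed.    Account Information:   Account Name:  {u}   "
            "Service Information:   Service Name:  krbtgt/domain.local    "
            "Network Information:   Client Address:  {a}   Client Port:  {p}    "
            "Additional Information:   Ticket Options: 0x40810010   "
            "Failure Code:  {c}   Pre-Authentication Type: 2")
SAMPLE = [
    TEMPLATE.format(t="Tue Mar 26 05:44:15 2013", u="smithj", a="::ffff:192.168.20.111", p=61170, c="0x18"),
    TEMPLATE.format(t="Tue Mar 26 05:44:04 2013", u="smithj", a="::ffff:192.168.20.111", p=61163, c="0x18"),
    TEMPLATE.format(t="Tue Mar 26 05:43:05 2013", u="smithj", a="::ffff:192.168.20.111", p=61152, c="0x18"),
    TEMPLATE.format(t="Tue Mar 26 05:45:01 2013", u="smithj", a="::ffff:192.0.2.15", p=50211, c="0x12"),
    "4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 26 05:42:07 2013,No User,"
    "Kerberos pre-authentication failed.    Account Information:   Account Name:  smithj   S",
]

if __name__ == "__main__":
    for (account, client, code), count in lockout_sources(SAMPLE):
        print(f"{count:3d}  {account:<10} {client:<16} {KRB_ERRORS.get(code, hex(code))}")
```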


Unable to modify the wellKnownObjects attribute when changing default computer target OU


Hello, I'm preparing for the 70-640 exam.  In attempting to redirect the default domain computer OU, I entered the command redircmp "CN=CLIENTS,DC=contoso,CD=com".  I get the error "Unable to modify the wellKnownObjects attribute.  Verify that the domain functional level of the domain is at least Windows Server 2003."

I have verified that the forest and domain functional level are 2008 R2.

I cannot find any suggestions in any threads other than removing "protected from deletion" check box in objects tab of advanced view properties of the target OU (this does not fix the error in my case).  Any other suggestions?

NTDS\ntds.dit table database may be corrupt ..


Hello,

There is a warning on my Server 2008 R2 in the Event Viewer. How bad is this warning, and how do I solve it? Do I need to fix this before I proceed with the FSMO transfer?

Domain trusts and FireWalls


Hi

I'm going to set up a one-way domain trust. Scenario:

Domain A (Forest A):

  • Contains users that are going to access resources in Domain B. (User A)
  • Contains a server (Server A) that is used to access Server B in Domain B
  • Contains Windows 2008 R2 (back bone + DMZ A1+A2) and Windows 2003 (a few) (DMZ A1) DCs
  • DCs on multiple DMZs

Domain B (Forest B):

  • Contains resource servers; separate DMZ (DMZ B2) from DCs in domain B. (Server B)
  • Windows 2008 R2 domain controllers in a DMZ (DMZ B1).
  • Trusts Domain A (one-way trust)

Preferably, Kerberos authentication is used.

I want User A on Server A to be able to access resources on Server B. For that I have a question:

  1. Does Server B need to have network access to all or any DCs in Domain A? If yes, is there a way to limit which DCs it will try to communicate with? (besides doing split DNS with static records (not a solution)).

I'm suspecting that direct access from Server B to Domain A DCs is required for Kerberos authentication, but maybe not for NTLM?

I haven't been able to find articles describing which servers and DCs need to communicate in a setup like this, but mostly found articles on intra-forest setups.

Any help is appreciated. Thanks

Regards

Michael

Negotiate, Kerberos, NTLM or Digest


Hello,

Does anyone know what warning this is? How can I solve this, or can I just disable this service? I am receiving this warning continuously on my Server 2008 R2. Thanks.

ADUC query for Windows XP versions

Does anyone have an importable query to find all XP versions in ADUC, please? Thanks,