Channel: Directory Services forum

Active Directory: Cannot create new user on operations master, but can on other DCs in domain.


We have a domain for the school I work for that has our main operations master (HS-DC2), and 4 global catalog DCs all on the same domain.  On our oper master, we cannot create / copy a new user because it gives the following error:

Windows cannot set the password for (user) because:
The specified directory object is not bound to a remote resource

you click ok, then it pops up with:

Windows cannot remove the newly created object automatically.
Remove it manually or contact your system administrator.

The object is not created, it's not there... I'm lost. THEN, I can connect to another domain controller in our network and create the account / copy another account and it works perfectly. NO problems whatsoever, and then it replicates back to the operations master just fine.

I'm at a loss and need some help. 

Thoughts?

Thanks in advance!


Ordinary users with a domain account can enumerate Active Directory !


We have several domain users (non admins) who, using a VISIO template, could actually enumerate users, machines, and OUs from AD!  How is this possible? From a security perspective I thought that only Domain Admins would have this capability.

TIA,

edm2

P.S. We are at Windows Server 2008 R2 domain functional level.



Prevent timed lockout for computers on domain.local


Hello good people!

First I would like to say I already have tried searching the forums, but I have not been able to find the precise topic and Windows Server 2012.

Second I know what I want to do, and the computers are in a closed environment.

The problem is that when I add computers to the domain.local, they lock the screen after 10-15 minutes. I want to entirely remove this policy, so the computers do not lock unless they are locked actively.

I have a general idea what I'm supposed to do, but I simply can't find the locations where this should be edited in Active Directory.

Best regards

Peter

raising domain functionality to windows server 2003.


My question would be if raising domain functionality and forest would have any problem or should we expect some strange behavior; we have 2 Domain Controller 2003 and we would like to raise the same functionality and forest to 2003; in 2000 they are now mixed.

The question comes on the side that we have Linux computers that authenticate users using NTLM and Kerberos protocols, as well as a member server in NT file server functionality; it also has client applications compiled in .NET 2.0 and 1.1, and these do not deal directly with domain authentication.

The question is if I can raise the functionality of the domain and the forest to Windows 2003 and stay calm, knowing that I will not affect the operation and there will be no major changes at the network level, talking about Kerberos and NTLM protocols and applications using .NET.

Well I wait your response and help.

Best regards,

Roque.    

It should be easy....PDC Timesource


Hi,

I'm trying to configure the Server 2008 DC with the PDC role for my client's site to talk to an external time source to get its time. The domain time hierarchy is working fine and all servers and clients are correctly in sync. But the PDC won't get its time from an external source.

It's a physical server so I'm not battling with Hyper-V or ESX time sync.

So far I've done this

Set the Announceflags to 5 here HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

Set the enabled value to 1 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer

Have added the NTP Server value "ntp-galway.hea.net,0x1 ntp2.ja.net,0x1" in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Started and stopped the time service.

Then when I run w32tm /query /source I get local cmos clock back and the time isn't the correct one.

I've also tried this

w32tm /stripchart /computer:ntp-galway.hea.net /samples:5 /dataonly

which comes back with the correct time, and tells me mine is 50 seconds out.

I then run this

w32tm.exe /config /manualpeerlist:"ntp-galway.hea.net" /syncfromflags:manual /reliable:yes /update

start and stop the time service and then re-query and get exactly the same.

any ideas?


Denis Cooper MCITP EA - MCT
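An added example for the thread above (not the poster's or Microsoft's code): it reads the W32Time registry values that decide whether a PDC emulator polls the manual peers named in the post, applies the same peer list, forces a resync and checks the reported source. It assumes the ActiveDirectory module is installed and that it runs elevated on the PDC emulator.

```powershell
# Added example, not from the post: check, apply and verify manual NTP peers on the PDC emulator.
Import-Module ActiveDirectory

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$pdc = (Get-ADDomain).PDCEmulator
if ($env:COMPUTERNAME -ne ($pdc -split '\.')[0]) {
    throw "Run this on the PDC emulator ($pdc); other DCs should keep Type = NT5DS."
}

function Get-W32TimeSummary {
    $p = Get-ItemProperty "$w32\Parameters"
    [pscustomobject]@{
        Type             = $p.Type        # NTP = manual peers; NT5DS = domain hierarchy (a root PDC has no upstream)
        NtpServer        = $p.NtpServer   # peer list from the post; 0x1 = use SpecialPollInterval
        NtpClientEnabled = (Get-ItemProperty "$w32\TimeProviders\NtpClient").Enabled  # must be 1 to poll peers at all
        NtpServerEnabled = (Get-ItemProperty "$w32\TimeProviders\NtpServer").Enabled  # 1 = serve time to the domain
        AnnounceFlags    = (Get-ItemProperty "$w32\Config").AnnounceFlags             # 5 = reliable time source
    }
}

'Before:'; Get-W32TimeSummary | Format-List

# Same peer list the post uses; /update applies it to the running service
w32tm /config /manualpeerlist:"ntp-galway.hea.net,0x1 ntp2.ja.net,0x1" /syncfromflags:manual /reliable:yes /update
Restart-Service W32Time
w32tm /resync /rediscover

'After:'; Get-W32TimeSummary | Format-List
w32tm /query /source     # expected: one of the peers, not "Local CMOS Clock"
w32tm /query /status

# If the values revert after a policy refresh or NtpClientEnabled stays 0, a Group Policy
# under Administrative Templates > System > Windows Time Service is overriding the registry;
# gpresult /h report.html shows which GPO sets it.
```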

Offline defragmentation of NTDS.dit


Hello,

I'm studying for the 70-640 exam and while practicing in my lab environment I performed an offline defragmentation of the Active Directory database. Seeing as this is a test environment, the file size of NTDS.dit wasn't that big to begin with - only around 20MB, so my expectations weren't through the roof to begin with. However, after performing the offline defragmentation using the following method, the file size of NTDS.dit ended up at 34MB.

The offline defragmentation was performed in the following manner, as described in the following Technet-article: http://technet.microsoft.com/en-us/library/cc794920(v=ws.10).aspx

net stop ntds (Which also stops all dependent services)

ntdsutil

activate instance ntds

files

compact to c:\temp

Exit out of ntdsutil and backup the old ntds.dit-file

del d:\ntds\*.log

copy c:\temp\ntds.dit e:\ntds\ntds.dit (Database-files and log-files are stored on separate drives)

ntdsutil

activate instance ntds

files

integrity

Exit out of ntdsutil

net start ntds

So my questions are:

Am I doing something wrong, or is there a minimum size where a defragmentation is feasible?

Any ways to easily inflate the file size to verify that I'm doing the procedure correctly with the expected result?

Thanks!

Andreas

Migrate 2003 SLD to 2008 FQDN


Hello,

I am in the early stages of migrating a windows 2003 single label domain to a 2008 level FQDN. We currently have exchange 2007 and Sharepoint 2007 installed. Any advice on steps to take would be appreciated. I'm not sure whether to just concentrate on SLD to FQDN, and then 2003 to 2008, or attempt to do that in the same migration period. Also, how exchange and WSS fit into all of this.

Adding an additional domain controller causes issues with first


Hi,

I have a forest with a single domain/site W2008R2 functional level. The first DC was built without an issue. I have recently added a second domain controller to the domain, and this has caused the first to fail (although the second seems to be filling the gap for the moment).

The second domain controller was added using dcpromo, using the option to add a domain controller to an existing domain. Both the DNS and Global Catalog roles were added. The replication appeared to succeed without any issues.

The other bit of information that may be useful is that dcpromo did say that it was unable to find any DNS servers authoritative for the domain when adding the second DC. I checked dcpromoui.log, and it seemed to have queried the SOA record correctly, so I wasn't sure what was causing the warning. In any case, the DNS replication between the two was successful.

The initial symptom I've noticed is that the first domain controller's LAN interface has switched from the "Domain" profile, to the "Private" profile. For some reason it no longer thinks that interface is connected to the domain.

DNS servers on dc01 is set to 127.0.0.1 / Blank
DNS servers on dc02 is set to dc01 IP / 127.0.0.1

I'm currently doing further investigation, so will post information as I find it. Any help greatly appreciated.


Child domain no longer trusts; can't validate the trust.


I have a parent-child domain. Connections between the parent and child are all open. All ports are checked and communication is connectable.

I know there is a replication issue. And now there is a trust issue. I tried to reset trust passwords. I tried to validate the trust, but after entering credentials for both domains I get "The Parameter is incorrect" and "Trust Cannot be repaired because: The Parameter is incorrect".

This message comes up also. 

"The secure channel (SC) reset on domain controller \\dc1.domain.com of domain domain.com to domain dc2.Child.domain.com failed with error: There are currently no logon servers available to service the logon request.

The secure channel (SC) verification on domain controller \\dc2.Child.domain.com of domain dc2.Child.domain.com to domain domain.com failed with error: The specified network password is not correct.

The secure channel (SC) reset on domain controller \\dc2.Child.domain.com of domain Child.domain.com to domain domain.com failed with error: Access is denied."

Also this error came up recently

LSASRV Event ID 40960

The Security System detected an authentication error for the server cifs/dc02.domain.com. The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)".

LastLogon is 24 days old and still more recent than LastLogonTimeStamp


I know how this is supposed to work, but it does not seem to be working properly. I have a disabled user who has a LastLogon of 3/4/2013, and the LastLogonTimeStamp is still older at 2/23/2013. What should I check? Is my msDS-LogonTimeSyncInterval possibly off? Can non-interactive logons (webmail using ADFS) cause this problem?

Thanks,

Dan


Dan Heim
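An added example for the question above (not the poster's code): it collects lastLogon from every DC, since that attribute is not replicated and each DC only knows the logons it handled, and sets the newest value beside the replicated lastLogonTimestamp, which is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (default 14 days) minus a random offset of up to 5 days. It assumes the ActiveDirectory module; the sAMAccountName passed in is a placeholder.

```powershell
# Added example, not from the post: gather per-DC lastLogon and compare with lastLogonTimestamp.
Import-Module ActiveDirectory

function Get-UserLogonEvidence {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domain   = Get-ADDomain
    $interval = (Get-ADObject $domain.DistinguishedName -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
    if (-not $interval) { $interval = 14 }   # attribute unset means the 14-day default applies

    $rows = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u   = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon, lastLogonTimestamp
            $ll  = if ($u.lastLogon)          { [DateTime]::FromFileTime($u.lastLogon) }
            $llt = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) }
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $ll; LastLogonTimestamp = $llt; Error = $null }
        } catch {
            # an unreachable DC is reported, not skipped, because its lastLogon may be the newest one
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $null; LastLogonTimestamp = $null; Error = $_.Exception.Message }
        }
    }

    $newest = ($rows | Where-Object { $_.LastLogon } | Sort-Object LastLogon -Descending | Select-Object -First 1).LastLogon
    $stamp  = ($rows | Where-Object { $_.LastLogonTimestamp } | Select-Object -First 1).LastLogonTimestamp
    [pscustomobject]@{
        SyncIntervalDays   = $interval
        NewestLastLogon    = $newest   # the real last authentication, taken across all DCs
        LastLogonTimestamp = $stamp
        # a logon less than the interval after the stamp is not expected to update the stamp
        WithinSyncWindow   = [bool]($newest -and $stamp -and (($newest - $stamp).TotalDays -lt $interval))
        PerDC              = $rows
    }
}

# Usage: Get-UserLogonEvidence -SamAccountName 'jdoe' | Format-List
```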

ADDS sites and services/RDP


I currently am unable to connect to a DC from outside of our internal network from another DC. I checked our router settings and Remote Desktop is enabled on it. I also checked the firewall. Could ADDS sites and services be the issue? Meaning, do I need to make some sort of connection to other servers in the forest to allow me to connect to it using its DNS name (this is what I would like to happen)?

I am a newbie to this, so any info. would be greatly appreciated.

Thanks

Server not accessible, but still running fine


Hi all,

We have had this same issue now with two of our Hyper-V host servers. The symptoms are that when RDPing to the machine it asks for credentials, but then throws the error:
Remote Desktop Connection
---------------------------
Remote Desktop cannot verify the identity of the remote computer because there is a time or date difference between your computer and the remote computer. Make sure your computer’s clock is set to the correct time, and then try connecting again. If the problem occurs again, contact your network administrator or the owner of the remote computer.
---------------------------
When you try connecting via the Hyper-V manager, you get the error "RPC Server unavailable. Unable to establish communications between ..."

I can connect all of the other remote tools to it (event viewer, server manager, services) and can see the following:

In the event viewer there are a multitude of errors, I'm guessing all with the same root cause:

GPO

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one or more of the following:

a) Name Resolution failure on the current domain controller.

b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

DCOM

DCOM was unable to communicate with the computer <DPM Backup server> using any of the configured protocols.

NETLOGON - Looks like the worst and maybe root cause?

This computer was not able to set up a secure session with a domain controller in domain D01 due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

I can see that the service "Remote Procedure Call (RPC)" is started. Restarting it makes no difference. The RPC Locator service isn't started, but I don't think this is an issue.

The DNS servers that are configured are the DCs and they are certainly fine for all our other servers and clients. The time is indeed out of sync, but I think this is more because it cannot establish a session with the DCs, which are the NTP servers. All of the guest machines are fine and running perfectly.

Like I said at the start, this has happened to another of our servers, suggesting that this is maybe a wider AD issue.  In the case of the first server, a restart solved the symptoms.  However, this second server is a bit more of a pain to restart and I want to sort out the root cause.

thanks in advance.

Exchange AD use in separate organization for local login...


Hi,

I have a Server 2008 AD used for our Exchange 2007 installation. I have 6500 users in 25 separate organizations in this AD with each organization in a separate OU.

I would like to push these AD accounts out into the separate organizations for use as the domain login on the local user machines.

Right now each organization has their own local AD domain. I want to allow the users in each organization to use their email username and password for login to their desktop workstations.

I can see this working if each organization points their computers to my domain controllers for authentication. My first concern is that if a user travels to another organization they would be able to use their login to gain access to a local workstation that they should not necessarily have access to.

My first general level question become: Is it possible to have many separate organizations login to the same AD domain but be limited in the locations by some AD policy?

This question seems more confusing than I feel it really is. Please ask any questions needed for clarification.

Thanks,

Dale

changing the primary domain DNS name of this computer to "" failed. The name will remain... The error was: A directory service error has occurred


Hi all.

After joining successfully a computer to the domain, I get the above error.

Does anyone know this specific error - "A directory service error has occurred"?

I found out that unbinding or disabling IPv6 makes this error message disappear.

I saw that there are a lot of threads on this issue, but I didn't see any on this specific error.

RODC with NETLOGON 5723 & 5805 EventIDs | Machines in Domain


About 6 months ago, I travelled to a remote office where we had issues with machines falling out of the domain, more regularly than at our headquarters. I decided to deploy a RODC at this site, hoping to alleviate the issue. Since this deployment, every machine on that site now generates EventIDs for NETLOGON 5805/5723, but these machines are still in the domain. I can remote to them, I see them as authenticated machines, and they act as if they are joined. This error is only reported on the RODC.

Perhaps I've done something wrong in setting up the RODC, such as the PRP is incorrect or the accounts that joined the machine to the domain are not set up properly for a RODC. On the RODC, I hit properties and went to Password Replication Policy->Advanced, and I do see all the machines in the "Accounts that have been authenticated to this Read-only Domain Controller". The "Accounts whose passwords are stored on this Read-only domain controller" are only the krbtgt_xxxxx, and the RODC itself. On the PRP tab of the RODC Properties, I see Allowed RODC Password Replication group as the only "allowed" group.

I am not sure what is occurring here, but these are Windows 2008 R2 servers reporting to this Windows 2008 R2 RODC, so the compatibility pack does not apply (I believe). Is there some sort of delegation responsibilities I need to assign to the RODC?

Thanks all,


Unable to manage all AD objects In the network

Hello,

I am unable to manage all AD objects within the network, and want to know about any tool which can help me.

If anybody knows about a good AD Manager Tool please let me know here.

PKI migration from 2003 to greenfield 2008 R2 plan-of-approach


Hi,

I've done a lot of reading here already but I'm on a dead end. Here's my scenario:

I have 1 Stand-alone root CA plus 2 Enterprise issuing CA's, all running Windows Server 2003. I'm trying to move all servers to a new OS platform: Server 2008 R2. The way I'm seeing this is I have to migrate the Root CA first, then all issuing CA's, so my first question is:

1. Is this correct?

I followed this procedure: http://technet.microsoft.com/en-us/library/cc742388(v=ws.10).aspx. At "To set up a CA on a computer running Windows Server 2008" I specified the backup I made earlier and specified the private key from the 2003 stand-alone root CA. After the wizard finishes, I am able to successfully start the CA on the 2008 server. The next chapter is "Restoring the database and configuration on the target computer". It prompts to shut down the CA service, which I allow, it restores the DB (which I point to as part of the wizard), and when it finishes restoring, it prompts to start the CA service again. This is where the headache starts; it throws an ADCS error "0xc8000220 (ESE: -544)" and it fails to start.

The application log on the target server throws the following errors (in chronological order) :

[source: ESENT - EventID: 916] "certsrv.exe attempted to attach database 'C:\windows\system32\certlog\<CANAME>' but it is a database restored from a backup set on which hard recovery was not started or did not complete successfully"

[source: CertificationAuthority - EventID: 17] "Active Directory Certificate Services did not start: Unable to initialize the database connection for <CANAME>. Error: 0xc8000220 (ESE: -544)."

I have no idea as to what this means, so my next obvious question would be:

2. Please advise on my next step?

Cheers!


Check out my blog you-n-it.net

Renaming a nested group doesn't replicate display information across the DCs that aren't GCs


Hello,

I have the following issue; I don't understand why the display name of the nested group is not refreshed:

same forest / not parent-child domain

DomainA has two DCs: DCa1 and DCa2-GC (DCa1 has all FSMO roles)

DomainB has two DCs: DCb1 and DCb2-GC (DCb1 has all FSMO roles)

In DomainA, I have a domain local security group DLG_A.

In DomainB, I have a global security group GG_B.

GG_B is a member of DLG_A.

If I rename GG_B to GG_B1, the information is correct on the GC in DomainA but not on the DC in DomainA.

I have checked replication; it's OK.

I have checked object metadata (repadmin /showobjmeta <guid=id>); all information is correctly replicated.

Where am I wrong?

Thank you, 

Sorry for my english ;) it's not my mother tongue...

How can I convert a list of Active Directory Display Names into User Names?


I have a list of Display Names that need to be converted to Active Directory User Names.  The list is in a CSV format and looks like this:

"White, Charles"
"Henry, Marcus"
"Farrior, Anthony"
"Basis, Ian"
"Heenan, Michael"
"Anderson, Anthony"

I can open it in Excel and convert to almost any format. I was thinking maybe PowerShell or something like that, but am willing to use anything.

Thanks in advance.
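An added example for the question above (not the poster's code): it reads the header-less "Last, First" CSV shown, looks each display name up with an LDAP filter, and records how many accounts matched so empty and ambiguous results are reviewed rather than silently mapped. It assumes the ActiveDirectory module and the placeholder paths .\names.csv and .\resolved.csv.

```powershell
# Added example, not from the post: map display names from a header-less CSV to sAMAccountNames.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a display name containing \ * ( or ) cannot change the filter's meaning
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Resolve-DisplayName {
    param([string]$DisplayName)
    $filter = "(displayName=$(ConvertTo-LdapFilterValue $DisplayName))"
    $found  = @(Get-ADUser -LDAPFilter $filter -Properties DisplayName)
    [pscustomobject]@{
        DisplayName    = $DisplayName
        SamAccountName = ($found | Select-Object -ExpandProperty SamAccountName) -join ';'  # several = ambiguous
        MatchCount     = $found.Count                                                      # 0 = not found
    }
}

# -Header supplies the column name the file lacks; the quoted "Last, First" values parse as one field
Import-Csv -Path .\names.csv -Header DisplayName |
    ForEach-Object { Resolve-DisplayName $_.DisplayName } |
    Export-Csv -Path .\resolved.csv -NoTypeInformation
```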

Code snippet to DUMP OU's ACL's


I have often seen folks looking for code snippets to extract ACL's from AD.  I have recently uploaded an example that can traverse from a defined point.  Code is located in the Script Repository.

http://gallery.technet.microsoft.com/scriptcenter/DUMP-ACLs-From-an-OU-8e2da85c

-- 
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com    Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson

Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
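An added example on the same topic as the post above (it is not the gallery script linked there): it walks every OU and container below a starting point over the ActiveDirectory module's AD: drive, resolves the GUIDs of attribute- and extended-right-specific ACEs to names, and emits one row per explicit ACE so delegated rights can be reviewed. It assumes the ActiveDirectory module; the distinguished name in the usage line is a placeholder.

```powershell
# Added example, not Paul Bergson's script: dump explicit ACEs on every OU/container under a starting OU.
Import-Module ActiveDirectory

function Get-OuAclReport {
    param([Parameter(Mandatory)][string]$StartOU, [switch]$IncludeInherited)

    # GUID -> name map so object-specific ACEs (e.g. on a single attribute or extended right) are readable
    $rootDse  = Get-ADRootDSE
    $guidMap  = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(rightsGuid=*)' -Properties name, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

    # the starting OU itself plus every OU or container beneath it
    $containers = @(Get-ADObject -Identity $StartOU) +
        @(Get-ADObject -SearchBase $StartOU -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))')

    foreach ($c in $containers) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }   # explicit ACEs are where delegation lives
            $objectType = if ($ace.ObjectType -ne [guid]::Empty) { $guidMap[$ace.ObjectType] } else { 'All' }
            [pscustomobject]@{
                Object     = $c.DistinguishedName
                Identity   = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                Type       = $ace.AccessControlType
                ObjectType = $objectType
                AppliesTo  = $ace.InheritanceType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Usage (placeholder DN): Get-OuAclReport -StartOU 'OU=Workstations,DC=example,DC=com' | Export-Csv .\ou-acl.csv -NoTypeInformation
```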
