
Error Message while renaming the AD domain "Failed to delete rename script on the DN"

Hi, 

I am trying to do a domain rename but am not able to finalize it. When I executed rendom /end I got this error message:

Failed to delete rename script on the DN: CN=Partitions,CN=Configuration,DC=almohanna on host SRV10.almohanna.sa.
00002077: SvcErr: DSID-030F0EBF, problem 5003 (WILL_NOT_PERFORM), data 0: Cannot complete this function. :1003

Non-Transitive trusts


Can I set up a non-transitive trust between root domains within the same forest?

I have 5 domains within a forest. They are not child domains. All root domains.

I want to create a two way trust between:

Domain A and Domain B
Domain A and Domain C
Domain A and Domain D
Domain A and Domain E

I don't want Domains B, C, D or E to have any trusts between them though.

Is that possible?

 

Active Directory error "-2147016645" occurred when looking for global catalogs in forest "domain_name.co.uk": "A local error has occurred"


We are doing Windows patching on the Skype for Business servers. When I did the failover it was fine, but as soon as I did the failback these errors occurred.

Please help!

Problems with SID history between domains in forest trust


Hi everybody.

I've got a problem while migrating my domain resources to another one.

Source domain is A.local (Windows 2008 R2). Target is B.com (Windows 2016).
There is a trust between the two forests, bidirectional and transitive. 

I use ADMT to migrate users and groups. While migrating these objects, I check the "Migrate SID History" button. 
Before that, I deactivated SID filtering between my forests with these commands:

- from the source domain : Netdom trust A.local /domain:B.com /enablesidhistory:yes /usero:administrator /passwordo:*

- from the target domain : Netdom trust B.com /domain:A.local /enablesidhistory:yes /usero:administrator /passwordo:*

When I try to access a share in the target domain with a user who has share and security permissions, there is an error; I cannot access it.
If I modify the share settings to allow access to everyone in the source domain, access works for my user in the target domain.

Moreover, if on my source domain share I grant share permissions to the target user (or group), it does not work. If I do the same thing in the target domain, granting share permissions to the source user, everything works fine.

I've disabled/enabled SID history and SID filtering; nothing changed. Same thing after breaking and recreating the trust.

I have checked the user account in the target domain, the SID history is correctly written in the users attributes.

No firewall or AV software on any DC. 

Does someone have an idea?  
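
The two things worth verifying on each side of a forest trust before chasing share permissions are the trust's own flags and what actually sits in sIDHistory. The following PowerShell is an added example, not from the post: it decodes the trustAttributes bits that netdom sets, reports per trust whether the partner's sIDHistory will be honoured, and lists every principal in the domain that still carries a SID from a source domain. It assumes the ActiveDirectory module; the value handed to the decoder in the last line is constructed, everything else is read live.

```powershell
# Added example, not from the post: decode the trust attributes that netdom
# sets and list the principals in this domain that carry sIDHistory.
# Assumes the ActiveDirectory module; the value passed to the decoder at the
# end is constructed, everything else is read from the live directory.
Import-Module ActiveDirectory -ErrorAction Stop

# Bits of the trustAttributes attribute (MS-ADTS 6.1.6.7.9).
$TrustFlags = [ordered]@{
    NON_TRANSITIVE                       = 0x0001
    UPLEVEL_ONLY                         = 0x0002
    QUARANTINED_DOMAIN                   = 0x0004   # SID filter quarantine (netdom /quarantine:yes)
    FOREST_TRANSITIVE                    = 0x0008
    CROSS_ORGANIZATION                   = 0x0010
    WITHIN_FOREST                        = 0x0020
    TREAT_AS_EXTERNAL                    = 0x0040   # set by netdom /enablesidhistory:yes on a forest trust
    USES_RC4_ENCRYPTION                  = 0x0080
    CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x0200
    PIM_TRUST                            = 0x0800
}

function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory)][int]$Value)
    $TrustFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Name }
}

function Get-TrustSidHistoryState {
    # SID filtering is evaluated by the trusting (resource) side, so each
    # domain's own trust object decides whether it honours the partner's
    # sIDHistory. Run this in both A.local and B.com.
    Get-ADTrust -Filter * -Properties TrustAttributes | ForEach-Object {
        $flags = @(ConvertFrom-TrustAttributes $_.TrustAttributes)
        [pscustomobject]@{
            Partner           = $_.Name
            Direction         = $_.Direction
            ForestTransitive  = ($flags -contains 'FOREST_TRANSITIVE')
            SidHistoryHonored = $(if ($flags -contains 'FOREST_TRANSITIVE') { $flags -contains 'TREAT_AS_EXTERNAL' }
                                  else { -not ($flags -contains 'QUARANTINED_DOMAIN') })
            Flags             = ($flags -join ',')
        }
    }
}

function Get-MigratedPrincipal {
    # Users, computers and groups whose sIDHistory still carries a SID from
    # the source domain (objectClass=user also covers computers).
    Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=group))(sIDHistory=*))' `
                 -Properties sIDHistory, objectSid | ForEach-Object {
        foreach ($old in $_.sIDHistory) {
            $sid = [System.Security.Principal.SecurityIdentifier]$old
            [pscustomobject]@{
                Name         = $_.Name
                CurrentSid   = $_.objectSid.Value
                HistorySid   = $sid.Value
                SourceDomain = $sid.AccountDomainSid.Value
            }
        }
    }
}

Get-TrustSidHistoryState | Format-Table -AutoSize
Get-MigratedPrincipal    | Format-Table -AutoSize
# Offline check of the decoder with a constructed value (FOREST_TRANSITIVE | TREAT_AS_EXTERNAL):
ConvertFrom-TrustAttributes (0x0008 -bor 0x0040)
```

Read the output on the side that hosts the share: SidHistoryHonored has to be true there, on the trust object that names the domain the user logs in from. Even then the trusting side still drops some SIDs unconditionally, in particular any SID whose domain part belongs to its own forest, so a migrated account's sIDHistory only helps when it points at the source domain and the share is evaluated in the other forest.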

Can you reset/modify/unlock members of the same Account Operators group?


Hi,

we have a helpdesk team that is in the Account Operators group. They can unlock/reset the password of users in different OUs, but cannot unlock users belonging to the same group. Is this because Account Operators is a built-in group?
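
Account Operators is one of the groups whose members are protected by AdminSDHolder: the SDProp process stamps the AdminSDHolder DACL onto every member (adminCount=1) and blocks inheritance, and that DACL grants nothing to Account Operators or to OU-level delegations. The PowerShell below is an added example, not from the post: it lists the protected accounts in the domain, which protected group each one sits in, and whether SDProp has already applied the template. It assumes the ActiveDirectory module and read access to the domain.

```powershell
# Added example, not from the post: show which accounts are under AdminSDHolder
# protection, which protected group puts them there, and whether SDProp has
# already stamped the AdminSDHolder DACL onto them. Assumes the ActiveDirectory
# module and read access to the domain.
Import-Module ActiveDirectory -ErrorAction Stop

# Groups whose members (including nested) get adminCount=1 and the AdminSDHolder
# DACL, which grants nothing to Account Operators or to OU-level delegations.
$ProtectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
                   'Replicator', 'Domain Controllers', 'Read-only Domain Controllers'

function Get-AdDaclFingerprint {
    # Order-independent summary of the explicit (non-inherited) ACEs of an AD object.
    param([Parameter(Mandatory)]$Acl)
    ($Acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
            $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType
    } | Sort-Object) -join "`n"
}

function Get-ProtectedAccount {
    $domainDn = (Get-ADDomain).DistinguishedName
    $holderFp = Get-AdDaclFingerprint (Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn")

    # Map SID -> protected groups it belongs to (directly or nested), computed once.
    $protectedBy = @{}
    foreach ($g in $ProtectedGroups) {
        $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }
        foreach ($m in Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue) {
            $protectedBy[$m.SID.Value] += @($g)
        }
    }

    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            # Empty means adminCount=1 was left behind after removal from a protected
            # group (krbtgt is the expected exception: it is protected directly).
            ProtectedVia   = (@($protectedBy[$_.SID.Value]) -join ',')
            DaclIsHolder   = ((Get-AdDaclFingerprint $acl) -eq $holderFp)   # SDProp has run (hourly by default)
            InheritanceOff = $acl.AreAccessRulesProtected
        }
    }
}

Get-ProtectedAccount | Sort-Object SamAccountName | Format-Table -AutoSize
```

Two practical consequences follow from the output. Any helpdesk account that is itself in Account Operators shows up as protected, so helpdesk-to-helpdesk resets need a more privileged path by design. And because Account Operators can modify most other accounts in the domain and log on to domain controllers locally, the safer pattern for a helpdesk is an OU-scoped delegation of Reset Password and write to lockoutTime rather than membership in that built-in group.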

Restoring a demoted DC from backups from before the demotion


Hello!

I'm finding myself in a bit of a hassle. A customer had a DC running 2008 R2, an IIS server, a bunch of SQL instances, a file server with 3+ TB of data, print servers and a bunch of licensing software for CAD software all running on one server.

Early on I noticed that the AD DS role was acting up on the machine: users connected to this server would not get GPOs distributed nor the right permissions in the domain.

So we decided to split the server into several new ones, and then finally demote the server and remove it.

But due to the sheer number of things they had running on this machine, we appear to have missed a few things. However, this came to light only after we performed the DCPROMO demotion.

The issue seems to be that several pieces of software were installed with local accounts that aren't available anymore. Among these is accounting software that we were told was not used anymore. However, it turns out they still need it.

So my question here is: can I restore the server from backups to its pre-demotion state? My gut feeling says that this is a bad idea. However, is it possible to restore the VM from backups to a new host, disconnect the network, start it up, and stop replication to the remaining DCs in the domain?

If this is the case, my plan is to keep the machine running and have users access the web GUI for the software.

The "original" machine is also still not fully closed down due to remaining files waiting to be moved.

Thankful for any input on this!

Event ID 4 with replication and authentication failures


We have a Windows Server 2012R2 domain controller which generates the error below when attempting to connect to a working domain controller in AD:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server$. The target name used was ldap/server.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.LOCAL) is different from the client domain (domain.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Site replication is configured to a domain controller which generates the above error when it tries to establish a connection. This is resulting in replication not succeeding. The DC can connect to certain other DCs and not to others.

Repadmin /showreps generates:

******* 1 CONSECUTIVE FAILURES
Last error: 1396 (0x574):
            The target account name is incorrect.

Naming Context: DC=DomainDnsZones,DC=domain,DC=local
******* WARNING: KCC could not add this REPLICA LINK due to error.

This is also resulting in file share authentication failures to a second trusted domain.

Primary domain authentication for users is successful.

I've reset the faulty DC's computer account by running:

net stop kdc
klist purge
netdom resetpwd /server:workingDC.domain.local /userD:domain.local\DomainAdministrator /passwordD:*
net start kdc

That made no difference. 

I also started to build a second domain controller for the site, but when selecting the DC to replicate with during the promotion phase, the same errors appear as above, which led me to believe having a second DC wouldn't make a difference.

Any tips would be appreciated :/
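
KRB_AP_ERR_MODIFIED means the ticket the client presented was encrypted with a key the target service does not hold, and the event text already names the usual cause: the SPN the client asked for (ldap/server.domain.local) is registered on, or resolves to, an account other than the one the service runs as. The PowerShell below is an added example, not from the post: it finds every SPN registered on more than one account in the forest and lists everything registered for the host named in the event. It assumes the ActiveDirectory module; server.domain.local is the placeholder from the event.

```powershell
# Added example, not from the post: KRB_AP_ERR_MODIFIED usually means the SPN
# the client asked for resolved to a different account's key than the one the
# service holds, so first find SPNs registered on more than one account and
# everything registered for the host in the event. Assumes the ActiveDirectory
# module; server.domain.local is the placeholder from the event text.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DuplicateSpn {
    # Searches the global catalog so duplicates across the domains of the forest show up
    # (for a forest with several trees, run once per tree root).
    param([string]$GlobalCatalog = "$((Get-ADForest).RootDomain):3268")
    $bySpn = @{}
    Get-ADObject -Server $GlobalCatalog -SearchBase (Get-ADRootDSE).rootDomainNamingContext `
                 -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
      ForEach-Object {
        foreach ($spn in $_.servicePrincipalName) {
            $bySpn[$spn.ToLowerInvariant()] += @($_.DistinguishedName)   # SPN matching is case-insensitive
        }
      }
    $bySpn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ SPN = $_.Key; RegisteredOn = ($_.Value -join '; ') }
    }
}

function Get-SpnForHost {
    # Every account carrying an SPN that names this host, e.g. ldap/server.domain.local.
    param([Parameter(Mandatory)][string]$HostName,
          [string]$GlobalCatalog = "$((Get-ADForest).RootDomain):3268")
    Get-ADObject -Server $GlobalCatalog -SearchBase (Get-ADRootDSE).rootDomainNamingContext `
                 -LDAPFilter "(servicePrincipalName=*/$HostName*)" -Properties servicePrincipalName |
      Select-Object DistinguishedName, objectClass,
        @{ n = 'MatchingSPNs'; e = { ($_.servicePrincipalName | Where-Object { $_ -like "*/$HostName*" }) -join ', ' } }
}

Get-DuplicateSpn | Format-Table -AutoSize
Get-SpnForHost -HostName 'server.domain.local' | Format-Table -AutoSize
```

The same two checks are available from the command line as setspn -X (forest-wide duplicate report) and setspn -Q ldap/server.domain.local. The event text also mentions the case the script cannot see from one forest: an identically named computer account in the second, trusted domain, which is worth querying in that forest because the post reports file share authentication to it failing too.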

Managed By


HI

we have a scenario where every user logs in to only one PC:

user1: computer1

user2: computer2

1. When I set "Log On To" for a user, they can log in but are unable to log in to the mail server (OWA), and we have to add our Exchange server for the user.

2. When I set "Managed By" for the computer, it never works.

How can I do this?

Thank you in advance


Expire a certificate on a single computer


Hello,

We have enrolled a certificate to a group of computers. Now we want to expire the same certificate on a computer to test an application functionality. How can I expire the certificate?

Thank you
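
An issued certificate's validity period is signed by the CA and cannot be changed afterwards, so "expiring" the enrolled certificate on one machine is not something the store can do. What can be done for the test is to give that machine a throw-away certificate that expires within minutes, point the application at its thumbprint, and remove it afterwards. The PowerShell below is an added example, not from the post; the subject name and store are assumptions, and the -NotBefore/-NotAfter parameters of New-SelfSignedCertificate need Windows 10 / Server 2016 or later.

```powershell
# Added example, not from the post: an issued certificate's NotAfter cannot be
# changed, so to drive an application down its "certificate expired" path on
# one machine, issue it a throw-away certificate that expires in minutes, point
# the test at that thumbprint, and remove it afterwards. The subject and store
# are assumptions; -NotBefore/-NotAfter need Windows 10 / Server 2016 or later.
function New-ExpiringTestCert {
    param([string]$Subject = 'CN=expiry-test.example.invalid', [int]$ValidMinutes = 2)
    New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -NotBefore (Get-Date).AddMinutes(-1) `
        -NotAfter  (Get-Date).AddMinutes($ValidMinutes) `
        -KeyExportPolicy NonExportable
}

function Get-CertExpiryState {
    # What a validating application sees: expired once the clock passes NotAfter.
    param([Parameter(Mandatory)][string]$Thumbprint, [string]$Store = 'Cert:\LocalMachine\My')
    $c = Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $c) { throw "No certificate with thumbprint $Thumbprint in $Store" }
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        Expired    = ($c.NotAfter -lt (Get-Date))
        Remaining  = $c.NotAfter - (Get-Date)
    }
}

function Remove-TestCert {
    param([Parameter(Mandatory)][string]$Thumbprint)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint } | Remove-Item
}

$cert = New-ExpiringTestCert
Get-CertExpiryState -Thumbprint $cert.Thumbprint        # before NotAfter
Start-Sleep -Seconds (3 * 60)
Get-CertExpiryState -Thumbprint $cert.Thumbprint        # after NotAfter: exercise the application here
Remove-TestCert -Thumbprint $cert.Thumbprint
```

Two caveats a tester usually wants stated: do not move the system clock on a domain member to force expiry, because Kerberos rejects tickets outside the allowed skew and the whole machine stops authenticating; and if what you actually need to exercise is the revocation path, revoke the enrolled certificate on the CA instead (certutil -revoke <serial>), which is a different check from expiry in every client library.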

DSGetSiteName failed: Status = 1919 0x77f ERROR_NO_SITENAME


I have a large network with hundreds of subnets. Currently within AD Sites and Services the Default-First-Site-Name is the only site configured, without any subnets added, so in simple terms it is a default out-of-the-box configuration.

A colleague wanted to test site-aware group policies, so I configured a site based on his own subnet. My computer is on a different subnet; on running nltest /dsgetsite from a command prompt I receive

 DSGetSiteName failed: Status = 1919 0x77f ERROR_NO_SITENAME

So it looks like once you start specifying subnets in AD Sites and Services you have to add all the other subnets that you have on your network, or AD will consider that you only have the subnets you have configured. Am I correct?

thanks.
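
A client whose address matches no subnet object gets no site, and the DC that served it writes a NO_CLIENT_SITE record for it to %SystemRoot%\debug\netlogon.log. The PowerShell below is an added example, not from the post: Get-UnmappedClient parses those records and proposes a /24 per unmapped client, and Find-ADSubnet performs the same longest-prefix match AD uses so you can check any address against the subnet list before and after adding subnets. The log lines and subnet list in the block are constructed samples; the commented live calls need the ActiveDirectory module.

```powershell
# Added example, not from the post: two checks for the site-coverage question.
# Get-UnmappedClient parses NETLOGON's NO_CLIENT_SITE records (one per client
# whose address matches no AD subnet) and proposes /24s; Find-ADSubnet does the
# longest-prefix match AD performs for an IPv4 address. The log lines and the
# subnet list are constructed samples; the commented live calls need the
# ActiveDirectory module.
$SampleLog = @'
03/14 09:12:01 CONTOSO: NO_CLIENT_SITE: WKS0101 10.20.1.15
03/14 09:12:07 CONTOSO: NO_CLIENT_SITE: WKS0102 10.20.1.88
03/14 09:13:44 CONTOSO: NO_CLIENT_SITE: LT0417 10.31.7.4
03/14 09:14:02 CONTOSO: NO_CLIENT_SITE: LT0417 10.31.7.4
03/14 09:20:11 CONTOSO: DsGetDcName function called: client PID=1234, Dom:CONTOSO
'@ -split "`r?`n"

$SampleSubnets = @(
    [pscustomobject]@{ Name = '10.20.0.0/16';  Site = 'CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com' }
    [pscustomobject]@{ Name = '10.20.1.0/24';  Site = 'CN=HQ-Lab,CN=Sites,CN=Configuration,DC=contoso,DC=com' }
    [pscustomobject]@{ Name = '2001:db8::/32'; Site = 'CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com' }
)

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)][string]$IP)
    $b = ([ipaddress]$IP).GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Find-ADSubnet {
    # Longest matching IPv4 subnet for $IP, or $null when none covers it
    # (which is exactly when nltest /dsgetsite reports ERROR_NO_SITENAME).
    param([Parameter(Mandatory)][string]$IP, [Parameter(Mandatory)][object[]]$Subnets)
    $ipInt = ConvertTo-IPv4Int $IP
    $best  = $null
    foreach ($s in $Subnets) {
        if ($s.Name -match '^(?<net>\d{1,3}(\.\d{1,3}){3})/(?<len>\d{1,2})$') {   # IPv4 only; IPv6 subnets skipped
            $len  = [int]$Matches.len
            $net  = ConvertTo-IPv4Int $Matches.net
            $mask = [long]4294967295 - ([long][math]::Pow(2, 32 - $len) - 1)     # e.g. /24 -> 0xFFFFFF00
            if ((($ipInt -band $mask) -eq ($net -band $mask)) -and ($null -eq $best -or $len -gt $best.Len)) {
                $best = [pscustomobject]@{ Subnet = $s.Name; Site = (($s.Site -split ',')[0] -replace '^CN=', ''); Len = $len }
            }
        }
    }
    $best
}

function Get-UnmappedClient {
    param([Parameter(Mandatory)][string[]]$Lines)
    $re = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \S+: NO_CLIENT_SITE: (?<host>\S+) (?<ip>\d{1,3}(\.\d{1,3}){3})$'
    $seen = @{}
    foreach ($l in $Lines) {
        if ($l -match $re) {                       # keep the latest record per address
            $seen[$Matches.ip] = [pscustomobject]@{
                Client = $Matches.host; IP = $Matches.ip; LastSeen = $Matches.ts
                ProposedSubnet = ($Matches.ip -replace '\.\d+$', '.0/24')
            }
        }
    }
    $seen.Values | Sort-Object { [version]$_.IP }
}

Get-UnmappedClient $SampleLog | Format-Table -AutoSize
Find-ADSubnet -IP 10.20.1.15 -Subnets $SampleSubnets     # address inside two defined subnets
Find-ADSubnet -IP 10.31.7.4  -Subnets $SampleSubnets     # address outside every defined subnet
# Live: $subnets = Get-ADReplicationSubnet -Filter *
#       $log = Get-Content '\\DC01\admin$\debug\netlogon.log'
# Then, once the site for each proposed range is confirmed:
#       New-ADReplicationSubnet -Name 10.31.7.0/24 -Site <site>
```

Run the log parser against every DC, because each DC only logs the clients it served. The proposed /24 is a starting point for review, not something to create blindly: a client whose address is actually in a larger range that belongs to another site would be placed wrongly, which is worse than having no site at all.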

 

Need LDIF file for the following information - Need to create attribute "NTLMID" in existing user class


Please help me to get an LDIF file with the following details:

Class: user (existing class)

Attribute name I want to create: NTLMID (this is a new attribute)

Domain details:

dn: CN=NTLMID,CN=Schema,CN=Configuration,DC=infra,DC=jivehosted,DC=com


Thanks, Ram Ch
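
The LDIF for this is two operations: create the attributeSchema object, then add its lDAPDisplayName to the user class's mayContain, with a schemaUpdateNow between them so the second operation sees the first. The PowerShell below is an added example, not from the post: it generates that file for the DN given above. The OID is built the way Microsoft's oidgen script does it, from a GUID under the 1.2.840.113556.1.8000.2554 prefix Microsoft reserves for this purpose (use your organisation's own registered arc instead if you have one); that the attribute is a single-valued, indexed Unicode string is an assumption.

```powershell
# Added example, not from the post: generate the LDIF that creates NTLMID as a
# schema attribute and adds it to the user class as an optional attribute. The
# OID is built the way Microsoft's oidgen script does it, from a GUID under the
# 1.2.840.113556.1.8000.2554 prefix Microsoft reserves for this; use your own
# registered arc instead if you have one. That the attribute is a single-valued,
# indexed Unicode string is an assumption.
$SchemaNC = 'CN=Schema,CN=Configuration,DC=infra,DC=jivehosted,DC=com'

function New-SchemaOid {
    param([guid]$Guid = [guid]::NewGuid())
    # oidgen.vbs layout: the 32 hex digits split into 7 groups, each rendered in decimal.
    $hex   = $Guid.ToString('N')
    $parts = @(0..3, 4..7, 8..11, 12..15, 16..19, 20..25, 26..31) | ForEach-Object {
        [Convert]::ToInt64((-join $hex[$_]), 16)
    }
    '1.2.840.113556.1.8000.2554.' + ($parts -join '.')
}

function New-AttributeLdif {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$SchemaNC,
        [string]$Oid = (New-SchemaOid),
        [string]$TargetClass = 'User'        # cn of the classSchema object to extend
    )
    # schemaIDGUID must be supplied as base64, which is what the '::' LDIF separator denotes.
    $guidB64 = [Convert]::ToBase64String([guid]::NewGuid().ToByteArray())
    @"
dn: CN=$Name,$SchemaNC
changetype: add
objectClass: attributeSchema
cn: $Name
lDAPDisplayName: $Name
adminDisplayName: $Name
adminDescription: $Name (custom attribute)
attributeID: $Oid
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
schemaIDGUID:: $guidB64

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=$TargetClass,$SchemaNC
changetype: modify
add: mayContain
mayContain: $Name
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"@
}

New-AttributeLdif -Name 'NTLMID' -SchemaNC $SchemaNC | Set-Content -Path .\NTLMID.ldf -Encoding ASCII
# Import as a member of Schema Admins, against the schema master (-s), keeping a log (-j):
#   ldifde -i -f .\NTLMID.ldf -s <schema-master-fqdn> -j .
```

attributeSyntax 2.5.5.12 with oMSyntax 64 is the Unicode string syntax and searchFlags 1 asks for an index; change those if the value is something else. Test the file in a lab forest first: a schema change replicates forest-wide and cannot be undone, an attribute can only be made defunct later, and the name chosen here (NTLMID) cannot be renamed once created.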

SSO from remote as user from child domain?


I have an application that uses Windows authentication. We created several child domains, one for each department, and one root domain.

For example:

                   company.com

                      /           \

dep1.company.com   dep2.company.com

Each department has its own subnet and domain controller. The users did not actually join the domain. The computers are already in another domain from an independent organization and they only need to log in to the application with the logins provided by us from the corresponding child domain.
This looks something like this:

Sorry, can't add an image.
(https://social.technet.microsoft.com/Forums/getfile/1427308)

The remote user (user@contoso.com) has the credentials stored in Credential Manager in order to make SSO possible.

What I suspect is that the SQL server can't find the user@dep1.company.com account in the child domain. At least SQL shows an error in the event viewer:

SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.  [CLIENT: <named pipe>]

I double checked that every account exists, no account has been locked, and no password needs to be changed.

There are transitive trusts between the root domain and all child domains, and one between app.company.com and dep1.company.com.
I tried adding a foreign security principal
Added an alias in the SQL Native Client 11.0 Configuration
Added an ODBC Bridge client side
Altered the "Access this computer from the network" in the secpol.msc
Both server and application server have permission to delegate (AD -> Computer objects -> Delegation)

I found a lot online but nothing has worked for me. I am a lost sysadmin and have reached google page 2.
Any help is much appreciated.

Authentication between two untrusted domains


I have one client which has two sites.

Because of regulatory rules they can't create a VPN connection between the two sites, either site-to-site or VPN client.

They want to access some services, such as SharePoint, which are hosted in site A (the data center) from site B (the enterprise site, where the users are), with users of the Active Directory domain in site B.

Is there any way (maybe Active Directory Federation Services) to achieve this goal?

Regards,

DNS?


Hi All,

We have been having various incidents recently during our migration to a different domain.

Presently we have a European and a Global domain. The European one will be joining Global. New AD servers have been built in the Global domain; there are no replication issues. When we attempt to discover machines using the Quest tool we get RPC errors on some machines.

We have a two-way trust relationship and we have disabled SID filtering.

My question: on the domain controllers (Global), where should the DNS server IP address entries be pointing? At the moment I have the preferred pointing to the DC servers in Global and the alternate pointing to Europe. I am wondering if this is correctly set up?

Regards.

  

Windows Server 2016 CertSrv not created and missing


Hello,

I have a problem on a Windows 2016 DC. I installed IIS and after that the PKI and the roles Web Enrollment service and Network Device Enrollment Service.

The CA installed without any error, as did the Network Device Enrollment Service. The Web Enrollment service was installed and configured, but the virtual directory CertSrv is missing in IIS. The Network Device Enrollment service works, but Web Enrollment doesn't because the virtual directory is missing. IIS shows only "CertEnroll" under the Default Web Site, but no CertSrv entry.

I have now tried this twice (install/uninstall), but the virtual directory was not created. Is this a bug in Server 2016, and how do I manually create the virtual "CertSrv" directory?

The utility certutil -vroot does not help. If I run the tool the output says: virtual directory exists ... The tool completes successfully.

Any idea what I can do?


AADConnect User & Resource Forest Sync


User Forest: users.com (1000 enabled users)

Resource Forest: resources.com (200 enabled users, 800 linked mailboxes)

I need to sync (and merge) to Azure AD for Office 365.

AADConnect Import Rules Precedence should be:

P1: User Join (users.com) - source of authority
P2: User Join (resources.com)
P3: User Exchange (resources.com) - contains correct Exchange attributes
P4: User Exchange (users.com)

I need to also ensure Mail and Proxy attributes only come from Resource forest and aren't overwritten.

1. Can I simply set:

P5: User Common (resources.com)
P6: User Common (users.com)


My concern here is that UPN would come from resources.com instead of users.com (it is a User Common attribute).

2. Or do I simply remove the Mail and Proxy Attributes from User Common (users.com).

GPO NTFS permission replication problem

I am having issues where NTFS permissions on Group Policy templates (in SYSVOL) are not replicating to DC02 in my two-DC setup. When I modify the security filtering on a GPO (for example, add a user on the Scope tab) on DC02, it will immediately reflect the change on the GPT in SYSVOL on DC01, but not on the GPT in its own SYSVOL. However, if I modify the security filtering on a GPO on DC01, it will reflect the change on the GPT in SYSVOL on both servers.
i.e. any action started from DC01 triggers no problem. From DC02, if I create a new GPO, the folder will be replicated to SYSVOL on both servers, but if I modify the security filtering on this GPO, you will see the change has been made on both servers from the GUI; but when you check the actual NTFS permissions of the folder within SYSVOL, you will find the change has been replicated to DC01 while the NTFS permissions of this GPO on DC02 remain unchanged.

Both domain controllers are 2016, in the same AD site and on the same subnet, using DFSR for SYSVOL. There is no routing or firewall between these two servers. The DFSR log on both sheds no light; there are a few periodic RPC errors relating to "too busy to process" or "endpoint mapper". The system log sheds no light either. I have confirmed that AD replication is working with no issue and the permissions are replicated on the GPC in AD. Likewise, creating new folders in SYSVOL replicates instantly; it's just the permissions on the folder on DC02 (only when making the change from DC02). This is impacting the creation and editing of GPOs from DC02 as there are constantly mismatched permissions.
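
Security filtering is written to the GPC in AD and GPMC then mirrors it onto the GPT folder in SYSVOL, so the useful measurement is a per-GPO comparison of the GPT DACL on each DC against each other and against the trustees the GPC grants Read/Apply. The PowerShell below is an added example, not from the post: it walks every GPO and reports where the two DCs' GPT DACLs differ and which GPC trustees are missing from either GPT. It assumes the GroupPolicy and ActiveDirectory modules; DC01 and DC02 are the names used in the post.

```powershell
# Added example, not from the post: compare the NTFS DACL of each GPO's
# SYSVOL folder (the GPT) between two DCs and check that every trustee the GPC
# in AD grants Read/Apply to appears in both GPT DACLs. Assumes the GroupPolicy
# and ActiveDirectory modules; the DC names are those from the post.
Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop

function Get-NtfsDaclFingerprint {
    # Order-independent summary of the explicit (non-inherited) NTFS ACEs.
    param([Parameter(Mandatory)]$Acl)
    ($Acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights, $_.InheritanceFlags
    } | Sort-Object) -join "`n"
}

function Compare-GptAcl {
    param([Parameter(Mandatory)][string]$Dc1, [Parameter(Mandatory)][string]$Dc2)
    $domain = (Get-ADDomain).DNSRoot
    foreach ($gpo in Get-GPO -All) {
        $id = $gpo.Id.ToString('B').ToUpper()               # folder name under Policies
        $fp = @{}
        foreach ($dc in $Dc1, $Dc2) {
            $fp[$dc] = Get-NtfsDaclFingerprint (Get-Acl -LiteralPath "\\$dc\SYSVOL\$domain\Policies\$id")
        }
        $diff = Compare-Object ($fp[$Dc1] -split "`n") ($fp[$Dc2] -split "`n")

        # Trustees the GPC says may read/apply this GPO; each should appear in both GPT DACLs.
        $gpcTrustees = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -in 'GpoApply', 'GpoRead' } |
            ForEach-Object { $_.Trustee.Name }
        $missing = foreach ($dc in $Dc1, $Dc2) {
            foreach ($t in $gpcTrustees) {
                if ($fp[$dc] -notmatch [regex]::Escape($t)) { "$t missing on $dc" }
            }
        }

        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            Id       = $id
            GptMatch = (-not $diff)
            OnlyOn   = (($diff | ForEach-Object {
                           '{0}: {1}' -f $(if ($_.SideIndicator -eq '<=') { $Dc1 } else { $Dc2 }), $_.InputObject
                        }) -join '; ')
            GpcVsGpt = ($missing -join '; ')
        }
    }
}

Compare-GptAcl -Dc1 DC01 -Dc2 DC02 | Where-Object { -not $_.GptMatch -or $_.GpcVsGpt } | Format-List
```

With the symptom described above you would expect GptMatch to be false only for GPOs last edited from DC02, with the added trustee reported as missing on DC02 alone. Running the report again after the DFSR replication interval separates a GPT that merely lags from one whose DACL on DC02 was never written, which is the distinction the GUI hides because it reads the GPC.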

2003R2 AD upgrade to 2012

Hi!
I have tested migrating a Windows 2003 R2 Active Directory domain to Windows 2012 R2. Everything works fine until I promote the 2012 server to a domain controller. The first time the server boots up, Server Manager shows one error: the Software Protection service won't start because of access denied. After one more restart, the server goes crazy and shows six services that won't start: Software Protection, DPS, User Access Logging, DHCP Client, IP Helper and Network Location Awareness. Does anybody know why this happens? After I add NETWORK SERVICE and LOCAL SERVICE to the local Administrators group, everything works fine except DPS; for DPS to work I have to go into regedit and manually add permissions for the service. My second question is: is it safe for an Active Directory domain controller to add all the network and local services to the local Administrators group? What about viruses, ransomware and other malicious software that can use that permission? Please help if anyone knows something.
