Channel: Directory Services forum

Domain controllers replication issue


Hi,

I have two domain controllers that have been working for about two years. I also had another domain controller that had problems, and I disconnected it from the network and cleaned up its metadata from the other DCs. Yesterday, for some changes, I turned off the domain controllers, and after powering them on I saw that the additional DC cannot see the primary DC. Here is the error I got:

Active Directory Domain Services was unable to establish a connection with the global catalog. 
Additional Data 
Error value:
8430 The directory service encountered an internal failure. 
Internal ID:
3200db0 
User Action: 
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.
 

I can ping the domain controllers, but I cannot access the shared folders on them. Therefore, I was forced to remove the DNS server and re-install it again. Here is the DCDIAG result:

C:\Windows\system32>Dcdiag /test:checksecurityerror
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = SRV-additional
   [SRV-additional] Directory Binding Error 1722:
   The RPC server is unavailable.
   This may limit some of the tests that can be performed.
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\SRV-ADDITIONAL
      Starting test: Connectivity
         [SRV-ADDITIONAL] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... SRV-ADDITIONAL failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\SRV-ADDITIONAL
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : rsz
   Running enterprise tests on : rsz.local


Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 
Source domain controller: 
 SRV2 
Failing DNS host name: 
 352c21fa-a86d-4fc7-9a2b-a93345b5410d._msdcs.rsz.local 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 
Registry Path: 
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 
User Action: 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498. 
 2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
  dcdiag /test:dns 
 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 
  dcdiag /test:dns 
 5) For further analysis of DNS error failures see KB 824449: 
   http://support.microsoft.com/?kbid=824449 
Additional Data 
Error value: 
 11004 The requested name is valid, but no data of the requested type was found.

C:\Windows\system32>netdom /query fsmo
The RPC server is unavailable.
The command failed to complete successfully.

C:\Windows\system32>Repadmin /kcc childdc2
Repadmin can't connect to a "home server", because of the following error.  Try specifying a different home server with /homeserver:[dns name]
Error: An LDAP lookup operation failed with the following error:
    LDAP Error 81(0x51): Server Down
    Server Win32 Error 0(0x0):
    Extended Information:
C:\Windows\system32>NETDIAG Trust Relationship
'NETDIAG' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>NETDIAG
'NETDIAG' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>Repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\SRV-ADDITIONAL
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 03e194c8-f399-405c-b7a7-475375591d51
DSA invocationID: 220c4c6b-3636-4073-b51f-098a1211020c
==== INBOUND NEIGHBORS ======================================
DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:00 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        28 consecutive failure(s).
        Last success @ 2019-04-19 15:43:46.
CN=Configuration,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:25 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        28 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.
CN=Schema,CN=Configuration,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:51 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        28 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.
DC=DomainDnsZones,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:00 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        31 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.
DC=ForestDnsZones,DC=rsz,DC=local
    Default-First-Site-Name\SRV2 via RPC
        DSA object GUID: 352c21fa-a86d-4fc7-9a2b-a93345b5410d
        Last attempt @ 2019-04-20 10:17:00 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        31 consecutive failure(s).
        Last success @ 2019-04-19 15:27:05.

Any help would be appreciated. Thanks
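The two failures in the output above, the unresolvable `<DSA GUID>._msdcs` CNAME (error 11004) and the RPC bind failures (error 1722), can be checked from the console of the destination DC with the following script. It is an added example and not part of the original post; it assumes the RSAT ActiveDirectory, DnsClient and NetTCPIP modules (Windows Server 2012 R2 or later) and reuses the names from the post (rsz.local, SRV2, SRV-additional), which you would replace for another environment.

```powershell
# Added example, not from the original post: replication triage from the destination DC.
# Assumes RSAT ActiveDirectory + DnsClient + NetTCPIP modules; names come from the post.
Import-Module ActiveDirectory

$Server = $env:COMPUTERNAME                 # query the local DC so this works while partners are down
$Forest = (Get-ADForest -Server $Server).RootDomain   # rsz.local in the post

# The DNS server this DC's own resolver points at. A DC whose resolver points at a
# dead or unreachable DC fails exactly like the event text above.
$Resolver = (Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses.Count -gt 0 } |
             Select-Object -First 1).ServerAddresses[0]

$Report = foreach ($Dc in Get-ADDomainController -Filter * -Server $Server) {
    # Every DC registers <objectGUID of its NTDS Settings object>._msdcs.<forest> as a
    # CNAME. That is the "Failing DNS host name" in the event; if it does not resolve,
    # partners cannot locate the source DC. A DC whose metadata was not fully cleaned
    # up shows here as UNRESOLVED too.
    $DsaGuid = (Get-ADObject -Identity $Dc.NTDSSettingsObjectDN -Server $Server).ObjectGUID
    $Cname   = "$DsaGuid._msdcs.$Forest"
    $Target  = try   { (Resolve-DnsName -Name $Cname -Type CNAME -Server $Resolver -ErrorAction Stop).NameHost }
               catch { 'UNRESOLVED' }

    # RPC endpoint mapper (135), LDAP (389) and SMB (445, the shares the poster could
    # not reach). 135 closed or filtered is the usual source of error 1722.
    $Ports = foreach ($Port in 135, 389, 445) {
        $Ok = (Test-NetConnection -ComputerName $Dc.HostName -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1}' -f $Port, $Ok
    }

    [pscustomobject]@{
        DC          = $Dc.HostName
        IsGC        = $Dc.IsGlobalCatalog
        DsaCname    = $Cname
        CnameTarget = $Target
        Ports       = $Ports -join ' '
    }
}
$Report | Format-Table -AutoSize

# Same failure data as "repadmin /showrepl" above, but filtered to failing links.
repadmin /showrepl /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status' |
    Format-Table -AutoSize
```

Read the table with the event text in mind: a DC with `UNRESOLVED` needs its `_msdcs` CNAME re-registered (restarting the Netlogon service on that DC does this) or its metadata removed if it is the DC that was pulled from the network; a DC whose CNAME resolves but whose `135:False` indicates the RPC path is blocked, which matches the "check your firewall settings" hint in the DCDIAG output.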



Active Directory issue


I have Windows Server 2012 Standard and I configured AD for our organization. Before, it worked very well, but for the last 10 days, when I join Win10 or Win8 to the domain controller it's not joining and the below message appears:

(The specified domain does not exist or could not be contacted.)

I need your help in this regard.

creating a trust relationship in a lab environment


Guys,

I am stuck in my lab. I have 2 different hypervisors (VMware and VirtualBox). I want to connect my 2 test domains through a trust, but I can't figure out how (I do know where the create-a-trust console is, of course). Also, I was thinking, shouldn't I first create a site-to-site VPN?

Can anyone help me with this? Should I create a VPN first, and how do I create a trust between 2 different hypervisors?

Both networks have a Microsoft server (stand-alone) router as their gateway.

Many, many thanks.



Global Catalog Server

Can we search the objects of other domains through the global catalog if the other domains are shut down? Does this process happen in the background, where the Global Catalog first searches for the object in its index and then sends the query to the object's domain? What if the object's domain is shut down in this case?

Additional Domain Controller for DR site


Hi All,

I would like to seek your assistance on our plan to add a domain controller for our DR site. May I know what the requirements and prerequisites are, and the things I need to configure after promoting my domain controller? The role of this additional domain controller is to replicate the primary domain controller. If possible, please guide me in a step-by-step format. Thank you!

Also, can I control/limit/schedule the transfer rate? Thanks!

Regards,
Pao

Chrome Single Sign on not working correctly.


Hi Everyone 

I have an odd one for you all. 

We migrated to O365 for SharePoint and Outlook; however, the new core corporate system was designed for Chrome, so this has become the default browser for most users.

This has led to the following issue:

When users on the corporate network try to sign into the corporate SharePoint, they are prompted to select their user name from the list; it then signs them in as expected.

We are getting a lot of complaints about this, as we have moved our corporate intranet to SharePoint and this opens when Chrome opens, so users are getting prompted 2 or 3 times a day.

We thought adding Chrome to WIA would work, but this hasn't resolved the issue.

(Worth noting: we have found a workaround. If I sign the user in on an external network they get the "do you want to reduce the number of times you sign in" prompt; if you click yes, this caches the token and they no longer get prompted externally or on the corporate network. For us it isn't ideal, as I have 2,500 desktop users with no access to an external network.)

So I need a method of either fixing Chrome or forcing the reduce sign-ins prompt for all users.

Thanks in Advance 

 

Services won't start after promotion

Hi!
I have tested migrating a Win2003R2 Active Directory domain to Win 2012R2. Everything works fine until I promote the 2012 server as a domain controller. The first time the server boots up, Server Manager shows 1 error: the Software Protection service won't start because it can't... it says access denied. After one more restart, the server goes crazy and shows 6 services that won't start: Software Protection, DPS, User Access Logging, DHCP Client, IP Helper and Network Location Awareness. Does anybody know why this happens? After I add Network Service and Local Service to the local admin group, everything works fine except DPS; for DPS to work I have to open regedit and manually add permissions for the service. My second question is: is it safe for an Active Directory controller to add all Network and Local Services to the local admin group? What about viruses, ransomware and other malicious software that can use that permission? Please help if anyone knows something.

Event ID 4 with replication and authentication failures


We have a Windows Server 2012R2 domain controller which generates the error below when attempting to connect to a working domain controller in AD:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server$. The target name used was ldap/server.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.LOCAL) is different from the client domain (domain.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Site replication is configured to a domain controller which generates the above error when it tries to establish a connection. This is resulting in replication not succeeding. The DC can connect to certain other DCs and not to others.

Repadmin /showreps generates:

******* 1 CONSECUTIVE FAILURES
Last error: 1396 (0x574):
            The target account name is incorrect.

Naming Context: DC=DomainDnsZones,DC=domain,DC=local
******* WARNING: KCC could not add this REPLICA LINK due to error.

This is also resulting in file share authentication failures to a second trusted domain.

Primary domain authentication for users is successful.

I've reset the faulty DC's computer account by running:

net stop kdc
klist purge
netdom resetpwd /server:workingDC.domain.local /userD:domain.local\DomainAdministrator /passwordD:*
net start kdc

That made no difference. 

I also started to build a second domain controller for the site, but when selecting the DC to replicate with during the promotion phase, the same errors appear as above, which led me to believe having a second DC wouldn't make a difference.

Any tips would be appreciated :/
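The event text quoted above names two conditions that produce KRB_AP_ERR_MODIFIED: the SPN registered on an account other than the target service's account, and the target service's account password differing from what the KDC holds. Both can be checked from PowerShell before rebuilding anything. This is an added example, not part of the post; it uses the placeholder names from the post (server, domain.local, workingDC.domain.local) and assumes the RSAT ActiveDirectory module and `setspn.exe`.

```powershell
# Added example, not from the original post: duplicate-SPN and password-sync checks
# for a DC that fails with KRB_AP_ERR_MODIFIED / error 1396. Placeholder names from the post.
Import-Module ActiveDirectory

$FaultyDc  = 'server'                   # computer account named in the event
$TargetSpn = 'ldap/server.domain.local' # target name used by the Kerberos client
$Domain    = 'domain.local'

# 1. Which accounts hold the SPN? Exactly one (the DC's own computer account) is correct.
$Holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)" `
                 -Properties servicePrincipalName -Server $Domain)
$Holders | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
if ($Holders.Count -ne 1) {
    Write-Warning "SPN $TargetSpn is held by $($Holders.Count) objects; the KDC may issue a ticket for the wrong key"
}

# Forest-wide duplicate scan with the built-in tool (prints only duplicates).
setspn -X -F

# 2. Does every KDC agree on the DC's computer-account password? pwdLastSet and the key
#    version number (kvno) must match on all writable DCs. A DC that never received the
#    netdom resetpwd change keeps the old key and rejects tickets encrypted with the new one.
$Rows = foreach ($Kdc in Get-ADDomainController -Filter * -Server $Domain) {
    try {
        $Acct = Get-ADComputer -Identity $FaultyDc -Server $Kdc.HostName `
                    -Properties pwdLastSet, 'msDS-KeyVersionNumber' -ErrorAction Stop
        [pscustomobject]@{
            KDC        = $Kdc.HostName
            PwdLastSet = [DateTime]::FromFileTime($Acct.pwdLastSet)
            Kvno       = $Acct.'msDS-KeyVersionNumber'
        }
    } catch {
        [pscustomobject]@{ KDC = $Kdc.HostName; PwdLastSet = 'UNREACHABLE'; Kvno = $_.Exception.Message }
    }
}
$Rows | Format-Table -AutoSize
```

If the holders list is fine but `PwdLastSet`/`Kvno` differ between DCs, the reset only reached `workingDC` and the DCs still holding the old value are the ones that fail; replication has to be repaired in that direction first. If both checks pass, the last condition in the event text remains: a second computer account named `server` in the trusted domain, which the same `Get-ADObject` query with `-Server` pointed at that domain will reveal.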


Multi-Forest Domains and DNS Lookup


I am literally beating my head against a wall right now. 


I have two forest domains with a cross-forest trust. The issue is that if Server A belongs to Domain A and tries to do a lookup on an IP in Domain B, it will not resolve. So I put in conditional forwarders for two servers in Domain B; still not fixed.


How are people doing this? Am I going to have to make manual records in reverse lookup conditional forwarders for this to work?
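A conditional forwarder for `domainb.com` only covers names under that suffix; a reverse lookup of an address is a PTR query in the `in-addr.arpa` tree, which no forward-zone forwarder matches, so the reverse zone for Domain B's address space needs its own forwarder (or a stub/secondary zone). The following is an added example, not from the post; `domainb.com`, the DNS server addresses and the `10.50.0.0/16` range are constructed placeholders, and it assumes the DnsServer module on a Domain A DNS server.

```powershell
# Added example, not from the original post: conditional forwarders for both the forward
# zone and the reverse (in-addr.arpa) zone of a trusted forest. Placeholder names/addresses.
Import-Module DnsServer

$DomainB    = 'domainb.com'
$DomainBDns = '192.0.2.10', '192.0.2.11'   # Domain B DNS servers (placeholders)
$DomainBNet = '10.50.0.0/16'                # Domain B address range (placeholder)

function Get-ReverseZoneName {
    # Builds the in-addr.arpa zone name for a /8, /16 or /24 range, e.g. 10.50.0.0/16 -> 50.10.in-addr.arpa
    param([string]$Cidr)
    $Address, $Prefix = $Cidr -split '/'
    $Count  = [int]$Prefix / 8
    if ($Count -notin 1, 2, 3) { throw "Only /8, /16 and /24 ranges map to a single reverse zone: $Cidr" }
    $Octets = ($Address -split '\.')[0..($Count - 1)]
    [array]::Reverse($Octets)
    return ($Octets -join '.') + '.in-addr.arpa'
}

$RevZone = Get-ReverseZoneName -Cidr $DomainBNet

# One forwarder for names, one for addresses. ReplicationScope Forest stores them in
# AD so every DNS-integrated DC in Domain A gets them without per-server configuration.
foreach ($Zone in $DomainB, $RevZone) {
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $DomainBDns -ReplicationScope Forest
        Write-Host "Added conditional forwarder for $Zone"
    }
}

# Verify: a PTR query for an address in Domain B now follows the reverse-zone forwarder.
Resolve-DnsName -Name '20.1.50.10.in-addr.arpa' -Type PTR -Server localhost
```

If Domain B's address space is split across many /24s, a stub zone (`Add-DnsServerStubZone`) for the parent `in-addr.arpa` zone Domain B hosts is less to maintain than one forwarder per subnet; either way, nothing has to be created by hand in Domain A for each host, the records stay authoritative in Domain B.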

How to use AD password policy to restrict some characters of login password


Dear Support, 

Could we use AD password policy to restrict the users using some pattern of characters as the login password (e.g. Company Name)?

Thanks!

Best Regards, 

Daniel

Sending Windows Events to a Linux Syslog Server


I am trying to configure Windows domain controllers to send all events to a Linux syslog server (syslog-ng). I configured the Subscription Manager group policy to point to the URL of the syslog server on port 5985, but it is not working. I have tried entering the Root and Intermediate thumbprints in the value of the subscription manager connection string.

I am getting this error in the Event Viewer under "Eventlog-ForwardingPlugin":

The forwarder is having a problem communicating with subscription manager at address http://xxxxxxxx-xxx.xxxxxxxxxxxxns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="XXXXXXXX.xxxxxxxx.com"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>.

Somehow, I don't think it is a certificate issue at this point.

AADConnect User & Resource Forest Sync


User Forest: users.com (1000 enabled users)

Resource Forest: resources.com (200 enabled users, 800 linked mailboxes)

I need to sync (and merge) to Azure AD for Office 365.

AADConnect Import Rules Precedence should be:

P1: User Join (users.com) - source of authority
P2: User Join (resources.com)
P3: User Exchange (resources.com) - contains correct Exchange attributes
P4: User Exchange (users.com)

I need to also ensure Mail and Proxy attributes only come from Resource forest and aren't overwritten.

1. Can I simply set:

P5: User Common (resources.com)
P6: User Common (users.com)


My concern here is that UPN would come from resources.com instead of users.com (it is a User Common attribute).

2. Or do I simply remove the Mail and Proxy Attributes from User Common (users.com).

Microsoft network client: Digitally sign communications (always) set to Enabled


Hi

We are in the process of hardening Windows 2016 domain controllers. What are the precautions we need to take before applying the setting 'Microsoft network client: Digitally sign communications (always)' set to Enabled? Do we need to configure the server side as well if we enable the client setting, i.e. 'Microsoft network server: Digitally sign communications (always)' set to Enabled?

Thanks in advance


LMS
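The two policies named above map to registry values under the LanmanWorkstation (client) and LanmanServer (server) service keys, and the SMB cmdlets expose the same state, so the effective setting on every DC can be read before and after the hardening GPO lands. The following is an added example, not from the post; it assumes WinRM to the DCs and the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post: report effective SMB signing settings on all DCs.
# Assumes WinRM access to the DCs and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Policy name -> registry value it controls (both 'always' = Require..., 'if ... agrees' = Enable...).
$Settings = @(
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature' },
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'EnableSecuritySignature' },
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value = 'RequireSecuritySignature' },
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value = 'EnableSecuritySignature' }
)

$Dcs = (Get-ADDomainController -Filter *).HostName

$Report = Invoke-Command -ComputerName $Dcs -ArgumentList (, $Settings) -ScriptBlock {
    param($Settings)
    foreach ($S in $Settings) {
        $Raw   = (Get-ItemProperty -Path $S.Key -Name $S.Value -ErrorAction SilentlyContinue).($S.Value)
        $State = if ($null -eq $Raw) { 'not set (OS default)' } else { [bool]$Raw }
        [pscustomobject]@{ Policy = $S.Policy; State = $State }
    }
    # The SMB cmdlets show what the services are actually enforcing. A registry value
    # that differs from these means the GPO applied but the service has not picked it up yet.
    $Cli = Get-SmbClientConfiguration
    $Srv = Get-SmbServerConfiguration
    [pscustomobject]@{ Policy = 'SMB client effective (Require/Enable)'; State = "$($Cli.RequireSecuritySignature)/$($Cli.EnableSecuritySignature)" }
    [pscustomobject]@{ Policy = 'SMB server effective (Require/Enable)'; State = "$($Srv.RequireSecuritySignature)/$($Srv.EnableSecuritySignature)" }
}

$Report | Sort-Object PSComputerName, Policy |
    Format-Table PSComputerName, Policy, State -AutoSize
```

Two things the report makes visible: the server-side "always" setting is already Enabled on domain controllers by the Default Domain Controllers Policy, so enabling the client-side "always" setting does not require a matching server change on the DCs themselves. The client-side setting governs connections the DC makes as an SMB client, so before enabling it, inventory whatever the DCs reach over SMB (file servers, backup targets, appliances); any endpoint that cannot sign, such as an SMB1-only device, stops working for the DC once the setting is Enabled.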

Bginfo and active directory attributes


Hello,

As you know, BGInfo is used to put computer and user information on the desktop background wallpaper of standalone workstations or domain users.

I'm thinking about whether I can add some of the user's AD attributes to the user desktops, like their "employeeID".

How can I get BGInfo to sync those attributes from the user's AD account?

I hope you can help me.
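BGInfo does not query Active Directory itself, but a custom field can read a registry value, so a user logon script that copies the attributes from the signed-in user's AD object into HKCU gives BGInfo something to display. The following is an added example, not from the post; the registry path `HKCU:\Software\Contoso\BgInfo` and the attribute list are constructed placeholders, and it needs no RSAT on the workstation because it uses the ADSystemInfo COM object and ADSI.

```powershell
# Added example, not from the original post: logon script that stores AD user attributes
# in HKCU for BGInfo "Registry value" custom fields. Placeholder key path and attributes.
$Attributes = 'employeeID', 'department', 'title'
$RegPath    = 'HKCU:\Software\Contoso\BgInfo'   # placeholder; point the BGInfo custom field here

function Update-BgInfoAttributes {
    param([string[]]$Attributes, [string]$RegPath)

    # ADSystemInfo has no type library, so its UserName property is read via reflection.
    # It returns the DN of the logged-on user, which ADSI can bind to directly.
    $Sys    = New-Object -ComObject ADSystemInfo
    $UserDn = $Sys.GetType().InvokeMember('UserName', 'GetProperty', $null, $Sys, $null)
    $User   = [ADSI]"LDAP://$UserDn"

    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }

    $Written = @{}
    foreach ($Attr in $Attributes) {
        # Get() throws for an attribute that is not set on the object; store an empty
        # string so BGInfo shows a blank rather than a stale value from a previous logon.
        $Value = try { [string]$User.Get($Attr) } catch { '' }
        Set-ItemProperty -Path $RegPath -Name $Attr -Value $Value -Type String
        $Written[$Attr] = $Value
    }
    return $Written
}

Update-BgInfoAttributes -Attributes $Attributes -RegPath $RegPath
```

Deploy it as a user logon script (Group Policy, User Configuration > Windows Settings > Scripts), then in BGInfo choose Custom > New, type "Registry value", and enter `HKEY_CURRENT_USER\Software\Contoso\BgInfo\employeeID`; BGInfo rereads the value each time it refreshes the wallpaper, so the field stays in step with AD as of the last logon.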


visualizing a specific OU structure


Hello, I have been trying to visualize a specific OU structure, without exporting the information from Exchange, by using Visio.

Is there a tool or a script that can pull the information into a CSV file or a text file that can be imported into Visio?

I want to pull personal information and who the manager of that person is.
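The data Visio's Organization Chart Wizard needs is a flat table with one row per person and a column naming the person they report to; the `manager` attribute in AD is a distinguished name, so the export has to translate it to the identifier used in the other rows. The following is an added example, not from the post; the OU distinguished name and output path are constructed placeholders, and it assumes the RSAT ActiveDirectory module (the wizard lets you map which columns are Name, Reports_To and Unique_ID).

```powershell
# Added example, not from the original post: export users of one OU with their managers
# to a CSV for Visio's Organization Chart Wizard. Placeholder OU and output path.
Import-Module ActiveDirectory

function Export-OuOrgChart {
    param(
        [string]$SearchBase = 'OU=Sales,DC=contoso,DC=com',              # placeholder OU
        [string]$Path       = "$env:USERPROFILE\Desktop\orgchart.csv"    # placeholder output
    )

    $Users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                 -Properties DisplayName, Title, Department, Manager

    # DN -> sAMAccountName for everyone in the export, so Reports_To can reference them.
    $InScope = @{}
    foreach ($U in $Users) { $InScope[$U.DistinguishedName] = $U.SamAccountName }

    $ManagerCache = @{}
    $Rows = foreach ($U in $Users) {
        $ReportsTo = ''
        $ExternalManager = ''
        if ($U.Manager) {
            if ($InScope.ContainsKey($U.Manager)) {
                $ReportsTo = $InScope[$U.Manager]
            } else {
                # Manager sits outside the OU: record the name for reference but leave
                # Reports_To empty, so the wizard does not point at a node that is not in the file.
                if (-not $ManagerCache.ContainsKey($U.Manager)) {
                    $ManagerCache[$U.Manager] = try {
                        (Get-ADUser -Identity $U.Manager -Properties DisplayName).DisplayName
                    } catch { $U.Manager }
                }
                $ExternalManager = $ManagerCache[$U.Manager]
            }
        }
        $Display = if ($U.DisplayName) { $U.DisplayName } else { $U.Name }
        [pscustomobject]@{
            Unique_ID        = $U.SamAccountName
            Name             = $Display
            Title            = $U.Title
            Department       = $U.Department
            Reports_To       = $ReportsTo
            External_Manager = $ExternalManager
        }
    }

    $Rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    return $Rows
}

Export-OuOrgChart | Format-Table -AutoSize
```

Rows with an empty `Reports_To` become top-level boxes in the chart; the `External_Manager` column tells you which of those actually report to someone outside the OU, which is the usual reason a departmental chart has more than one root.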




Kerberos issue with Jenkins windows slaves



I've been trying to figure out the differences between testa01 (success) and testa02 (failure), and it looks like testa02 doesn't have Kerberos set up properly.

 

In testa01 when I visit jenkins.factset.com(or is.factset.com) as svc-hudson I am authenticated properly. However, in testa02 I get prompted for credentials.

 

I can also see Kerberos errors in the Event Viewer after enabling Kerberos event logging in testa02.

Kindly let us know how to resolve the issue.

We are receiving Event 3 Security-Kerberos continuously in the logs.

Name Suffix Routing shows Conflict


We have multiple domains and forests in our environment, connected with two-way trusts. We are in the process of consolidating all the domains into a single domain, single forest. Our on-prem AD objects are synced with Azure through AD Connect.

Our main domain is xxxx.pri. Right now we are moving all users and machines from the yyyy.com domain to xxxx.pri. We would like to retain the users' UPN @yyyy.com. When we add yyyy.com as a suffix in AD Domains and Trusts, the trust breaks between xxxx.pri and yyyy.com.

Users see the below error while connecting to xxxx.pri domain servers.

"The Security System detected an authentication error for the server. The failure code from authentication protocol Kerberos was “The name or SID of the domain specified is inconsistent with the trust information for that domain."

 

Name Suffix Routing shows a conflict with the yyyy.com domain.


Microsoft Active Directory Certificate Service


Hi

I have some question on Active Directory Certificate Service:

Currently, we have a hierarchical PKI in our organization, the root of which uses Microsoft Server 2003. Now we want to migrate and build another parallel hierarchy, using Windows Server 2016 for the new root CA. But we want to set up an interoperability relationship between these two hierarchies. We are thinking of using a CTL or one-way cross-certification, but we are not sure which one is more suitable for our situation. What is your suggestion?

My other question is about including Extended Validation and Friendly Name properties in my new standalone root CA's certificate, which will be set up on Windows Server 2016. We have tried different ways to include these properties by using CApolicy.inf, but we have not made any progress so far. Could you please help us and tell me how we can do this?

Native tools for monitoring elevated group memberships ?

Any recommendations on native tools for monitoring elevated group memberships?
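Two native sources cover this: the Security log on the domain controllers, which records every addition to or removal from a security group (events 4728/4729 for global, 4732/4733 for local and 4756/4757 for universal groups), and the directory itself, where the groups protected by AdminSDHolder carry `adminCount=1` and can be baselined and compared. The following is an added example, not part of the post; it assumes the RSAT ActiveDirectory module, WinRM to the DCs, and "Audit Security Group Management" enabled on them (it is on by default through the Default Domain Controllers Policy), and the baseline file path is a constructed placeholder.

```powershell
# Added example, not from the original post: privileged-group change events from the DCs
# plus a baseline diff of adminCount=1 groups. Placeholder baseline path.
Import-Module ActiveDirectory

$GroupEvents = @{
    4728 = 'member added to global group';    4729 = 'member removed from global group'
    4732 = 'member added to local group';     4733 = 'member removed from local group'
    4756 = 'member added to universal group'; 4757 = 'member removed from universal group'
}

function Get-PrivilegedGroupChange {
    # Group-membership change events from every DC since $Since (default: last 24 hours).
    param([datetime]$Since = (Get-Date).AddDays(-1))
    foreach ($Dc in (Get-ADDomainController -Filter *).HostName) {
        $Events = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = @($GroupEvents.Keys); StartTime = $Since }
        foreach ($E in $Events) {
            # Read fields by name from the event XML rather than by Properties index.
            $Data = @{}
            ([xml]$E.ToXml()).Event.EventData.Data | ForEach-Object { $Data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time   = $E.TimeCreated
                DC     = $Dc
                Action = $GroupEvents[[int]$E.Id]
                Group  = $Data['TargetUserName']
                Member = $Data['MemberName']
                Actor  = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
            }
        }
    }
}

function Compare-PrivilegedGroupBaseline {
    # Snapshot the recursive membership of all adminCount=1 groups and diff it against the
    # previous snapshot; catches changes made while auditing was off or logs were cleared.
    param([string]$BaselinePath = "$env:ProgramData\PrivGroupBaseline.json")   # placeholder
    $Current = foreach ($G in Get-ADGroup -LDAPFilter '(adminCount=1)') {
        foreach ($M in Get-ADGroupMember -Identity $G -Recursive -ErrorAction SilentlyContinue) {
            '{0}|{1}' -f $G.Name, $M.distinguishedName
        }
    }
    $Changes = @()
    if (Test-Path $BaselinePath) {
        $Baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
        $Changes = foreach ($D in Compare-Object -ReferenceObject @($Baseline) -DifferenceObject @($Current)) {
            $Group, $Member = $D.InputObject -split '\|', 2
            $Kind = if ($D.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            [pscustomobject]@{ Change = $Kind; Group = $Group; Member = $Member }
        }
    }
    ConvertTo-Json -InputObject @($Current) | Set-Content $BaselinePath
    return $Changes
}

Get-PrivilegedGroupChange            | Format-Table -AutoSize
Compare-PrivilegedGroupBaseline      | Format-Table -AutoSize
```

Run both on a schedule and alert on any output: the event query shows who made a change and from which DC, while the baseline diff is the safety net for anything the logs missed, including members added to nested groups that `Get-ADGroupMember -Recursive` expands but a single 4728 event on the parent group never mentions.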

managed by

Hi,

We have a scenario where every user logs in to only one PC:

user1: computer1

user2: computer2

1. When we set "log on to" for a user, they can log in but are unable to log in to the mail server (OWA), and we have to add our Exchange server for the user.

2. When we set "managed by" for the computer, that never works.

How can I do this?

Thank you in advance.
