Channel: Directory Services forum

Replication access denied


Hi Support,

We have two Windows 2012 Standard DCs.

We did not make any recent changes.

When we checked replication today we saw the error below:

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\AD1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 653b6bb0-39bc-4610-a4a7-b08248b940d6
DSA invocationID: 86a9e6b9-5f25-47f9-9147-3d8a13a108f1

DsBindWithCred to localhost failed with status 5 (0x5):
    Access is denied.

The other DC, AD2, is fine. That DC has inbound replication from the problematic DC. AD2 is the primary DC.

Please let me know how I should troubleshoot this.


Azure AD Connect - Which Is The Authoritative Side?

We recently activated SSO using the Azure AD Connect tool and it appears that only the local AD is authoritative. In other words, if I change a password in the O365 Admin, it does NOT sync with the local AD, so there's no longer any SSO. However, if I change it in the local AD, it does sync to the cloud. Have I got something misconfigured, or is the sync only one way by design: from Local > O365?

Art Cabot Director, Information Technology Sizemore, Inc.

Should Hybrid joined computers allow login with UPN first


Hi, I'm looking to understand whether hybrid domain joined computers should be able to log on with the user's UPN in the first instance when there is no direct line of sight to an on-premises domain controller.

We have examples at our organisation where a user is permanently based offsite and we wish to send them a brand new computer that they have not logged onto before. Currently we either ask them to come and collect the computer and log onto it before taking it away, or we set them up with a local account (we really want to move away from this option).

We have implemented hybrid domain joined computers as we cannot move away from group policy at this stage, but none of our hybrid domain joined computers allow UPN login when there is no line of sight to a domain controller. Is this normal behaviour?

Note: UPN logon does work if there is line of sight to a domain controller, and with a locally cached username.

Getting 4776 Events Saying Account does not exists on IIS server


Hi Guys,

We have been getting 4776 events (status 0xc0000064) on our IIS server stating that the account does not exist, for multiple users.

But the AD accounts actually exist, and there are no issues with the AD accounts either.

On the same server I can see successful logon events for the same users; I don't understand why this is happening.

Please help me with this...

Successful logon event 4624 for the same user account on the same server:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:             3

New Logon:
    Security ID:        xxxxxxxxxxx
    Account Name:       xxxxxxxxxxx
    Account Domain:     xxxxxxxxxxx
    Logon ID:           0x2d7af6a6e
    Logon GUID:         {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:         0x0
    Process Name:       -

Network Information:
    Workstation Name:           xxxxxxxxxxxx
    Source Network Address:     xx.xx.xx.xx
    Source Port:                58480

Detailed Authentication Information:
    Logon Process:              NtLmSsp
    Authentication Package:     NTLM
    Transited Services:         -
    Package Name (NTLM only):   NTLM V2
    Key Length:                 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


Active Directory Migration

About AD domain migration, the source environment is 2008R2 and the target environment is 2016. Can I use ADMT to migrate in both versions?

Script to check if the "Use root hints if no forwarders are available" option is selected for a set of servers


Hello Team,

Can someone please let me know if there is a script to check whether the option "Use root hints if no forwarders are available" is enabled for a set of servers.


Paramesh KA
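One way to script the check asked for above, as an added PowerShell example that is not part of the original post: Get-DnsServerForwarder (DnsServer module, RSAT) exposes the "Use root hints if no forwarders are available" setting as its UseRootHint property, so the script queries each server remotely and reports the value alongside the configured forwarders. The server names are placeholders; the example assumes the DnsServer module is installed locally and that the running account has remote management rights on each DNS server.

```powershell
# Added example (not from the original post): report the UseRootHint setting
# for a list of DNS servers. Server names below are placeholders.
$servers = @('dns01.example.com', 'dns02.example.com')

$report = foreach ($s in $servers) {
    try {
        $fwd = Get-DnsServerForwarder -ComputerName $s -ErrorAction Stop
        [pscustomobject]@{
            Server      = $s
            Forwarders  = ($fwd.IPAddress -join ', ')
            UseRootHint = $fwd.UseRootHint   # $true = falls back to root hints
            Status      = 'OK'
        }
    }
    catch {
        # Keep unreachable servers in the report instead of dropping them.
        [pscustomobject]@{
            Server      = $s
            Forwarders  = $null
            UseRootHint = $null
            Status      = "Error: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

# Servers that will go to the Internet root servers directly when every
# forwarder is unreachable; useful when policy requires all recursion to
# leave through the forwarders.
$report | Where-Object { $_.UseRootHint -eq $true } | Select-Object Server, Forwarders
```

The same report can be exported with Export-Csv for auditing; rows with a non-OK Status should be re-run rather than read as "disabled".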

forgot outlook pst file password

Is there a safe PST password tool/site? I have $100,000s of lost product keys and business data in older emails with a forgotten password! HELP!!!!

Active Directory Users


We have two different AD DS in our company. The first is for the domain client user login (abc.com) and the second is for the Exchange mail service (xyz.com). We currently have approximately 500 users in our company. We have created users in both domains for their specific purpose. Now we want to remove the first domain (abc.com) from our company permanently and use a single domain (xyz.com). We already have the Exchange mail users created in our second domain.

Now, can I use the same user created in xyz.com for mail services and domain user login also? Or do I need to create all the users for client login again?

If not, does it affect the mail service after using the same user for logging on to the client computer?

What about the groups for assigning security since I have created only distribution groups for the mail services in the second domain(xyz.com)?

Can you please help me?

Thank You



AD FS Server 2012 R2 Question


Hi

I have setup ADFS on 2012R2 with a Web Application Proxy Server (WAP).  I have published 2 apps.  

1. Claims based app - works fine

2. Non-claims app - Kerberos in IIS to a standard website

On the non-claims-aware app it authenticates fine but just shows a blank page. The URL shows as the web page followed by /?authToken=eyJ0eX........

I have set the WAP to be domain joined as per MS documentation but just can't seem to get the site to work through ADFS.

Am I missing something basic?

Thanks

Raising Functional Level From Windows 2000 to Something Current


I have a single domain with AD running on a Server 2008 R2 virtual machine but at a Windows 2000 functional level (because that's what it was 20 years ago when we first created it). Now I'd like to sync my on-premises AD with Azure AD using the free service, so I need to raise the AD level. All our servers are either Server 2008 R2, Server 2012 or Server 2016, with the exception of one older machine (only used for DHCP at this point) that's running Server 2003.

Right-clicking my domain in Active Directory shows that I can Raise it as high as Server 2008.  Is there any downside to doing this or any "gotchas" that I need to be aware of?


Art Cabot Director, Information Technology Sizemore, Inc.

move the users/groups/service account along with permission from one forest (domain xyz.com) to another forest (Domain abc.com)


We are looking to move the users/groups/service accounts along with permissions from one forest (domain xyz.com) to another forest (domain abc.com).

We have a one-way trust between the abc.com and xyz.com domains. Users/groups and service accounts exist in xyz.com and access the resources of abc.com (like file server (shared folder), Citrix profile (roaming, terminal and folder redirection)).

All users' data exists in the abc.com domain. Hence we are looking to move the users/groups/service accounts and computer accounts into the ABC.com domain without losing access to existing resources.

As of now users are accessing the resources in ABC.com as below.

1-     Workstation is joined to xyz.com (which needs to be moved into abc.com)

2-     Users log in to the xyz.com domain (users exist in xyz.com and the profile path (roaming, terminal, and redirected folder) is configured via group policy as \\abc.com\dfs\...........)

3-     Users log in to the Citrix server (all Citrix servers/file server/storage are in ABC.com) and access their resources.

Looking for some guidance here for a seamless movement.

domain form 2008 to 2012


When I transferred the domain I transferred all 5 roles:

C:\Users\administrator.bbb>netdom query fsmo
Schema master               pdc2012.bbb.AC
Domain naming master        pdc2012.bbb.AC
PDC                         pdc2012.bbb.AC
RID pool manager            pdc2012.bbb.AC
Infrastructure master       pdc2012.bbb.AC
The command completed successfully.

but dcdiag shows:

  Running enterprise tests on : bbb.AC
    Test omitted by user request: DNS
    Test omitted by user request: DNS
    Starting test: LocatorCheck
       GC Name: \\2008-ADD.bbb.AC
       Locator Flags: 0xe00031fc
       PDC Name: \\pdc2012.bbb.AC
       Locator Flags: 0xe000f1fd
       Time Server Name: \\2008-ADD.bbb.AC
       Locator Flags: 0xe00031fc
       Preferred Time Server Name: \\2008-ADD.bbb.AC
       Locator Flags: 0xe00031fc
       KDC Name: \\2008-ADD.bbb.AC
       Locator Flags: 0xe00031fc
       ......................... bbb.AC passed test LocatorCheck
    Starting test: Intersite
       Skipping site Default-First-Site-Name, this site is outside the scope
       provided by the command line arguments provided.
       ......................... bbb.AC passed test Intersite


Why are the GC and time server still on the 2008 DC? I can't delete the 2008 server; when I disable the 2008 server's network card my domain goes down.

question about SYSVOL Replication from FRS to DFSR


I only have 2 DCs with win server 2008, and the rest are 2016.

I need to migrate SYSVOL replication from FRS to DFSR, and I wonder if I can postpone this migration until I have demoted all the DCs with Win Server 2008.

dcdiag does not show any specific issue, only the following:

        Base Object:
            Base Object Description: "DC Account Object"
             Value Object Attribute Name: msDFSR-ComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

which can be fixed by migrating to DFSR as explained here, right?

https://support.microsoft.com/en-us/help/2512643/dcdiag-exe-e-or-a-or-c-expected-errors

I'm not sure what type of issue might happen while migrating SYSVOL?

The security database on the server does not have a computer account for this workstation trust relationship

I'm doing some work for a company and we're having an issue. I've recently created a domain controller running Server 2019 and added it to the domain. With the new one, we now have 2 domain servers. The short story is that the owner of the company wanted to change the computer name for the new domain controller. We removed a dash from the name (that's what he wanted changed) and restarted the server, and now I'm unable to log into the server. The message I get is the one stated in the title. Any help is greatly appreciated.

Set forest level doesn't match what it apparently is


I have a test environment setup.

I had a 2008 DC, 2008 R2 DC, and a 2012 R2 DC.

I had to manually remove the 2008 DC from AD, added a 2nd 2008 server with same name to domain, raised it to a DC, then demoted that with dcpromo, and then removed it from AD properly (had to do this due to exchange).

I raised the forest level to 2008 R2.

However, when running the below cmdlet, it still says the forest is 2008. How do I fix this? Setting the level via powershell doesn't help either.

Get-ADForest | select forestmode
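A way to see where the discrepancy described above actually lives, as an added PowerShell example that is not part of the original post: the forest functional level is stored as msDS-Behavior-Version on the CN=Partitions container in the Configuration partition, and each DC's rootDSE reports forestFunctionality as that DC currently sees it. Querying both values on every DC shows whether the raise replicated everywhere or whether one DC (for example the one Get-ADForest happened to talk to) still holds the old value. The example assumes the ActiveDirectory module and that the running account can read the Configuration partition on each DC; the numeric values are the documented ones (3 = Windows Server 2008, 4 = 2008 R2, 5 = 2012, 6 = 2012 R2).

```powershell
# Added example (not from the original post): report the forest functional
# level as stored and as seen on each domain controller in the forest.
Import-Module ActiveDirectory

# Collect every DC across all domains of the forest.
$dcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$report = foreach ($dc in $dcs) {
    try {
        $root = Get-ADRootDSE -Server $dc.HostName -ErrorAction Stop
        $partitions = Get-ADObject -Server $dc.HostName -ErrorAction Stop `
            -Identity "CN=Partitions,$($root.configurationNamingContext)" `
            -Properties 'msDS-Behavior-Version'
        [pscustomobject]@{
            DC                  = $dc.HostName
            ForestFunctionality = $root.forestFunctionality     # as this DC sees it
            PartitionsVersion   = $partitions.'msDS-Behavior-Version'  # stored value (3=2008, 4=2008 R2, ...)
        }
    }
    catch {
        [pscustomobject]@{
            DC                  = $dc.HostName
            ForestFunctionality = "Error: $($_.Exception.Message)"
            PartitionsVersion   = $null
        }
    }
}

$report | Format-Table -AutoSize

# A mismatch between DCs means the Configuration partition has not converged;
# repadmin /syncall /AdeP on the DC where the level was raised pushes it out.
$report | Group-Object PartitionsVersion | Select-Object Count, Name
```

If every DC agrees on the new value but Get-ADForest still shows the old one, check which DC that cmdlet bound to (Get-ADForest -Server <dc>) rather than assuming the raise failed.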


VM DC restore


Hi,

I am writing a document for a disaster recovery for our DC's.

We have 2 Server 2019 Hyper-V hosts and each has 1 VM DC. We back up each DC with Backup Exec and the Hyper-V agent.

My question is: how do I recover the VM DC that has the 5 FSMO roles?

I understand that because we are using Hyper-V higher than 2012 and the VM DC is also 2012 R2, we can just restore the VM DC and there is no issue with the Generation ID. Is this correct? Or do we still have to do a non-authoritative restore of the DC with the FSMO roles?

 


Shahin

How to restrict access to certain attribute in Active Directory for Global Address List ( Outlook)


He would like to add some personal employee information in Active Directory which should be accessible by only a few users in the Outlook GAL on their phones. At present all telephone numbers and mobile phones are available to everyone when you search for a user via the contact list on an iPhone. Once we add employees' home addresses we want only a few people to have access to that info when they search for the same person(s) via the GAL on their mobile or desktop Outlook contact list.


Richard Ojel...

Restoring Deleted Active Directory Object


Dear Support,

Can we restore a deleted Active Directory object without restarting the Domain Controller? If yes, please share the details of how to do this.

OS : Windows Server 2008


R!t@$#

Issue with ADUC


I have a server I spun up in our production environment, installed ADDS and DNS and made into a DC and did a manual repadmin sync of AD. I then moved the DC into an isolated network for the purpose of creating a test environment. I have DNS pointing to itself and seized all FSMO roles for the forest. Now when opening ADUC I am getting the error...

"The configuration information describing this enterprise is not available. The specified domain either does not exist or could not be contacted."

I am also getting this error....

"Naming information cannot be located because the specified domain either does not exist or could not be contacted."

I have done this before and after seizing the FSMO roles the DC worked with no issues. Do I need to let the server sit in the production network after installing ADDS for more sync time or what could I be missing? Any help is much appreciated!

Thanks.


Chad Guiney

Active Directory Domain Services Configuration Wizard Script


Hello,

When installing AD, almost at the end one gets a script, the so-called Active Directory DSC script. One can even view the script. Is it somehow possible to see this script after closing the ADDS configuration GUI?

many thanks.
