Channel: Directory Services forum

Got error while checking LDAP and RPC connectivity. Please check your firewall settings


Hi,

I have a single Domain Controller; 30 machines are not able to contact the server. I then checked Internet access on the Directory Server and was not able to browse the Internet through it. Then I ran dcdiag /fix and got the following errors. I have checked the network interface too, but I am still unable to resolve the issue.

Other machines connected to the Directory Server are getting Internet access.

Other errors from the NETLOGON service: Event 5722

The session setup from the computer WS-15 failed to authenticate. The name(s) of the account(s) referenced in the security database is WS-15$.  The following error occurred: Access is denied.

DistributedCOM: Event 10016

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

C:\Windows\system32>dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = ADServer2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         The host a5062caf-4ee7-400f-a70d-9e4d8e84e0f0._msdcs.ad.xxxx.com could not be resolved to an IP address. Check the DNS server, DHCP, server name,
         etc.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... ADSERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Skipping all tests, because server ADSERVER2 is not responding to directory service requests.


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ad
      Starting test: CheckSDRefDom
         ......................... ad passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ad passed test CrossRefValidation

   Running enterprise tests on : ad.vinformax.com
      Starting test: LocatorCheck
         ......................... ad.xxxx.com passed test LocatorCheck
      Starting test: Intersite
         ......................... ad.xxxx.com passed test Intersite

Kindly help me to sort out the issue.

Regards,

D.Nithyananthan.


Thanks & Regards, D.Nithyananthan.
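
The dcdiag output above points at three separate things: the DSA GUID CNAME in _msdcs that could not be resolved, the TCP ports behind "Got error while checking LDAP and RPC connectivity", and (via NETLOGON 5722) the workstation WS-15$ whose machine-account secure channel is failing. The following PowerShell is an added example, not code from the original post; its defaults are the names and GUID taken from the post, and it assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection.

```powershell
# Added example, not part of the original post. Defaults are taken from the dcdiag output above;
# run it on a machine that should be able to reach the DC (step 5 on the affected workstation).
param(
    [string]$DcName  = 'ADSERVER2',
    [string]$Forest  = 'ad.xxxx.com',
    [string]$DsaGuid = 'a5062caf-4ee7-400f-a70d-9e4d8e84e0f0'
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [string]$Result) {
    $results.Add([pscustomobject]@{ Check = $Check; Result = $Result })
}

# 1. The CNAME dcdiag could not resolve. Replication partners locate a DC by <DSA GUID>._msdcs.<forest>,
#    so it must exist and point at the DC's host record.
$cname = "$DsaGuid._msdcs.$Forest"
try {
    $rr = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop
    Add-Result "CNAME $cname" ("OK -> " + (($rr | Where-Object Type -eq 'CNAME').NameHost -join ', '))
} catch { Add-Result "CNAME $cname" "FAIL: $($_.Exception.Message)" }

# 2. Locator SRV records clients need to find the DC at all.
foreach ($srv in "_ldap._tcp.dc._msdcs.$Forest", "_kerberos._tcp.dc._msdcs.$Forest") {
    try {
        $rr = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop
        Add-Result "SRV $srv" ("OK -> " + (($rr | Where-Object Type -eq 'SRV').NameTarget -join ', '))
    } catch { Add-Result "SRV $srv" "FAIL: $($_.Exception.Message)" }
}

# 3. Ports behind "LDAP and RPC connectivity": Kerberos 88, RPC endpoint mapper 135, LDAP 389,
#    SMB 445, LDAPS 636, GC 3268. The dynamic RPC range (49152-65535 on 2008 and later) must be
#    open as well, but a single-port probe cannot prove that.
foreach ($port in 88, 135, 389, 445, 636, 3268) {
    $tcp = Test-NetConnection -ComputerName $DcName -Port $port -WarningAction SilentlyContinue
    Add-Result "TCP ${DcName}:${port}" $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'BLOCKED or closed' })
}

# 4. Does LDAP answer at all? This is what "not responding to directory service requests" means.
try {
    $rootDse = [ADSI]"LDAP://$DcName/RootDSE"
    Add-Result 'RootDSE bind' "OK, dnsHostName=$($rootDse.dnsHostName)"
} catch { Add-Result 'RootDSE bind' "FAIL: $($_.Exception.Message)" }

# 5. NETLOGON 5722 "WS-15$ ... Access is denied" is the workstation's machine-account secure channel
#    failing (typically the computer password out of sync). Run this part on the workstation itself.
if ($env:COMPUTERNAME -ne $DcName) {
    $ok = Test-ComputerSecureChannel -Server $DcName
    Add-Result 'Secure channel' $(if ($ok) { 'OK' } else { 'BROKEN: run Test-ComputerSecureChannel -Repair -Credential (Get-Credential) on the workstation' })
}

$results | Format-Table -AutoSize
```

If step 1 or 2 fails while the DC is the only DNS server, the fix is on the DC's DNS (the _msdcs zone and the DC's own NIC pointing at itself); if step 3 shows blocked ports while the DC's Windows Firewall is on, the domain profile is not being applied to the DC, which also explains why the DC itself cannot reach out. The 10016 DCOM event in the post is unrelated noise on most builds.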


restrict domain joining for particular windows 10 OS version


Hi Team,

How can I restrict domain joining for a particular Windows 10 OS version, like Windows 10 Education?

Apart from the Windows 10 Enterprise edition, I need to deny the other Windows 10 OS versions.

Regards,

Yogesh
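
There is no built-in policy that keys the join on the client's edition. As an added example (not from the post), the usual practitioner approach is to stop self-service joins with ms-DS-MachineAccountQuota, so only explicitly delegated staff can join machines, and then to audit what is already joined by the operatingSystem attribute. It assumes the ActiveDirectory module and write rights on the domain object; the operatingSystem value is written by the client itself, so this is an inventory control, not a security boundary.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and rights to modify the domain object.
Import-Module ActiveDirectory

# 1. Stop self-service joins: with the quota at 0, only identities granted "Create Computer objects"
#    on an OU can join a machine, which is where the edition can be checked by a person.
$domain = Get-ADDomain
Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Find already-joined computers whose self-reported edition is not Windows 10 Enterprise.
$offenders = Get-ADComputer -Filter 'operatingSystem -like "Windows 10*"' `
        -Properties operatingSystem, operatingSystemVersion, whenCreated |
    Where-Object { $_.operatingSystem -ne 'Windows 10 Enterprise' }

$offenders | Select-Object Name, operatingSystem, operatingSystemVersion, whenCreated | Format-Table -AutoSize

# 3. Disable them. -WhatIf only reports; remove it to act. operatingSystem is self-reported by the
#    client, so a renamed edition would slip through: treat this as inventory, not enforcement.
$offenders | Disable-ADAccount -WhatIf
```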

Lost And Found Folder in Active Directory


We have a central management console which works with Active Directory. We enumerate users/computers/groups etc. and use them inside our console for applying policy. Is it a good idea to consider the "Lost And Found" folder a valid group just like the other containers?

-- Vikram

AD Delegation


Dear All,

I delegated a user to reset domain user passwords and modify their properties. He can do his tasks on the majority of domain users but not on others. I checked those users and they are members of a security group "technical support", which has the privilege to do remote desktop on domain computers and is also a member of Domain Computers. All members of that group have adminCount 1, and as I understand it, even if I remove this value it will be added back after an hour. I added that user to the same group "technical support" and he has adminCount 1, but still he can't reset any member of that group. Inheritance is disabled for those users as well; I enabled it, but it was disabled again. Is there any way to let that user reset all members of that group?

Thank You
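
The behaviour described (adminCount returning to 1, inheritance re-disabled within an hour) is the AdminSDHolder/SDProp mechanism: every member of a protected group gets the ACL of CN=AdminSDHolder,CN=System stamped on it hourly, with inheritance blocked, so delegation on the OU never reaches those users. The following PowerShell is an added example, not code from the post: it finds which protected group "technical support" is nested in, lists who carries the stamp, shows what AdminSDHolder already grants for password reset, and performs the cleanup after the group has been taken out of the protected parent. `$apply` is a hypothetical switch; the group name is the one in the post. Putting the helpdesk user's ACE on AdminSDHolder instead would let him reset Domain Admins too, which is a domain-takeover path, so the example deliberately does not do that.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory
$apply   = $false            # hypothetical switch: set to $true to perform the cleanup in step 4
$domain  = Get-ADDomain
$holder  = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$tsGroup = Get-ADGroup 'technical support'

# Default protected groups; their members inherit adminCount=1 and the AdminSDHolder ACL every hour.
$protected = 'Administrators', 'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
             'Replicator', 'Domain Admins', 'Domain Controllers', 'Schema Admins', 'Enterprise Admins',
             'Read-only Domain Controllers'

# 1. Which protected groups is "technical support" nested in, directly or transitively?
#    (1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN, i.e. follow nesting.)
$parents  = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($tsGroup.DistinguishedName))"
$culprits = $parents | Where-Object { $protected -contains $_.Name }
"Protected parents of '$($tsGroup.Name)': " + ($culprits.Name -join ', ')

# 2. Members that carry the stamp.
$stamped = Get-ADGroupMember $tsGroup -Recursive | Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties adminCount | Where-Object adminCount -eq 1
"Stamped users: " + ($stamped.SamAccountName -join ', ')

# 3. What AdminSDHolder already grants for password reset (User-Force-Change-Password control access
#    right, GUID 00299570-246d-11d0-a768-00aa006e0529). Any ACE added here applies to EVERY protected
#    account, Domain Admins included, so do not delegate the helpdesk this way.
(Get-Acl "AD:\$holder").Access |
    Where-Object { $_.ObjectType -eq [guid]'00299570-246d-11d0-a768-00aa006e0529' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights

# 4. Cleanup once the group has been removed from the parent(s) found in step 1. SDProp never undoes
#    its stamp, so clear adminCount and re-enable inheritance so the OU delegation applies again.
if ($apply) {
    foreach ($u in $stamped) {
        Set-ADUser -Identity $u.DistinguishedName -Clear adminCount
        $acl = Get-Acl "AD:\$($u.DistinguishedName)"
        $acl.SetAccessRuleProtection($false, $true)   # inherit again; keep existing explicit ACEs
        Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
    }
}
```

If step 1 shows the group nested under, say, Account Operators or Print Operators, that membership is what grants "remote desktop on domain computers" in the post only by accident; the remote desktop right belongs in a Restricted Groups / Remote Desktop Users policy, not in a protected group.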

Deny Interactive Logon to a group


Hi,

I have a need to deny a certain group of users interactive logon to computers while at the same time those users must be still granted "RunAs" and "Run as a Service". Basically, I want to deny authentication using the GINA.

As I understand that the GPO setting "Deny log on locally" cannot achieve that, what alternative do we have?

Thank you


PM

path to become expert in Active Directory


Hello Team,

I am new to Active Directory, so I want to ask what the path is to learn Active Directory and get certified in it.

I also want to know what prerequisites are required to learn Active Directory.

Regards,

Vipin

Forest Trust Relationships


Hello

In our organization we have configured a 2-way forest trust relationship between 2 forests (ForestA and ForestB) with Transitive mode "Yes"; Name Suffix Routing is properly set.

When checking the trust validation, the following window appears:

Checking with nltest /dclist:DomainB also gives a list of DCs in DomainB.

ForestA contains two child domains, child1.ForestA and child2.ForestA. ForestB doesn't have a child domain.

Adding an account from ForestB to a Domain Local group in ForestA succeeds. But when we try to add an account from ForestB to a Domain Local group in child1.ForestA, it gives the error window below:

 

P.S. Conditional forwarders are configured properly; all FQDNs of DomainB resolve successfully.


DCPromo error: The wizard cannot gain access to the list of domains in the forest


Hello folks,

I can't promote a member server to be a DC. This server was not even able to be added to the domain; I got that taken care of by offline join (djoin). I'm able to ping/nslookup any other DC, DNS, domain name, forest name, etc.

Please see the C:\Windows\debug\dcpromoui.log and the screenshot

dcpromoui 810.E14 0000 14:49:10.837 opening log file C:\Windows\debug\dcpromoui.log
dcpromoui 810.E14 0001 14:49:10.837 C:\Windows\system32\wsmprovhost.exe
dcpromoui 810.E14 0002 14:49:10.837 file timestamp 08/22/2013 04:03:07.107
dcpromoui 810.E14 0003 14:49:10.838 C:\Windows\system32\dcpromocmd.dll
dcpromoui 810.E14 0004 14:49:10.838 file timestamp 11/03/2014 09:01:41.277
dcpromoui 810.E14 0005 14:49:10.838 local time 11/05/2014 14:49:10.838
dcpromoui 810.E14 0006 14:49:10.838 running Windows NT 6.3 build 9600  (BuildLab:9600.winblue_r3.140827-1500) amd64
dcpromoui 810.E14 0007 14:49:10.838 logging flags 0001007C
dcpromoui 810.E14 0008 14:49:10.838 Enter GetExistingAccountForComputerInReplicaDomain
dcpromoui 810.E14 0009 14:49:10.838   START TEST: GetExistingAccountForComputerInReplicaDomain
dcpromoui 810.E14 000A 14:49:10.838   Enter Computer::RemoveLeadingBackslashes 
dcpromoui 810.E14 000B 14:49:10.838   Using empty constructor
dcpromoui 810.E14 000C 14:49:10.838   Enter Computer::Refresh
dcpromoui 810.E14 000D 14:49:10.838     Enter IsLocalComputer
dcpromoui 810.E14 000E 14:49:10.838     Enter RefreshLocalInformation
dcpromoui 810.E14 000F 14:49:10.838     Enter GetProductTypeFromRegistry
dcpromoui 810.E14 0010 14:49:10.838       Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui 810.E14 0011 14:49:10.838       Enter RegistryKey::GetValue-String ProductType
dcpromoui 810.E14 0012 14:49:10.838       ServerNT
dcpromoui 810.E14 0013 14:49:10.839       prodtype : 0x3
dcpromoui 810.E14 0014 14:49:10.839     Enter GetSafebootOption
dcpromoui 810.E14 0015 14:49:10.839       Enter RegistryKey::Open System\CurrentControlSet\Control\SafeBoot\Option
dcpromoui 810.E14 0016 14:49:10.839       HRESULT = 0x80070002
dcpromoui 810.E14 0017 14:49:10.839       returning : 0x0
dcpromoui 810.E14 0018 14:49:10.839     Enter DetermineRoleAndMembership
dcpromoui 810.E14 0019 14:49:10.839       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 001A 14:49:10.839         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 810.E14 001B 14:49:10.839           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 001C 14:49:10.839           lpServer  : (null)
dcpromoui 810.E14 001D 14:49:10.839           InfoLevel : 0x1 (DsRolePrimaryDomainInfoBasic)
dcpromoui 810.E14 001E 14:49:10.839           HRESULT = 0x00000000
dcpromoui 810.E14 001F 14:49:10.839         MachineRole      : 0x3
dcpromoui 810.E14 0020 14:49:10.839         Flags            : 0x1000000
dcpromoui 810.E14 0021 14:49:10.839         DomainNameFlat   : Houston
dcpromoui 810.E14 0022 14:49:10.839         DomainNameDns    : Houston.contoso.com
dcpromoui 810.E14 0023 14:49:10.839         DomainForestName : contoso.com
dcpromoui 810.E14 0024 14:49:10.839       Enter IsDcInRepairMode
dcpromoui 810.E14 0025 14:49:10.839   HRESULT = 0x00000000
dcpromoui 810.E14 0026 14:49:10.839   Enter State::DetermineRunContext
dcpromoui 810.E14 0027 14:49:10.839     Enter DS::GetPriorServerRole
dcpromoui 810.E14 0028 14:49:10.839       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 0029 14:49:10.839         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 810.E14 002A 14:49:10.839           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 810.E14 002B 14:49:10.839           lpServer  : (null)
dcpromoui 810.E14 002C 14:49:10.839           InfoLevel : 0x2 (DsRoleUpgradeStatus)
dcpromoui 810.E14 002D 14:49:10.840           HRESULT = 0x00000000
dcpromoui 810.E14 002E 14:49:10.840         OperationState      : 0
dcpromoui 810.E14 002F 14:49:10.840         PreviousServerState : 0
dcpromoui 810.E14 0030 14:49:10.840     Enter Computer::GetNetbiosName
dcpromoui 810.E14 0031 14:49:10.840       USSLCRODC101
dcpromoui 810.E14 0032 14:49:10.840     Enter Computer::GetRole USSLCRODC101
dcpromoui 810.E14 0033 14:49:10.840       role: 3
dcpromoui 810.E14 0034 14:49:10.840     NT5_MEMBER_SERVER
dcpromoui 810.E14 0035 14:49:10.840   Enter State::GetRunContext NT5_MEMBER_SERVER
dcpromoui 810.E14 0036 14:49:10.840   Enter FS::GetPathSyntax C:\Windows\system32
dcpromoui 810.E14 0037 14:49:10.840   HRESULT = 0x00000000
dcpromoui 810.E14 0038 14:49:10.840   Enter State::SetMode STAGETWO
dcpromoui 810.E14 0039 14:49:10.840   Enter State::SetOperation REPLICA
dcpromoui 810.E14 003A 14:49:10.840   Enter GetCredentialsFunctInternal
dcpromoui 810.E14 003B 14:49:10.840     Enter ShouldSkipCredentialsPage
dcpromoui 810.E14 003C 14:49:10.840       Enter State::GetOperation REPLICA
dcpromoui 810.E14 003D 14:49:10.840     using empty user domain name
dcpromoui 810.E14 003E 14:49:10.840     Enter State::GetOperation REPLICA
dcpromoui 810.E14 003F 14:49:10.840     Enter GetForestName Houston.contoso.com
dcpromoui 810.E14 0040 14:49:10.840       Enter MyDsGetDcName
dcpromoui 810.E14 0041 14:49:10.840         Enter MyDsGetDcName2
dcpromoui 810.E14 0042 14:49:10.840           Calling DsGetDcName
dcpromoui 810.E14 0043 14:49:10.840           ComputerName : (null)
dcpromoui 810.E14 0044 14:49:10.840           DomainName   : Houston.contoso.com
dcpromoui 810.E14 0045 14:49:10.840           DomainGuid   : (null)
dcpromoui 810.E14 0046 14:49:10.840           SiteName     : (null)
dcpromoui 810.E14 0047 14:49:10.840           Flags        : 0x40000000
dcpromoui 810.E14 0048 14:49:10.841           HRESULT = 0x00000000
dcpromoui 810.E14 0049 14:49:10.842           DomainControllerName    : \\USHOUDC100.Houston.contoso.com
dcpromoui 810.E14 004A 14:49:10.842           DomainControllerAddress : \\10.131.18.10
dcpromoui 810.E14 004B 14:49:10.842           DomainGuid              : {DD7C193F-9912-4E8F-A310-EA750D8329D4}
dcpromoui 810.E14 004C 14:49:10.842           DomainName              : Houston.contoso.com
dcpromoui 810.E14 004D 14:49:10.842           DnsForestName           : contoso.com
dcpromoui 810.E14 004E 14:49:10.842           Flags                   : 0xE000F1FD:
dcpromoui 810.E14 004F 14:49:10.842           DcSiteName              : USHouston
dcpromoui 810.E14 0050 14:49:10.842           ClientSiteName          : USSaltLakeCity
dcpromoui 810.E14 0051 14:49:10.842     using forest name contoso.com
dcpromoui 810.E14 0052 14:49:10.842     Enter State::GetOperation REPLICA
dcpromoui 810.E14 0053 14:49:10.842     Enter State::SetForestName contoso.com
dcpromoui 810.E14 0054 14:49:10.842     Enter State::SetTargetDomainName Houston.contoso.com
dcpromoui 810.E14 0055 14:49:10.842     Enter CheckUserIsLocal
dcpromoui 810.E14 0056 14:49:10.842     Enter State::GetOperation REPLICA
dcpromoui 810.E14 0057 14:49:10.842     Enter State::ReadDomains
dcpromoui 810.E14 0058 14:49:10.842       Enter State::GetTargetDomainName
dcpromoui 810.E14 0059 14:49:10.842         Enter State::GetOperation REPLICA
dcpromoui 810.E14 005A 14:49:10.842         target domain name: Houston.contoso.com
dcpromoui 810.E14 005B 14:49:10.842       Enter CDomains::ReadDomains
dcpromoui 810.E14 005C 14:49:10.842         Enter MyDsEnumerateDomainTrusts
dcpromoui 810.E14 005D 14:49:10.842           Enter GetDcName
dcpromoui 810.E14 005E 14:49:10.842             Enter GetDcName2
dcpromoui 810.E14 005F 14:49:10.842               Enter MyDsGetDcName2
dcpromoui 810.E14 0060 14:49:10.842                 Calling DsGetDcName
dcpromoui 810.E14 0061 14:49:10.842                 ComputerName : (null)
dcpromoui 810.E14 0062 14:49:10.842                 DomainName   : Houston.contoso.com
dcpromoui 810.E14 0063 14:49:10.842                 DomainGuid   : (null)
dcpromoui 810.E14 0064 14:49:10.842                 SiteName     : (null)
dcpromoui 810.E14 0065 14:49:10.842                 Flags        : 0x40000011
dcpromoui 810.E14 0066 14:49:11.020                 HRESULT = 0x00000000
dcpromoui 810.E14 0067 14:49:11.020                 DomainControllerName    : \\ushoudc102.Houston.contoso.com
dcpromoui 810.E14 0068 14:49:11.020                 DomainControllerAddress : \\10.131.18.12
dcpromoui 810.E14 0069 14:49:11.020                 DomainGuid              : {DD7C193F-9912-4E8F-A310-EA750D8329D4}
dcpromoui 810.E14 006A 14:49:11.020                 DomainName              : Houston.contoso.com
dcpromoui 810.E14 006B 14:49:11.020                 DnsForestName           : contoso.com
dcpromoui 810.E14 006C 14:49:11.020                 Flags                   : 0xE000F1FC:
dcpromoui 810.E14 006D 14:49:11.020                 DcSiteName              : USHouston
dcpromoui 810.E14 006E 14:49:11.020                 ClientSiteName          : USSaltLakeCity
dcpromoui 810.E14 006F 14:49:11.020               Enter Computer::RemoveLeadingBackslashes \\ushoudc102.Houston.contoso.com
dcpromoui 810.E14 0070 14:49:11.020               ushoudc102.Houston.contoso.com
dcpromoui 810.E14 0071 14:49:11.020           Enter AutoWNetConnection::Init
dcpromoui 810.E14 0072 14:49:11.020             Enter AutoWNetConnection::CloseExistingConnection
dcpromoui 810.E14 0073 14:49:11.020             The current user security context is being used therefore there is no need to establish a connection.
dcpromoui 810.E14 0074 14:49:11.020             HRESULT = 0x00000000
dcpromoui 810.E14 0075 14:49:11.920           NetStatus = 1722
dcpromoui 810.E14 0076 14:49:11.920           Enter AutoWNetConnection::CloseExistingConnection
dcpromoui 810.E14 0077 14:49:11.920           HRESULT = 0x800706BA
dcpromoui 810.E14 0078 14:49:11.920         HRESULT = 0x800706BA
dcpromoui 810.E14 0079 14:49:11.920         HRESULT = 0x800706BA
dcpromoui 810.E14 007A 14:49:11.920     failed trying to read domains, returned 0x800706BA
dcpromoui 810.E14 007B 14:49:11.921     Enter GetErrorMessage 800706BA
dcpromoui 810.E14 007C 14:49:11.921   GetExistingAccountForComputerInReplicaDomain error message: The wizard cannot gain access to the list of domains in the forest.

This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171

The error is:
The RPC server is unavailable.

dcpromoui 810.E14 007D 14:49:11.921   Test Failed
dcpromoui 810.E14 007E 14:49:11.921   GetExistingAccountForComputerInReplicaDomain returns exit code: 26
dcpromoui 810.E14 007F 14:49:11.921   END TEST: GetExistingAccountForComputerInReplicaDomain
dcpromoui 810.E14 0080 14:49:11.921   Enter State::UnbindFromReplicationPartnetDC


give full control to authenticated users on a domain name

$acl = Get-Acl d:\test5
# NTFS rule: Authenticated Users get Full Control on the folder
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule('Authenticated Users', 'FullControl', 'Allow')
$acl.AddAccessRule($ace)
$acl | Set-Acl   # writes the modified ACL back to d:\test5 (the ACL object carries its own Path)

This one is for a folder; how can I change my script for an entire domain OU?

baban jamal ali

grant permission by PowerShell

By accident I R.C on a domain name and, in Security for Authenticated Users, changed all Read permissions to Deny. Now I get the attached issue. Can someone help me grant the users' permissions back by PowerShell?

baban jamal ali

last interactively sign-in timings

Can somebody explain the timings about the last login here? According to this, I checked the event log, but there is no login event related to 7:08:20 AM for this particular user. The user logged in to the PC at 8:10 AM; I can see that event in the event log, but there are no events related to 7:08 AM. What could be the reason for this?

Write SamAccountName permission


Greetings,

  I have looked everywhere but cannot find the write 'SamAccountName' permission.

  There is a samaccountname in dssec.dat, but it's under the class '[securityPrincipal]', and setting that to zero still doesn't display it.

  Does anyone know where it is?

Thanks

David Z
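
Three posts above ask for the same operation: editing the ACL of a directory object from PowerShell ("give full control to authenticated users on a domain OU", "grant permission by PowerShell" and "Write SamAccountName permission"). The script in the first of them is NTFS-only: Get-Acl on a folder and a FileSystemAccessRule. Directory objects are reached through the AD: drive that the ActiveDirectory module creates, and take an ActiveDirectoryAccessRule. The following is an added example, not code from any of the posts: it first strips the accidental Deny ACEs for Authenticated Users from the domain head, then delegates write on a single attribute by its schemaIDGUID, which sidesteps the dssec.dat display filter entirely. 'OU=Staff' and 'CONTOSO\Helpdesk' are placeholders. Granting Authenticated Users FullControl on an OU would let every account in the domain rewrite anything in it (group membership, logon script paths, passwords via reset), so the example grants only the one property.

```powershell
# Added example, not from the original posts. Assumes the ActiveDirectory module (which provides the AD: drive)
# and Domain Admin rights; OU and group names are placeholders.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

# --- "grant permission by PowerShell": remove the explicit Deny ACEs set for Authenticated Users on the
#     domain head. A Deny on Read at the root breaks logon-time lookups for everyone. ---
$acl    = Get-Acl -Path "AD:\$domainDn"
$denies = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
    $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users'
}
foreach ($ace in $denies) { [void]$acl.RemoveAccessRuleSpecific($ace) }   # exact match, nothing else touched
if ($denies) { Set-Acl -Path "AD:\$domainDn" -AclObject $acl }
"$(@($denies).Count) Deny ACE(s) removed from $domainDn"

# --- "give full control ... on a domain OU" and "Write SamAccountName permission": delegate one attribute
#     on one OU, inheriting only to objects of one class. The ACE is built from schemaIDGUIDs, so it does
#     not depend on what the ACL editor (dssec.dat) chooses to display. ---
function Grant-AdPropertyWrite {
    param(
        [Parameter(Mandatory)][string]$OuDn,        # e.g. "OU=Staff,$domainDn"
        [Parameter(Mandatory)][string]$Principal,   # e.g. 'CONTOSO\Helpdesk'
        [Parameter(Mandatory)][string]$Attribute,   # lDAPDisplayName, e.g. sAMAccountName
        [string]$ObjectClass = 'user'
    )
    $schemaNc  = (Get-ADRootDSE).schemaNamingContext
    $attrGuid  = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$Attribute)"   -Properties schemaIDGUID).schemaIDGUID
    $classGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ObjectClass)" -Properties schemaIDGUID).schemaIDGUID
    $sid  = ([System.Security.Principal.NTAccount]$Principal).Translate([System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,                                                              # this property only
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)                                                             # on descendants of this class only
    $ouAcl = Get-Acl -Path "AD:\$OuDn"
    $ouAcl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $ouAcl
}

# Placeholder OU and group; adjust before running.
Grant-AdPropertyWrite -OuDn "OU=Staff,$domainDn" -Principal 'CONTOSO\Helpdesk' -Attribute 'sAMAccountName'
```

Verify afterwards with `dsacls "OU=Staff,<domain DN>"` or `(Get-Acl "AD:\OU=Staff,...").Access`; the new ACE shows the property and inherited-object GUIDs, which is exactly what the ACL editor hides when dssec.dat filters the attribute out.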

move the users/groups/service account along with permission from one forest (domain xyz.com) to another forest (Domain abc.com)


We are looking to move the users/groups/service accounts along with permissions from one forest (domain xyz.com) to another forest (domain abc.com).

We have a one-way trust between the abc.com and xyz.com domains. Users/groups and service accounts exist in xyz.com and access the resources of abc.com (file server (shared folder), Citrix profile (Roaming, Terminal and folder redirection)).

All users' data exists in the abc.com domain. Hence we are looking to move the users/groups/service accounts and computer accounts into the abc.com domain without losing access to existing resources.

As of now users are accessing the resources in abc.com as below.

1-     Workstation is joined to xyz.com (which needs to be moved into abc.com)

2-     Users log in to the xyz.com domain (users exist in xyz.com, and the profile path (Roaming, Terminal, and redirected folder) is configured via Group Policy as \\abc.com\dfs\...........)

3-     Users log in to the Citrix server (all Citrix servers/file server/storage are in abc.com) and access their resources.

Looking for some guidance here for a seamless move.

DC Demoted, local admin account corrupted


Hi Everyone

A few months ago our DC got infected with ransomware. We set up a new server two or three weeks ago, configured it as a DC (DC01) and transferred all the FSMO roles to the new DC (DC01). DCDIAG was clean on DC01. We then demoted the infected DC, and when we tried to log in via the local admin, we got "The User Profile Service service failed the logon". I added another user to the local Administrators group, but get the same error. I wanted to log on to the server to fully uninstall Active Directory and DNS from it.

Can I just switch off the server completely, or is there a way to see if all domain functionality works, other than dcdiag.exe?

Server 2019 Directory issues


      

The Problem
I cannot query the AD from the AppsServer unless I leave the domain and restart, then rejoin and NOT restart

All are fully patched with latest updates 07/05/2019

Setup (All Server2019, all single NICs)
DC01: Physical running AD DS, DHCP, DNS and file and storage services
AppsServer: Physical running Hyper-V, IIS, print and doc, file and storage services and Azure AD Connect
DC02: Virtual running AD DS, DHCP, DNS and file and storage services

Communication between the two DCs is fine, although I do get DFS Replication Event 5008 quickly followed by 5004 on DC01.
Pings between the two DCs are <1ms and never miss a beat.

DCDIAG From AppsServer
dcdiag /test:advertising /v /s:dc01
* Connecting to directory service on server dc01.
   Ldap search capability attribute search failed on server dc01, return value = 81

DCDIAG From DC02
Directory Server Diagnosis

Performing initial setup:
   * Connecting to directory service on server DC01.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Primary,CN=Sites,CN=Configuration,DC=domain,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=DC01,CN=Servers,CN=Primary,CN=Sites,CN=Configuration,DC=domain,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DC02,CN=Servers,CN=Primary,CN=Sites,CN=Configuration,DC=domain,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Primary\DC01
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Primary\DC01
      Starting test: Advertising
         The DC DC01 is advertising itself as a DC and having a DS.
         The DC DC01 is advertising as an LDAP server
         The DC DC01 is advertising as having a writeable directory
         The DC DC01 is advertising as a Key Distribution Center
         The DC DC01 is advertising as a time server
         The DS DC01 is advertising as a GC.
         ......................... DC01 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Test omitted by user request: FrsEvent
      Test omitted by user request: DFSREvent
      Test omitted by user request: SysVolCheck
      Test omitted by user request: KccEvent
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: MachineAccount
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: Replications
      Test omitted by user request: RidManager
      Test omitted by user request: Services
      Test omitted by user request: SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : DomainDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Schema
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Configuration
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : domain
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running enterprise tests on : domain.local
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Test omitted by user request: LocatorCheck
      Test omitted by user request: Intersite

IPCONFIG /All (disabled IPV6 on DC01 and AppsServer to test)
DC01
   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter NIC1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 90-B1-1C-22-19-82
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.254
   DNS Servers . . . . . . . . . . . : 192.168.0.17
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Disabled -> just disabled to test

DC02
   Host Name . . . . . . . . . . . . : DC02
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-00-60-0A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f5ad:b95d:529c:18d3%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.254
   DHCPv6 IAID . . . . . . . . . . . : 100668765
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-33-CA-A5-00-15-5D-00-60-0A
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Disabled -> just disabled to test

AppsServer
   Host Name . . . . . . . . . . . . : AppsServer
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Mixed
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

 Ethernet adapter NIC1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #4
   Physical Address. . . . . . . . . : F0-1F-AF-E1-5E-0F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.254
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       192.168.0.17
   NetBIOS over Tcpip. . . . . . . . : Enabled

Other tests ran..
nltest /dsgetdc:domain.local /server:dc01
     DC: \\DC01.domain.local
     Address: \\192.168.0.1
     Dom Guid: 62ea49d6-7a05-4258-81d3-06dba557ffed
     Dom Name: domain.local
     Forest Name: domain.local
     Dc Site Name: Primary
     Our Site Name: Primary
     Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10

The command completed successfully

Pings between all servers work on IP and host names; the firewall has been disabled for all network types; Group Policies have been disabled except on domain controllers. My local Windows 10 machine works without any issue and can query AD.

I'm out of ideas and would appreciate any help.


Problem with AD replication


I have a 1-DC environment (no $ for a 2nd one).

It's on the fritz: a possible memory issue and/or possible Windows corruption.

Anyway, I have a temporary box set up, joined to the domain, promoted to DC, and forced replication via AD Sites and Services. It said it completed successfully.

The new DC is a global catalog.

However, when the original DC goes offline, the new DC can no longer access AD Users and Computers, etc.

The new DC cannot access NETLOGON either. I can connect using the original DC as the source but can't use the new DC as the source.

\\newdc\netlogon while on the new DC doesn't work

\\olddc\netlogon while on the new DC does work

Both DCs are 2012 R2 Standard.

Thanks!
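
A DC with no \\newdc\netlogon share has not finished becoming a DC: NetLogon creates the SYSVOL and NETLOGON shares, and starts advertising, only after the SysvolReady flag is set, which on a 2012 R2 DC happens when DFSR completes the initial SYSVOL sync from the existing DC. Until then the old DC is still the only usable one, which matches what happens when it goes offline. The following PowerShell is an added example, not from the post; 'newdc' and 'olddc' are the placeholders used in the post, and it assumes the ActiveDirectory module, PowerShell remoting to the new DC, and that the old DC is still online when it runs.

```powershell
# Added example, not from the original post. Run as a domain admin from a host that reaches both DCs.
param([string]$NewDc = 'newdc', [string]$OldDc = 'olddc')
Import-Module ActiveDirectory
$dnsRoot = (Get-ADDomain).DNSRoot

# 1. Shares, the SysvolReady flag NetLogon waits for, and whether the new DC can resolve the domain on its own.
Invoke-Command -ComputerName $NewDc -ScriptBlock {
    Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue | Select-Object Name, Path
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name SysvolReady -ErrorAction SilentlyContinue |
        Select-Object SysvolReady
    # When the old DC is off, this list must contain the new DC itself (or another live DNS server).
    Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
        Select-Object InterfaceAlias, ServerAddresses
}

# 2. DFSR state of the SYSVOL replicated folder: 0 Uninitialized, 1 Initialized, 2 Initial Sync,
#    3 Auto Recovery, 4 Normal, 5 In Error. Anything but 4 explains the missing share.
Get-CimInstance -ComputerName $NewDc -Namespace root\MicrosoftDFS -ClassName DfsrReplicatedFolderInfo |
    Where-Object ReplicatedFolderName -eq 'SYSVOL Share' |
    Select-Object ReplicatedFolderName, State, LastErrorCode, LastErrorMessageId

# 3. Is the new DC advertising (look for LDAP, KDC, GC and WRITABLE in the flags) and what does dcdiag say?
nltest /dsgetdc:$dnsRoot /server:$NewDc
dcdiag /test:advertising /test:netlogons /test:sysvolcheck /s:$NewDc

# 4. Directory replication from both sides; a successful "force replication" in Sites and Services
#    covers the directory partitions, not SYSVOL.
repadmin /showrepl $NewDc
repadmin /showrepl $OldDc
repadmin /replsummary
```

If step 2 is stuck in Initial Sync with an error, the DFSR event log on the new DC (Applications and Services Logs / DFS Replication, events 4612/4614 and 5008/5012 for connection errors) says why; if DFSR is healthy but SysvolReady is 0, setting it to 1 forces the share, but only after SYSVOL really has content.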



Unable to view/setup domain trust


Hi, I have been asked to set up a one-way trust between two domains, but for some reason I can't do anything from domain A. I don't get the option to set up any trust.

I'm Enterprise/Domain Admin on both domains.

If I go to Active Directory Domains and Trusts (ADDT) in Domain B, then I am able to see the option to set up a trust, but not from Domain A.

Domain A setup

3 Domain Controllers

  • 2008 R2 DC
  • 2012 R2 DC
  • 2016 DC

Domain B setup

  • 2012 R2
  • 2016

Both of the domains are at the 2008 R2 functional level.


How to Turn on File & Printer Sharing using group policy?


Hi Team

Do we have any option to enable or deploy File and Printer Sharing in the firewall using Group Policy?


Replication access denied


Hi Support,

We have two Windows 2012 Standard DCs.

We did not make any recent changes.

When checked replication today we have seen the below error

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\AD1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 653b6bb0-39bc-4610-a4a7-b08248b940d6

DSA invocationID: 86a9e6b9-5f25-47f9-9147-3d8a13a108f1



DsBindWithCred to localhost failed with status 5 (0x5):

    Access is denied.

The other DC, AD2, is fine. That DC has inbound replication from the problematic DC. AD2 is the primary DC.

Please let me know how do I troubleshoot this.

How to audit DNS (AD Integrated) changes


   Hello to all, I need to audit DNS changes (creation, editing and deletion of zones and records) in a DNS environment that is integrated with AD. DC versions: Win2003, 2008, 2008 R2, 2012, 2012 R2 and 2016.

   I know that there are specific configurations to generate DNS events and they depend on the DC version. Until Win2012 (included) one should use GPO + ADSI Edit, and with Windows 2012 R2 and later an enhanced method appeared named "DNS Logging and Diagnostics" (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11). I didn't see any reference to ADSI Edit in the "DNS Logging and Diagnostics" article or others. Questions:

   1- How to configure DNS audit events (zone and record deletion, creation and editing) on a single domain that has DCs in versions like 2008, 2012 and 2016? Will one kind of configuration ("legacy" vs "Logging and Diagnostics") impact the other? How to enable DNS audit to get DNS events on several types of DCs, like the ones listed here?

   2- Is there a GPO to configure "Logging and Diagnostics"?

   Thanks in advance.

   Regards, EEOC.
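
The two mechanisms in the post are independent and can coexist. The "legacy" one is a SACL on the MicrosoftDNS containers in the DNS application partitions plus the "Audit Directory Service Changes" subcategory on the DCs; it produces Security-log events 5136 (modified), 5137 (created) and 5141 (deleted) on whichever DC received the write, for any DC version. The 2012 R2 method is the per-server Microsoft-Windows-DNSServer/Audit channel, which needs no SACL. The following PowerShell is an added example, not from the post: it places the SACL with PowerShell instead of ADSI Edit (the part the post could not find documented), then checks and queries the new channel. It assumes the ActiveDirectory module and Domain Admin rights (the SACL write needs SeSecurityPrivilege, so run elevated). The 515/516 event IDs are the record-create and record-delete entries of the linked article's table as I recall them; check them against your build.

```powershell
# Added example, not from the original post. Run elevated as a Domain Admin on a DC with the ActiveDirectory module.
Import-Module ActiveDirectory

# --- Legacy path (2008 / 2008 R2 / 2012, and still valid later): SACL on the DNS containers in both
#     application partitions. With "Audit Directory Service Changes" enabled on the DCs this yields
#     Security events 5136/5137/5141 naming the zone or record object and the account that changed it. ---
$domainDn = (Get-ADDomain).DistinguishedName
$forestDn = (Get-ADRootDSE).rootDomainNamingContext
$dnsRoots = @(
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn",
    "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"
)
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, Delete, DeleteTree'
$audit    = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # zones and every record under them

foreach ($dn in $dnsRoots) {
    $acl = Get-Acl -Path "AD:\$dn" -Audit          # -Audit reads the SACL as well as the DACL
    $acl.AddAuditRule($audit)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    "SACL set on $dn"
}
# The policy side, on every DC (normally via the Default Domain Controllers Policy):
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
# Records written through dynamic update by a DC's own DNS service are logged against that DC's account.

# --- 2012 R2 and later: the DNS Server audit channel. It is enabled by default on those builds;
#     this verifies it and pulls the latest record creations/deletions. ---
wevtutil gl Microsoft-Windows-DNSServer/Audit | Select-String '^enabled:'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DNSServer/Audit'; Id = 515, 516 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

On question 2: I know of no dedicated Group Policy setting for the 2012 R2 channel; it is a per-server event channel (`wevtutil sl Microsoft-Windows-DNSServer/Audit /e:true` to switch it on where it has been disabled), so a startup script or DSC is the usual way to push it. The legacy SACL writes to the Security log and the channel writes to its own log, so enabling both on a mixed-version domain does not interfere; the cost is duplicate records on the newer DCs, which the collector can dedupe on the record name.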



   
