Channel: Directory Services forum

Backup AD and what have you done


We have multiple domain controllers. I wanted to ask how have you guys prepared for these.

DR: I guess you can have Multiple domain controllers spread across geo-locations in Azure or other datacenters.

Ransomware, virus, accidental DNS deletion and so on: What have you done to protect from this? Let's say accidentally it affects your AD. Can you restore AD via VM checkpoint (might not be supported) or restore the VM? Do you have to take system state backups or so on? Do you have a DC in a remote location that only communicates so often with HQ?

I want to make sure we are protected and see what have you guys done for your AD infrastructure. 

Please suggest.


John
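As an added example (not from the forum post), two of the protections the post asks about, scripted in PowerShell: a system state backup of a domain controller with Windows Server Backup, and the AD Recycle Bin as a safety net against accidental deletions. It assumes the script runs elevated on a DC and that E: is a dedicated backup volume rather than the system drive; both are assumptions to adjust.

```powershell
# Added example, not from the forum post. Assumptions: runs elevated on a domain
# controller, and E: is a dedicated backup volume (not the system drive).
$backupTarget = 'E:'   # assumption: dedicated backup volume

# Windows Server Backup provides wbadmin; install the feature if it is missing.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

# System state on a DC covers the AD database (ntds.dit), SYSVOL, the registry and boot files.
& wbadmin.exe start systemstatebackup -backupTarget:$backupTarget -quiet

# Confirm a backup version was written; an authoritative or non-authoritative
# restore of AD starts from one of these versions.
& wbadmin.exe get versions -backupTarget:$backupTarget

# Accidental-deletion safety net: the AD Recycle Bin. Forest-wide, cannot be
# turned off once enabled, and needs forest functional level 2008 R2 or higher.
Import-Module ActiveDirectory
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $recycleBin.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $recycleBin -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).Name -Confirm:$false
}
```

The system state backup is the supported path for restoring AD; a VM checkpoint rolls the whole machine back, which is a different operation from restoring the directory. The Recycle Bin covers the "accidental deletion" case in the post without a restore at all, but only for objects deleted after it was enabled.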


CA not updating revocation list of superseded CA certificates


Hello,

I have an Enterprise Sub-CA running on Server 2012 R2. The root is an offline CA. I have a history of 6 CA certificates (0-5), of which 4 & 5 are revoked. There are still many valid certificates issued by certificate no. 3 in the field. The problem is that the CA is not issuing revocation lists for certificate no. 3 anymore and therefore I'm getting certificate errors. The CA is issuing revocation lists for CA certificates no. 0, 2 and 5 though. I don't mind no. 1 as there were no certificates issued by this certificate, but I have to have revocation lists for CA certificate no. 3. The revocation lists are not issued automatically or when triggered by hand.

Any idea?

Thanx

__Leo

Home Folders does NOT map on Initial Logon Using ADUC Settings


I do have Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon (enabled)

All switches have Portfast enabled

All GPO are processed fine.

For a few users (the same user on ANY device), the home drive set in the profile will not map.

It just simply is not there. But "set" shows:

HOMEDRIVE=U:
HOMEPATH=\
HOMESHARE=\\server.domain.local\Stafffile\Users\UserInQuestion

So it should be there. But no matter what, it does not happen.

The only way I can do it is a loopback GPO with GPP, and there I can even specify %HOMESHARE% and it maps perfectly fine.

Been all over the Internet trying to figure that one out, but simply cannot.

Maybe somebody has any idea?

Seb

Active Directory Migration Tool ERROR


Please help

I'm receiving this error during migrating this user to another AD

ERR2:7422 Failed to move source object 'CN=al'. hr=0x8007207d An attempt was made to modify an object to include an attribute that is not legal for its class.

ProxyAddress attribute was totally emptied after moving users to another OU


ProxyAddress attribute was totally emptied after moving users to another OU

I have a big AD on-premises structure, 18 DCs/ADs and hundreds of users, and an AADConnect VM to sync user info to AzureAD/Office365 (single direction, on-premises --> Office365).

Yesterday I moved hundreds of users from their original OUs to a new one. This target OU is not synced with Office365.

The trick is:

After the move, the ProxyAddress attribute was.. EMPTY.. CLEAR... NULL...

And, as a result, all users lost their access to my shared mailboxes, because the shared mailboxes have their relation with the proxyAddress attribute, which is OK.

But the question is:

Why was the ProxyAddress attribute lost/emptied after a single move of an object from one OU to another?

Unable to create user accounts until DC is restarted

We have experienced 3 times lately where we have been unable to create user objects in Active Directory.  The first two had the same errors.  I'm not sure if the third one is related or not.

I have 4 DCs, two in each of two sites.  One of the Domain Controllers, DC1, has all the FSMO roles.  They are all Windows 2012 R2, but the Domain and Forest Functional Level is at Windows 2008 R2 until later this week.  We have a single domain forest.  We have about 650-700 actual users, so even with shared and special user IDs, we probably have less than 2000 user objects.  Not a large Active Directory structure.

While I first noticed the problem when working in Exchange, this is an AD problem.  Almost 6 weeks ago, I suddenly was unable to create a user account when trying to create an Exchange mailbox.  The error in Exchange was "Exchange couldn't find any usable connections to the Active Directory server DC1.domain."

In the System log on DC1, there were numerous Event ID 16642 error events from Directory-Services-SAM:
“The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log.”  After finding very little about troubleshooting this error, I restarted DC1.  Once DC1 came back up, I was able to create user objects again.

Early last week, I experienced the same thing with the same errors.  I restarted DC1 again, and again I was able to create objects normally.

I was off last Friday, but received an email from a colleague that we were again unable to create user objects.  They restarted DC1 and were able to create users again.

I looked through the Event logs on DC1 and did NOT find the Event ID 16642 from Directory-Services-SAM.  I did not find anything in the Application or System log that looked like an explanation for this inability to create users on Friday morning. This time, I looked at the Directory Service log and saw error Event ID 1519 repeated many times: 
"Internal Error: Active Directory Domain Services could not perform an operation because the database has run out of version storage." 

I saw a Microsoft blog about version storage at "https://blogs.technet.microsoft.com/askds/2016/06/14/the-version-store-called-and-theyre-all-out-of-buckets/".  This blog discussed increasing the maximum size of the version store, but it related the need for this with information that would be found in error Event ID 623.  DC1's log does not contain Event 623.

Unfortunately, the Directory Service log went back only a few days, so I could not look for what might have been in there during the time frame of the first two instances of being unable to create users.

Can anyone offer me any help with what I need to do to prevent this situation from recurring?

Thank you very much for your help with this.
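As an added example (not part of the post), a PowerShell check that pulls the two events described above from a DC, asks the DC about its RID pool directly, and enlarges the Directory Service log so the evidence survives next time. The DC name and the seven-day window are assumptions.

```powershell
# Added example, not from the post. $dc and the 7-day window are assumptions.
$dc    = 'DC1'
$since = (Get-Date).AddDays(-7)

# Event 16642 (System log, source Directory-Services-SAM): the account-identifier
# (RID) allocator could not hand out a new identifier.
$ridEvents = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'System'; Id = 16642; StartTime = $since }

# Event 1519 (Directory Service log): the ESE version store ran out.
$vsEvents = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 1519; StartTime = $since }

# One summary object per DC; feed this into monitoring rather than waiting for
# the next failed account creation.
[pscustomobject]@{
    Computer            = $dc
    RidAllocatorErrors  = @($ridEvents).Count
    VersionStoreErrors  = @($vsEvents).Count
    FirstVersionStoreAt = ($vsEvents | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
}

# Query the RID pool state directly instead of inferring it from event 16642.
& dcdiag.exe /s:$dc /test:RidManager /v

# The post notes the Directory Service log only covered a few days. Raise its
# maximum size (bytes; here 100 MB) so the next occurrence keeps the history.
& wevtutil.exe sl 'Directory Service' /ms:104857600 /r:$dc
```

Running the summary against every DC in the domain (loop over `(Get-ADDomainController -Filter *).HostName`) shows whether the condition is confined to the FSMO holder, which is the pattern the post describes.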

Does Windows Server 2008 Directory Services fail over transparently?

Hi experts,
I need to patch a Windows Server 2008 for CVE-2019-0708 (Remote Desktop Services Remote Code Execution Vulnerability).

Here is my problem. Does Windows Server 2008 Directory Services run like DNS services, that is to say,
if I shut down one server, the active session/connection/transaction/application will automatically connect to another active server, so there is no planned downtime required?

Or is it like SQL Server AlwaysOn, that is to say, it runs in Active/Passive mode: if I shut down one primary replica, all active sessions will be terminated and reconnect to the secondary replica after a few seconds, and I HAVE TO schedule a planned downtime to install hotfixes.

Sorry, I thought about using Google but I just could not figure out what keywords I should use.
Also, maybe this is more like a client-side/application-side question? Does it depend on the client-side application, like SAP application servers or Visual Studio/dotNet application custom code?

If possible, please show me official Microsoft documents/links, thanks a lot.
PS: I tried it before, and it seems to fail over transparently, but I need to double confirm because our SAP runs 24/7 and minimizing unexpected downtime is vital.

AD LDS - Create new application partition


Hello!

I have two AD LDS instances in one configuration set and I am trying to create a new application partition. I am following an MSDN article (unfortunately I cannot provide the link here, I do not have enough karma) which describes this process for Active Directory. Now for the instance that was the first in the set all works perfectly, but when I am trying to create another application partition on the second server (create a domainDNS object) it gives me an "Unwilling to perform" error.

My guess is that it has something to do with the first server being Naming Master. In case of Active Directory the document says that we need to bind to the server where we would like to create a partition with the delegation option to "allow the domain controller to contact the Domain-Naming FSMO role holder". The problem is that I could not find such an option for the ldap_connect function which I am using to connect to AD LDS servers.

Any help would be great, thank you.


Best Practices for AD Site configuration

I have been trying to find a document from Microsoft for the Best Practices for AD Site configuration.  We have about 20 sites and multiple DCs at most of them.  A coworker wants to set up each DC in each site to replicate back to the DataCenter DCs.  In each site there is one DC set to replicate to the DataCenter, then the other DCs in the site replicate from that.  From what I understand, this is the correct configuration as it cuts down on replication traffic since only 1 DC in each site is doing intersite replication.

How to assign Admin Rights Only for their own Computers in Active Directory?


Dear Team,

Here I need help with 2 things from everyone.

1> How can we assign the computer to a particular owner for configuring admin rights?

Example: PC-1 should be assigned to John

2> How to configure admin rights only for their particular computer by using Active Directory Group Policy?

Example: PC-1 is used by John, so John should have admin rights on his PC; if John tries to log in to PC-2 he should not have admin rights on that PC.

Waiting for the response 

Regards,

Aghil
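One way to build the per-computer assignment the question asks for, as an added example rather than the poster's own setup: a domain group named after each computer holds that computer's owner, and a single Group Policy Preferences "Local Users and Groups" item adds the group `LocalAdmins-%ComputerName%` to the local Administrators group, so the variable resolves to a different group on every machine. The OU, the second computer and its owner are constructed assumptions; PC-1/John come from the post.

```powershell
# Added example, not the poster's code. Assumptions: the OU path below exists and the
# GPP Local Users and Groups item adds the member "LocalAdmins-%ComputerName%" to the
# local Administrators group (configured once in the GPMC, applied to the workstation OU).
Import-Module ActiveDirectory

$groupOu = 'OU=LocalAdminGroups,DC=example,DC=com'   # assumption
$assignments = @{
    'PC-1' = 'john'    # PC-1 is used by John (from the post)
    'PC-2' = 'alice'   # constructed second assignment
}

foreach ($computer in $assignments.Keys) {
    $owner     = $assignments[$computer]
    $groupName = "LocalAdmins-$computer"

    # One group per computer; its name is what %ComputerName% expands to in the GPP item.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $groupOu
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                             -Path $groupOu -Description "Local administrators of $computer" -PassThru
    }

    # Question 1: record the owner on the computer object (managedBy) so ADUC shows it.
    Set-ADComputer -Identity $computer -ManagedBy (Get-ADUser -Identity $owner)

    # Question 2: only this group's members become local admins, and only on this computer.
    Add-ADGroupMember -Identity $group -Members $owner
}

# Verify who is local administrator of PC-1 under this scheme.
Get-ADGroupMember -Identity 'LocalAdmins-PC-1' | Select-Object Name, SamAccountName
```

Because John is only a member of `LocalAdmins-PC-1`, the GPP item on PC-2 adds `LocalAdmins-PC-2` to Administrators and John gets no elevated rights there. Keep the GPP item's "Delete all member users / groups" options off unless you mean to purge existing local administrators.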


Replication access denied


Hi Support,

We have two Windows 2012 Standard DCs.

We did not make any recent changes.

When we checked replication today we saw the below error:

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\AD1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 653b6bb0-39bc-4610-a4a7-b08248b940d6

DSA invocationID: 86a9e6b9-5f25-47f9-9147-3d8a13a108f1



DsBindWithCred to localhost failed with status 5 (0x5):

    Access is denied.

The other DC, AD2, is fine. That DC has inbound replication from the problematic DC. AD2 is the primary DC.

Please let me know how I troubleshoot this.
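As an added example (not from the post), the checks I would run from an elevated prompt on the DC that reports `DsBindWithCred ... Access is denied`: clock offset against the healthy DC (Kerberos rejects tickets outside the allowed skew, 5 minutes by default), the DC's own secure channel, and replication status from both sides. The DC names are taken from the post; nothing else is assumed.

```powershell
# Added example, not from the post. Run elevated on AD1 (the DC reporting status 5).
$bad  = 'AD1'   # DC that fails DsBindWithCred
$good = 'AD2'   # DC that still replicates

# 1. Time: offsets beyond the Kerberos skew tolerance surface as "Access is denied".
& w32tm.exe /stripchart /computer:$good /samples:3 /dataonly

# 2. This DC's secure channel with the domain.
Test-ComputerSecureChannel -Verbose

# 3. Replication health, errors only, from both DCs' point of view.
& repadmin.exe /replsummary
& repadmin.exe /showrepl $bad  /errorsonly
& repadmin.exe /showrepl $good /errorsonly

# 4. Replication and DNS tests against the failing DC.
& dcdiag.exe /s:$bad /test:Replications /test:DNS /v
```

If step 1 shows a large offset, fix time first and re-run step 3; the bind error is then usually gone without any directory changes.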

Additional Domain Controller for DR site


Hi All,

I would like to seek your assistance on our plan to add a domain controller for our DR site. May I know what the requirements, prerequisites and things I need to configure after promoting my domain controller are? The role of this additional domain controller is to replicate the primary domain controller. If possible please guide me in a step by step format. Thank you!

Also, can I control/limit/schedule the transfer rate? Thanks!

Regards,
Pao

Active Directory Sites and Services Replication Problem


Good Day Sir / Ma'am

I have a big problem with our AD. I have been through all the forums and yet I have not solved our problem. Please refer below.

When I try to replicate now the ZAMECO2AD under the domain-server2, this happens:

And when I try to replicate 693.... under the ZAMECO2AD, this happens:

Please help. It has been bugging me for almost two weeks. Thank you..

Domain Controller shows SID with its Name


I recently migrated all the domain controllers in a multi-site environment to Server 2016. In one of the sites one domain controller shows its name with some kind of a code (I believe it is the SID). Now it doesn't allow me to transfer FSMO roles to the new server using the new server name (STWN-AD03), see attached. In Sites and Services and /replsummary it also shows the server name with the same name.

I hope you can help me find what caused it. Like I mentioned, this domain has 3 sites and changes replicated throughout all sites.

I was thinking replication delays might have caused it while I was upgrading, because after upgrading Site A, I didn't check that all changes were replicated to the other 2 sites before moving on to Site B. Any thoughts?

How can I fix this? Is there any way without going for a fresh server? (because we already migrated a payroll application to the new server)

 

Janindu Nanayakkara

ESENT Event 508 A Request to write to the file .... bytes succeeded, but took an abnormally long time


Hi,

Hoping to get a few ideas on what might be the cause of this issue we are having.

Background

We have two hyper-v clusters running Server 2012R2.

Our AD environment is a mix of 2008R2 DCs and one 2012R2 DC.

We have both 2008R2 and 2012R2 DCs running virtualised on the Hyper-V clusters.

2008R2 DC is on a VHD disk.

2012R2 DC is on VHDX disk.

We have a number of other 2012R2 and 2008R2 servers on the clusters.

Issue

We have started seeing the above error being logged on the 2012R2 DC only. The 2008R2 DC's do not show this error at all.

Event ID: 508

Source: ESENT

Level: Warning

svchost (2568) A request to write to the file "C:\Windows\system32\LogFiles\Sum\Svc.log" at offset 2023424 (0x00000000001ee000) for 4096 (0x00001000) bytes succeeded, but took an abnormally long time (15 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

lsass (628) A request to write to the file "\\?\Volume{538f044f-9c00-11e3-80c2-00155d1c0903}\Windows\NTDS\ntds.dit" at offset 31342592 (0x0000000001de4000) for 8192 (0x00002000) bytes succeeded, but took an abnormally long time (15 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

Source: NTDS ISAM

NTDS (628) NTDSA: A request to write to the file "E:\Windows\NTDS\edb.log" at offset 1306624 (0x000000000013f000) for 4096 (0x00001000) bytes succeeded, but took an abnormally long time (21 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

Event ID 509

Source: NTDS ISAM

NTDS (628) NTDSA: A request to read from the file "E:\Windows\NTDS\ntds.dit" at offset 243572736 (0x000000000e84a000) for 8192 (0x00002000) bytes succeeded, but took an abnormally long time (21 seconds) to be serviced by the OS. In addition, 0 other I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted 23679 seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

Troubleshooting So Far

AV exceptions are in place for scanning

Backup (DPM 2012) disabled for testing

Moved 2012R2 DC to another virtual host

Moved 2012R2 DC to another storage server

The server is fully patched with all latest updates available from windows update.

Any assistance is appreciated.


Regards,

Denis Cooper

MCITP EA - MCT





Domain Adding issue


When I am adding a computer to our domain it shows an error like this: "your computer could not be  the domain. You have  the maximum number of computer accounts you are allowed in this domain"

Can you resolve this??
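As an added example (not from the post): the quoted message is the one Windows returns when a user has reached `ms-DS-MachineAccountQuota`, the number of computers an ordinary user may join to the domain (10 by default). The PowerShell below reads the current value and then applies the usual hardening, setting the quota to 0 and pre-staging computer objects instead of allowing ad-hoc joins. The OU path and computer name are constructed assumptions.

```powershell
# Added example, not from the post. Requires the ActiveDirectory RSAT module and
# rights to modify the domain head object. OU and computer name are assumptions.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

# Current quota: how many machines each authenticated user may join.
(Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# Hardening: 0 means no joins beyond what is explicitly delegated or pre-staged,
# which also closes off uncontrolled machine accounts created by any domain user.
Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Pre-stage the computer object in the right OU; the join then only needs rights
# on that object rather than the domain-wide quota.
$workstationOu = 'OU=Workstations,DC=example,DC=com'   # assumption
New-ADComputer -Name 'PC-NEW01' -Path $workstationOu -Enabled $true   # constructed name
```

Read the value first: if it is already 0 in the questioner's domain, the quota is not the cause and the join account needs delegated "Create Computer objects" rights on the target OU instead.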



Schema Mismatch


I was migrating my 2 DCs from Windows Server 2008 R2 to Windows Server 2016, and after I promoted the first Windows Server 2016 domain controller,

when I ran repadmin /showrepl it gave me the error "The replication operation failed because of a schema mismatch between the servers involved" 8418 (0x20e2).

I have tried to follow this article "https://support.microsoft.com/en-us/help/2734946/troubleshooting-ad-replication-error-8418-the-replication-operation-fa" but it did not help, so are there any suggestions?
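As an added example (not from the post), a PowerShell check for the situation described above: error 8418 means the two DCs disagree on the schema, so listing the schema `objectVersion` each DC holds shows which one is behind (the 2008 R2 schema is version 47, the 2016 schema is version 87). It runs from any domain-joined machine with RSAT and assumes no names.

```powershell
# Added example, not from the post. Compares the schema version held by every DC.
Import-Module ActiveDirectory
$schemaDn = (Get-ADRootDSE).schemaNamingContext

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        # objectVersion on the Schema container: 47 = 2008 R2, 87 = 2016
        $v = (Get-ADObject -Identity $schemaDn -Server $dc -Properties objectVersion).objectVersion
    } catch {
        $v = "unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ DomainController = $dc; SchemaVersion = $v }
}

# Replication state of the schema partition only, errors only.
& repadmin.exe /showrepl * $schemaDn /errorsonly
```

A DC still reporting 47 after the 2016 promotion has not replicated the schema extension; the second command shows whether that inbound replication is itself failing.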


Unexpected issue with GPO


Hi,

I have created one GPO with some security settings suggested by our security team. The GPO contains only Computer Settings. I had to apply it to the OU with 80 computer accounts (Hyper-V servers). I put those 80 computers in a group and then added that group to the security filtering of that GPO. Then I linked that GPO to that specific OU, containing those servers.

Everything went well for almost 15 days.

Then I thought that since the settings need to be implemented on all the computers in that OU, I deleted the group from security filtering and added "Authenticated Users" to the security filtering.

Once the replication was done, I lost connection to ALL computers in the entire domain. All Hyper-V hosts were down and I was not able to connect to ANY computers, including the DC as it was also a VM. I accessed the physical host, took the console of the DC and unlinked that GPO from that OU, which fixed the issue.

Now my question is, what exactly went wrong? I just changed the security filtering to "Authenticated Users" from the computer accounts. Why was it working when computer accounts were added in the security filtering, and why did it go down after I added the "Authenticated Users" account? Anyhow we had to apply that GPO to all the computers inside that OU. Also there were no user-related settings in that GPO. Can someone please help me understand this?

Thanks!

Nilabh Verma

Bridgehead server selection process

If we have multiple domain controllers in the site and all the DCs are global catalogs, how will the bridgehead server be chosen? What is the selection process of the bridgehead server?

