Domain Controller Failed Test Advertising

May 20, 2019, 7:24 am

≪ Previous: 2008 to 2019

Hi Guys,

I have created a secondary (backup) domain controller and successfully managed to promote it. However, It doesn't contain netlogon directories. On running DCDIAG command, I get the following output.

Notes:

The current primary DC is running Windows Server 2003 with Server 2003 forest functional level. (Name - pdc, pdc.domain1.com)

My new server with errors is on Windows Server 2012 R2 (DC01, DC01.domain1.com)

-----------------------------------------------------------------------------------------

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.domain1>dcdiag

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = DC01
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC01
Starting test: Connectivity
......................... DC01 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC01
Starting test: Advertising
Warning: DsGetDcName returned information for
\\pdc.domain1.com, when we were trying to reach DC01.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... DC01 failed test Advertising
Starting test: FrsEvent
......................... DC01 passed test FrsEvent
Starting test: DFSREvent
......................... DC01 passed test DFSREvent
Starting test: SysVolCheck
......................... DC01 passed test SysVolCheck
Starting test: KccEvent
......................... DC01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC01 passed test MachineAccount
Starting test: NCSecDesc
......................... DC01 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\DC01\netlogon)
[DC01] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... DC01 failed test NetLogons
Starting test: ObjectsReplicated
......................... DC01 passed test ObjectsReplicated
Starting test: Replications
......................... DC01 passed test Replications
Starting test: RidManager
......................... DC01 passed test RidManager
Starting test: Services
......................... DC01 passed test Services
Starting test: SystemLog
......................... DC01 passed test SystemLog
Starting test: VerifyReferences
......................... DC01 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : domain1
Starting test: CheckSDRefDom
......................... domain1 passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... domain1 passed test CrossRefValidation

Running enterprise tests on : domain1.com
Starting test: LocatorCheck
......................... domain1.com passed test LocatorCheck
Starting test: Intersite
......................... domain1.com passed test Intersite

Please assist.

↧

Upodating root certificate

May 26, 2019, 4:05 am

≫ Next: How to make LDAP SSL call using DsBrowseForContainerW API

≪ Previous: Domain Controller Failed Test Advertising

Hi all,

I have a Private certificate authority installed on domain controller of windows server 2008 R2.

This certificate authority is used to issue certificates for exchange 2010.

The root certificate is about to finish on 7/18/2019.

My concerns are what will happen to the issued exchange certificates When updating the The root certificate.

Keep in mind exchange certificate will expire on 18 July 2019 too

If I updated the root certificate now , what wil happened to the issued certificate of excgange 2010

In other words :

What is the appropriate sequence for updating the CA root certificate taking into account that exchange 2010 certificates hve to be valid and running .

↧

How to make LDAP SSL call using DsBrowseForContainerW API

May 24, 2019, 8:12 am

≫ Next: Active Directory Sites and Services Replication Problem

≪ Previous: Upodating root certificate

Hi,

I am using DsBrowseForContainerW( ) to load all container (OUs ) from given domain.

Internally Its using LDAP Non SSL call to read data from domain controller. But I want to use LDAP SSL communication to read data from Domain Controllers.

How can I achieve this?

case-1 : ADsPath = "LDAP://Domain100.Lab/DC=Domain100,DC=Lab" working fine and LDAP Non SSL calls

case-2 : ADsPath = "LDAP://dc12.Domain100.Lab:389/DC=Domain100,DC=Lab" working fine and LDAP Non SSL calls

case-2 : ADsPath = "LDAP://dc12.Domain100.Lab:636/DC=Domain100,DC=Lab" NOT working fine

LDAP Non SSL port = 389

LDAP SSL Port = 636

Code :

DSBrowseInfo dsbi = new DSBrowseInfo();
dsbi.cbStruct = System.Runtime.InteropServices.Marshal.SizeOf(dsbi);
dsbi.pszCaption = caption;
dsbi.pszTitle = title;
dsbi.pszRoot = ldapPath;
dsbi.pszPath = sResult;
dsbi.cchPath = 1024;
dsbi.hwndOwner = hwnd;

if (user != null && user.Length > 0)
{
dsbi.pUserName = user;
dsbi.pPassword = password;
dsbi.dwFlags |= DSBI_HASCREDENTIALS;
}
int ret = DsBrowseForContainerW(ref dsbi);

In case-3, its giving error as unable to connect to domain with given user name and password.

Please help me to solve the issue. How can achieve LDAP SSL communication by using DsBrowseForContainerW() api.

Thanks & Regards

Prasad

↧

Active Directory Sites and Services Replication Problem

May 23, 2019, 11:22 pm

≫ Next: Hard disk error

≪ Previous: How to make LDAP SSL call using DsBrowseForContainerW API

Good Day Sir / Ma'am

I have a big problem with our AD. I came thru all the forums and yet I have not solve our problem. Please refer below

When I try to replicate now the ZAMECO2AD under the domain-server2 this happen

And when I try to replicated 693.... under the ZAMECO2AD this happen

Please help. It bugs me for almost two weeks. Thank you..

↧

Hard disk error

May 27, 2019, 2:22 am

≫ Next: Hide homePhone attribute in AD

≪ Previous: Active Directory Sites and Services Replication Problem

Hi all,

I'm promoting a server 2012 R2 Domain Controller. During the prerequisites check, it return error "Verification of prerequisites for Domain Controller promotion failed. The folder U:\windows\ntds does not refer to a valid hard disk. Select a folder on a hard disk drive".

If i set the path to C: drive it working juz fine. My U: drive is in NTFS format, attach from LUN. Is there any requirement in terms of HD type/format?

↧

Hide homePhone attribute in AD

May 27, 2019, 3:26 am

≫ Next: Restoring Deleted Active Directory Object

≪ Previous: Hard disk error

Hi,

I want to hide homephone attribute from AD. Is there any to do so as I am unable to do it via adsiedit.

↧

Restoring Deleted Active Directory Object

May 11, 2019, 10:29 am

≫ Next: Nitpicking 101: AD snapshot- correct way..

≪ Previous: Hide homePhone attribute in AD

Dear Support,

Can we restore Active Directory deleted object without restarting Domain Controller. If yes, Please share the details to perform the same.

OS : Windows Server 2008

R!t@$#

↧

Nitpicking 101: AD snapshot- correct way..

May 19, 2019, 6:20 am

≫ Next: Database cloning: Copy(as pre-seed) vs copy a database

≪ Previous: Restoring Deleted Active Directory Object

Hey,

In order to "snapshot" AD I go to cmd and use ntdsutil. When I read how to do it I see "2 schools" .

ntdsutil

activate instance ntds

snapshot

create

http://www.rebeladmin.com/wp-content/uploads/2015/02/snap8.png

https://blogs.technet.microsoft.com/niraj_kumar/2009/02/04/active-directory-snapshot-new-feature-in-windows-2008/

---------------------------------

ntdsutil

snapshot

activate instance ntds

create

https://social.technet.microsoft.com/wiki/contents/articles/28644.active-directory-snapshot.aspx

Both on Technet! Is there any difference between the two? Which one is a correct way. Most of the commands go only one way- thus me asking this question.

Thanks!

↧

Database cloning: Copy(as pre-seed) vs copy a database

May 27, 2019, 5:16 am

≫ Next: FSMOcheckFail

≪ Previous: Nitpicking 101: AD snapshot- correct way..

Hi,

I just have a simple question. In order to clone a database from SRV 1 toSRV2 we need to first export the database. Then there is a time to do bothpre-seeding of data plus copying the aforementioned database. Do I userobocopy in both situations? Then import database with powershell?

Thanks for the answer!

↧

FSMOcheckFail

May 26, 2019, 11:41 pm

≫ Next: Domain Trust between Server 2016 and 2008 R2 Domain

≪ Previous: Database cloning: Copy(as pre-seed) vs copy a database

Hello Everyone,

We are running one script for our Active directory health Check and in that health check we are getting most of the things fine but only one thing is showing fail as below.Can anyone help me about this why this is failing and what should we need to do to fix this issue.

↧

Domain Trust between Server 2016 and 2008 R2 Domain

August 10, 2018, 3:43 am

≫ Next: DFSR Database cloning: Copy(as pre-seed) vs copy a database

≪ Previous: FSMOcheckFail

I have been trying to setup a trust between a new 2016 AD domain and a existing 2008 R2 Domain (2008 R2 Functional Level Mix of 2008 R2 and 2012 Servers)

For some reason it is only letting me set up a realm trust and not a Trust for Windows domain.

Is this normal ? has anyone else experienced issue with creating a 2008 and 2016 trust?

The 2016 Domain is just 1 2016 AD domain controller as this is a new POC environment.

Dave

↧

DFSR Database cloning: Copy(as pre-seed) vs copy a database

May 27, 2019, 5:16 am

≫ Next: Active Directory: Recovering deleted objects vs groups

≪ Previous: Domain Trust between Server 2016 and 2008 R2 Domain

Hi,

Thanks for the answer!

↧

Active Directory: Recovering deleted objects vs groups

May 27, 2019, 6:26 am

≫ Next: Shared Folder Access only For Particular OU

≪ Previous: DFSR Database cloning: Copy(as pre-seed) vs copy a database

Hello,

My journey into IT waters was a little bit rough but I'm getting better and better every day. And often, the rabbit holes go not only so deep but there are labyrinths/mazes all over (sounds like some poet or so! :D). Can anybody explain to me the difference between recovering deleted objects (like 10 deleted accounts) versus group deletion(with 10 accounts)?

I understand there is a difference if Active Directory Recycle Bin is enabled (we can go to it and recover the deleted object quite fast - can we do it with groups???). If there is no ADRB at our disposal, there is this ntdsutil,authoritative restore (either object or ou). So what's the story with deletion of groups? Another possibility was so called "tombstone reanimation" but this one lack restoration of proper permissions if I'm not mistaken. Is there any article explaining the difference or could some IT whizz kid drop some clues right here???

Thanks!

========

"Unfortunately, no one can be…told what the Matrix is. You have to see it for yourself. This is your last chance. After this, there is no turning back. You take the blue pill , the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill , you stay in Wonderland, and I show you how deep the rabbit hole goes"Matrix

↧

Shared Folder Access only For Particular OU

May 19, 2019, 8:41 am

≫ Next: Cannot Delete Specific OU in AD

≪ Previous: Active Directory: Recovering deleted objects vs groups

Dear Team,

How We can configure shared folder access through GPO? Also i need to set the permission to the shared folder only for a particular Organization Unit (OU).

Regards

Aghil

↧

Cannot Delete Specific OU in AD

May 27, 2019, 8:22 am

≫ Next: Errors in DCDIAG

≪ Previous: Shared Folder Access only For Particular OU

I cannot delete one OU in AD. The button to delete the OU is greyed out in ADUC/ADAC.

I have done some investigation from my part already:

1) "Protect object from accidental deletion" box is unchecked.

2) Tried to delete using powershell:

PS C:\Users\myaccount.COMPANY> Remove-ADOrganizationalUnit "OU=Company Computers,DC=company,DC=pri"

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove" on target "OU=Company Computers,DC=company,DC=pri".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
Remove-ADOrganizationalUnit : The requested delete operation could not be performed
At line:1 char:1
+ Remove-ADOrganizationalUnit "OU=Company Computers,DC=company,DC=pri"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (OU=Company Computers,DC=company,DC=pri:ADOrganizationalUnit) [Remove-ADOrganizationalUnit], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8398,Microsoft.ActiveDirectory.Management.Commands.RemoveADOrganizationalUnit

3) Tried to delete it in Group Policy Management, get error "Access is denied".

So this really looks like permission issue, right?

Then I granted myself Full Control and there is not any DENY rule in ACL. I also verified from effective access, I have the full access!!!!!!!!!

What else can I do to fix this issue? Is this a bug?

↧

Errors in DCDIAG

May 27, 2019, 9:57 am

≫ Next: Unable to Register SPN manually

≪ Previous: Cannot Delete Specific OU in AD

Scenario:

Site A (Being Decommissioned):

Site B (New Data Center):

Issue:

After building out net new DC3 and DC4 into the domain, and having them joined to the domain and promoted to domain controllers, I have moved the PDC role off from DC2 to DC4; When about to shut down DC1 and DC2, we noticed that when they are shut down any PCs are not able to login to the domain when they are shut off. Long story short, DCDIAG showed a bunch of errors listed below:

DC1 - Failing dcdiag LocatorCheck PDC Error 1355
DC2 - Failing dcdiag LocatorCheck PDC Error 1355
DC3 - Failing Advertising, DSGetName returned info for DC1 when trying DC3
DC3 - NetLogons failing (Unable to connect to Netlogon Share \\DC3\netlogon, Error 67)
DC3 - Failing dcdiag LocatorCheck PDC Error 1355
DC4 - Failing Advertising, DSGetName returned info for DC2 when trying DC4
DC4 - NetLogons failing (Unable to connect to Netlogon Share \\DC4\netlogon, Error 67)

Any idea on what may be causing some of this and how to correct it so that I am able to properly decommission DC1 and DC2?

↧

Unable to Register SPN manually

January 29, 2016, 7:14 am

≫ Next: Interactive Log On, badPwdCount not correct

≪ Previous: Errors in DCDIAG

All, I am pulling my hair out trying to resolve this issue. Whenever I run setspn.exe regardless of preceding switch it fails with error

setspn -d http/service.domain domain\serviceaccount

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Unable to locate account serviceaccount

I have read through a lot of stuff and most of it related to SQL SPN which allows the option to self register. I am registering a http service. I tried setting SPN AD attribute editor ADM but not sure if that's the right way to do it.

Any help or idea would be greatly appreciated.

↧

Interactive Log On, badPwdCount not correct

May 27, 2019, 1:44 pm

≫ Next: Home Folders does NOT map on Initial Logon Using ADUC Settings

≪ Previous: Unable to Register SPN manually

Hello,

I've been scouring the internet without finding anything that is helping my situation. My problem is that it seems like some of our workstations on the interactive logon screen show an wrong number of failed logins when an empty password is used (this has nothing to do with n-1 or 2 passwords), some show the proper number, and others don't. I've checked the AD with a powershell script to see the actual number and the numbers I get coincide with what the failed login screen is saying. Has anyone run into this problem before? I'm stumped.

As an aside, has anyone used SmartCard with the interactive login and found that they actually do count the number of failed logins? I feel as though because the authentication happens on the smart card, they are likely never going to be counted and will always show no interactive failed attempts.

Thanks,

Brandon

↧

Home Folders does NOT map on Initial Logon Using ADUC Settings

May 18, 2019, 5:50 am

≫ Next: SID History Authentication With Disabled Target Account

≪ Previous: Interactive Log On, badPwdCount not correct

I do have Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon (enabled)

All switches have Portfast enabled

All GPO are processed fine.

On few users (same user on ANY different device) will not map home drive that is in profile

It just simply is not there. But "set" shows:

HOMEDRIVE=U:
HOMEPATH=\
HOMESHARE=\\server.domain.local\Stafffile\Users\UserInQuestion

So it should be there. But no matter what, it does not happen.

Only way I can do is Loopback GPO with GPP but there I can even specify %HOMESHARE% and it maps perfectly fine.

Been all over the Internet, trying to figure that one out, but simply can not

Maybe somebody has any idea?

Seb

↧

SID History Authentication With Disabled Target Account

September 1, 2015, 8:07 am

≫ Next: User profile Service

≪ Previous: Home Folders does NOT map on Initial Logon Using ADUC Settings

BACKGROUND:

Users migrated to new domain with the SID value of their old domain user account added to the SID History property on their new domain user account
Old domain still in use as file servers haven't migrated to new domain
Old domain user accounts still exist to provision access to old domain file servers
New domain and old domain user accounts are both enabled

GOAL:

Determine if disabling the old domain user accounts will cause the new domain accounts to be unable to access the old domain file servers.

THOUGHTS:

From TechNet article: "When a user logs on and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user — the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client and are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token, including one of the SIDs in SID-History, can allow or deny the user access."

QUESTION:

If the old domain user account is disabled, will this disallow access to the group memberships of the disabled old domain user account and thereby make it so the new domain user account can't access resources on the old domain file servers?

↧