Channel: Directory Services forum

Domain Controller Failed Test Advertising


Hi Guys,

I have created a secondary (backup) domain controller and successfully managed to promote it. However, it doesn't contain the NETLOGON directories. On running the DCDIAG command, I get the following output.

Notes:

The current primary DC is running Windows Server 2003 with the Server 2003 forest functional level (name: pdc, pdc.domain1.com).

My new server with the errors is on Windows Server 2012 R2 (DC01, DC01.domain1.com).

-----------------------------------------------------------------------------------------

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.domain1>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\pdc.domain1.com, when we were trying to reach DC01.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DC01 failed test Advertising
      Starting test: FrsEvent
         ......................... DC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC01 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC01\netlogon)
         [DC01] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DC01 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC01 passed test Replications
      Starting test: RidManager
         ......................... DC01 passed test RidManager
      Starting test: Services
         ......................... DC01 passed test Services
      Starting test: SystemLog
         ......................... DC01 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain1
      Starting test: CheckSDRefDom
         ......................... domain1 passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain1 passed test CrossRefValidation

   Running enterprise tests on : domain1.com
      Starting test: LocatorCheck
         ......................... domain1.com passed test LocatorCheck
      Starting test: Intersite
         ......................... domain1.com passed test Intersite

Please assist.
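The two failing tests (Advertising and NetLogons) are what a DC shows while Netlogon is still waiting for SYSVOL to arrive: the NETLOGON and SYSVOL shares are only published, and the DC only advertises, once the SysvolReady flag has been set by the SYSVOL replication engine. In a 2003-level forest that engine is FRS, and a 2012 R2 DC has to pull the initial SYSVOL copy from pdc over FRS. The script below is an added example (not from the post) that collects the facts needed to see which stage is stuck; it uses the host and domain names from the post and assumes it is run elevated on DC01.

```powershell
# Added example: why is DC01 not advertising? Run elevated on DC01.
$dc     = 'DC01'
$domain = 'domain1.com'

# 1. Netlogon publishes SYSVOL/NETLOGON and starts advertising only when
#    SysvolReady is 1. The replication engine sets it after the initial sync.
$nlParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ready = (Get-ItemProperty -Path $nlParams -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
"SysvolReady = $ready"

# 2. Which engine owns SYSVOL here? A 2003-level forest uses FRS (service NtFrs)
#    unless SYSVOL has been migrated to DFSR. dfsrmig prints 'Start' (state 0)
#    when no migration has ever been done.
Get-Service -Name NtFrs, DFSR -ErrorAction SilentlyContinue | Select-Object Name, Status
dfsrmig /getglobalstate

# 3. FRS tells you in its own log whether the initial sync is blocked:
#    13508 = cannot replicate from the partner, 13516 = sync done, DC may advertise.
Get-WinEvent -LogName 'File Replication Service' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 13508, 13509, 13516 } |
    Select-Object TimeCreated, Id, @{n='Msg'; e={ ($_.Message -split "`n")[0] }}

# 4. What the DC shares right now, and what has arrived on disk.
Get-SmbShare | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' } | Select-Object Name, Path
Get-ChildItem -Path "$env:SystemRoot\SYSVOL\sysvol\$domain" -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime      # expect Policies and scripts

# 5. Directory replication is separate from SYSVOL; both must be healthy.
repadmin /showrepl $dc

# 6. Ask the locator: a DC that is not advertising is skipped and the answer
#    names another DC (pdc in the post's output).
nltest /dsgetdc:$domain /server:$dc
```

Setting SysvolReady to 1 by hand makes the shares appear and the DC advertise immediately, but do that only after the Policies and scripts folders on DC01 have been confirmed identical to pdc's: a DC that advertises an empty SYSVOL hands clients empty Group Policy, including the security settings those policies carry.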


Updating root certificate


Hi all,

I have a private certificate authority installed on a domain controller running Windows Server 2008 R2.

This certificate authority is used to issue certificates for Exchange 2010.

The root certificate is about to expire on 7/18/2019.

My concern is what will happen to the issued Exchange certificates when updating the root certificate.

Keep in mind the Exchange certificate will expire on 18 July 2019 too.

If I update the root certificate now, what will happen to the issued certificate of Exchange 2010?

In other words:

What is the appropriate sequence for updating the CA root certificate, taking into account that the Exchange 2010 certificates have to be valid and running?
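Two facts decide the sequence: a certificate is never accepted past the expiry of the CA certificate that signed it (chain building fails as soon as any link is time-invalid), and renewing the CA certificate with the same key pair leaves every already-issued certificate chaining correctly to the renewed CA certificate. The following is an added example, not from the post, that reads both expiry dates, lists the issued certificates that are bounded by the CA certificate, and then performs the renewal; the CA name is an assumption and the commands are meant to run on the CA itself.

```powershell
# Added example: check the CA validity window against issued certificates,
# then renew the CA certificate reusing the existing key. Run on the CA.
$caConfig = "$env:COMPUTERNAME\Contoso-Root-CA"   # assumption: CAHost\CAName

# 1. The CA's own certificate sits in the machine Personal store on the CA.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority } } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
"CA certificate '{0}' valid until {1:u}" -f $caCert.Subject, $caCert.NotAfter

# 2. Issued (Disposition=20), still-valid certificates in the CA database,
#    with their own NotAfter. None can be later than the CA's NotAfter.
certutil -config $caConfig -view -restrict "Disposition=20,NotAfter>=now" -out "RequestID,CommonName,NotBefore,NotAfter" csv

# 3. Renew the CA certificate with the same key. Existing certificates keep
#    chaining (same subject key); the old CA certificate remains in stores
#    until its own expiry, so nothing breaks at the moment of renewal.
certutil -config $caConfig -renewCert ReuseKeys

# 4. Get the renewed CA certificate to the clients. An enterprise CA publishes
#    it to AD itself; for a standalone CA publish it and let Group Policy
#    distribute it, then check a client with: certutil -store Root
certutil -config $caConfig -ca.cert "$env:TEMP\ca-renewed.cer"
certutil -dspublish -f "$env:TEMP\ca-renewed.cer" RootCA

# 5. Only now request or renew the Exchange certificate (New-ExchangeCertificate
#    -GenerateRequest on the Exchange side), submit it to the CA and verify
#    that the chain it builds ends at the renewed CA certificate:
certutil -verify "$env:TEMP\exchange-new.cer"
```

Order, therefore: renew the CA certificate first, push the renewed CA certificate to every machine that will validate Exchange's certificate, and renew the Exchange certificate last, since it cannot be issued with a lifetime beyond the current CA certificate anyway.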

How to make LDAP SSL call using DsBrowseForContainerW API


Hi, 

I am using DsBrowseForContainerW() to load all containers (OUs) from a given domain.

Internally it uses a non-SSL LDAP call to read data from the domain controller, but I want to use LDAP over SSL to read data from the domain controllers.

How can I achieve this?

case-1 : ADsPath = "LDAP://Domain100.Lab/DC=Domain100,DC=Lab"   working fine, LDAP non-SSL calls

case-2 : ADsPath = "LDAP://dc12.Domain100.Lab:389/DC=Domain100,DC=Lab"   working fine, LDAP non-SSL calls

case-3 : ADsPath = "LDAP://dc12.Domain100.Lab:636/DC=Domain100,DC=Lab"   NOT working

LDAP non-SSL port = 389

LDAP SSL port = 636

Code :

// P/Invoke declarations the snippet depends on (dsuiext.dll). DSBrowseInfo is
// assumed to be declared elsewhere with the layout of the native DSBROWSEINFOW.
[DllImport("dsuiext.dll", CharSet = CharSet.Unicode)]
static extern int DsBrowseForContainerW(ref DSBrowseInfo pInfo);
const uint DSBI_HASCREDENTIALS = 0x00200000;   // value per dsclient.h

DSBrowseInfo dsbi = new DSBrowseInfo();
dsbi.cbStruct = System.Runtime.InteropServices.Marshal.SizeOf(dsbi);
dsbi.pszCaption = caption;     // dialog caption
dsbi.pszTitle = title;         // text shown above the container tree
dsbi.pszRoot = ldapPath;       // ADsPath the tree is rooted at (case-1..3 above)
dsbi.pszPath = sResult;        // receives the ADsPath of the selected container
dsbi.cchPath = 1024;           // size of pszPath, in characters
dsbi.hwndOwner = hwnd;

if (user != null && user.Length > 0)
{
    dsbi.pUserName = user;
    dsbi.pPassword = password;
    dsbi.dwFlags |= DSBI_HASCREDENTIALS;   // tells the dialog to bind with these credentials
}
int ret = DsBrowseForContainerW(ref dsbi);  // IDOK, IDCANCEL, or -1 on failure

In case-3, it gives an error: unable to connect to the domain with the given user name and password.

Please help me solve the issue. How can I achieve LDAP SSL communication using the DsBrowseForContainerW() API?

Thanks & Regards

Prasad
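Putting :636 in an ADsPath only changes the port; it does not by itself switch ADSI to TLS, which is consistent with the bind failure in case-3. The example below, added here and not from the post, takes a different route to the same data: it enumerates the OUs directly with System.DirectoryServices.Protocols, where TLS on port 636 is an explicit session option and the server certificate is checked by the caller. It uses the host, port and base DN from the post; the credential parameter is an assumption (leave it out to bind as the logged-on user). It does not produce the browse dialog, so it replaces the lookup behind the dialog rather than the dialog itself.

```powershell
# Added example: list OUs over LDAPS (TCP 636) with an explicit TLS session
# and a server-certificate check. Host/port/base DN from the post.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-OuOverLdaps {
    param(
        [string]$Server = 'dc12.Domain100.Lab',
        [int]$Port = 636,
        [string]$BaseDn = 'DC=Domain100,DC=Lab',
        [System.Net.NetworkCredential]$Credential   # assumed; optional
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion    = 3
    $conn.SessionOptions.SecureSocketLayer  = $true   # TLS from the first byte (LDAPS)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    if ($Credential) { $conn.Credential = $Credential }

    # The library does not validate the DC certificate for you: require a
    # chain to a trusted root and a name that matches the host we dialled.
    $conn.SessionOptions.VerifyServerCertificate = {
        param([System.DirectoryServices.Protocols.LdapConnection]$c,
              [System.Security.Cryptography.X509Certificates.X509Certificate]$cert)
        $c2    = [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($c2)
        $nameOk  = ($c2.GetNameInfo('DnsName', $false) -eq $Server)
        return ($chainOk -and $nameOk)
    }.GetNewClosure()

    $conn.Bind()
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, '(objectClass=organizationalUnit)',
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'distinguishedName')
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
    $conn.Dispose()
    $resp.Entries | ForEach-Object { $_.DistinguishedName }
}

Get-OuOverLdaps
```

If the goal is confidentiality on the wire rather than port 636 specifically, the same connection on port 389 with `$conn.SessionOptions.Signing = $true` and `$conn.SessionOptions.Sealing = $true` (Negotiate/Kerberos) encrypts the traffic without TLS. Directories with more than 1000 OUs need a PageResultRequestControl on the search request.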


Active Directory Sites and Services Replication Problem


Good day Sir / Ma'am,

    I have a big problem with our AD. I have been through all the forums and yet I have not solved our problem. Please refer below.

     When I try to replicate ZAMECO2AD under domain-server2, this happens:

And when I try to replicate 693.... under ZAMECO2AD, this happens:

Please help. It has bugged me for almost two weeks. Thank you.

Hard disk error

Hi all,

I'm promoting a Server 2012 R2 domain controller. During the prerequisites check, it returns the error "Verification of prerequisites for Domain Controller promotion failed. The folder U:\windows\ntds does not refer to a valid hard disk. Select a folder on a hard disk drive".

If I set the path to the C: drive it works just fine. My U: drive is NTFS, attached from a LUN. Is there any requirement in terms of HD type/format?

Hide homePhone attribute in AD


Hi,

I want to hide the homePhone attribute in AD. Is there any way to do so, as I am unable to do it via ADSI Edit?
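Two things get in the way of hiding homePhone the usual way: the Confidential bit in searchFlags cannot be set on base-schema attributes such as homePhone, and Authenticated Users read it through the "Personal Information" property set rather than through an attribute-level ACE you could simply remove. What remains is an explicit Deny ReadProperty ACE scoped to that one attribute on user objects. The script below is an added example, not from the post; the OU it is applied to and the use of Authenticated Users as the denied principal are assumptions.

```powershell
# Added example: deny Read on the homePhone attribute of user objects under an OU.
Import-Module ActiveDirectory
$targetOu = 'OU=Staff,DC=contoso,DC=com'      # assumption: scope of the deny
$denied   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')  # Authenticated Users
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Attribute- and class-scoped ACEs are expressed with schemaIDGUIDs.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$attrGuid  = Get-SchemaGuid 'homePhone'
$classGuid = Get-SchemaGuid 'user'

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $denied,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $attrGuid,                                                     # only this attribute
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)                                                    # only on user objects

$acl = Get-Acl -Path "AD:\$targetOu"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# Verify the ACE landed; then, as an ordinary user, Get-ADUser <x> -Properties homePhone
# should return the object with homePhone empty.
(Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType
```

An explicit Deny for Authenticated Users also blocks administrators and every service account that reads users (directory synchronisation, address-book generation and the like), because a Deny ACE wins over any Allow at the same level. If some of those still need the value, deny a narrower group instead of Authenticated Users.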

Restoring Deleted Active Directory Object


Dear Support,

Can we restore a deleted Active Directory object without restarting the domain controller? If yes, please share the details on how to perform this.

OS : Windows Server 2008


R!t@$#

Nitpicking 101: AD snapshot- correct way..


Hey,

In order to "snapshot" AD I go to cmd and use ntdsutil. When I read how to do it I see "2 schools" .

ntdsutil

activate instance ntds

snapshot 

create

http://www.rebeladmin.com/wp-content/uploads/2015/02/snap8.png

https://blogs.technet.microsoft.com/niraj_kumar/2009/02/04/active-directory-snapshot-new-feature-in-windows-2008/

---------------------------------

ntdsutil

snapshot 

activate instance ntds

create

https://social.technet.microsoft.com/wiki/contents/articles/28644.active-directory-snapshot.aspx

Both on TechNet! Is there any difference between the two? Which one is the correct way? Most of the commands go only one way, hence my asking this question.

Thanks!


Database cloning: Copy(as pre-seed) vs copy a database


Hi,

I just have a simple question. In order to clone a database from SRV1 to SRV2 we need to first export the database. Then there is time to do both pre-seeding of data plus copying the aforementioned database. Do I use robocopy in both situations? Then import the database with PowerShell?

Thanks for the answer!
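The DFSR database cloning procedure (Windows Server 2012 R2 and later) is: export the database on the upstream server, robocopy both the replicated data and the exported database to the downstream server, then import. Robocopy is used for both copies, and the import is a PowerShell cmdlet. The script below is an added example, not from the post, written to run on the downstream server (SRV2); the volume, paths and the use of PowerShell remoting to SRV1 are assumptions.

```powershell
# Added example: DFSR database clone SRV1 -> SRV2. Run on SRV2 as an admin of both.
$upstream  = 'SRV1'
$volume    = 'E:'                 # assumption: replicated folder lives on this volume
$clonePath = 'E:\DfsrClone'       # assumption: export directory (empty) on both servers
$rfPath    = 'E:\Data'            # assumption: replicated folder path on both servers
$log       = 'C:\Temp\dfsr-clone'

# 1. Export on the upstream server. -Validation Basic stores a lightweight
#    signature per file; Full hashes every file (slow, but detects drift).
Invoke-Command -ComputerName $upstream -ScriptBlock {
    param($v, $p)
    New-Item -ItemType Directory -Path $p -Force | Out-Null
    Export-DfsrClone -Volume $v -Path $p -Validation Basic
} -ArgumentList $volume, $clonePath

# 2. Pre-seed the data. The copy must match what the database describes
#    byte-for-byte and ACL-for-ACL: backup mode (/B needs SeBackupPrivilege),
#    all security information (/COPYALL), and never the DfsrPrivate folder.
$src = "\\$upstream\$($rfPath -replace ':', '$')"
robocopy $src $rfPath /E /B /COPYALL /R:6 /W:5 /MT:64 /XD DfsrPrivate /TEE /LOG+:"$log-data.log"

# 3. Copy the exported database the same way.
$srcDb = "\\$upstream\$($clonePath -replace ':', '$')"
robocopy $srcDb $clonePath /E /B /COPYALL /R:6 /W:5 /MT:64 /TEE /LOG+:"$log-db.log"

# 4. Import locally, then poll the state until the import has finished
#    before adding SRV2 as a member of the replication group.
Import-DfsrClone -Volume $volume -Path $clonePath
Get-DfsrCloneState
```

Keep the robocopy logs: DFSR flags any file whose hash or security descriptor differs from the exported record as a mismatch, and the log is the quickest way to find which copy step lost ACLs (usually a copy without /B or /COPYALL).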

FSMOcheckFail


Hello Everyone,

 We are running a script for our Active Directory health check, and in that health check most things are fine, but one item shows as failed, as below. Can anyone help me with why this is failing and what we need to do to fix this issue?



Domain Trust between Server 2016 and 2008 R2 Domain


Hi

I have been trying to set up a trust between a new 2016 AD domain and an existing 2008 R2 domain (2008 R2 functional level, a mix of 2008 R2 and 2012 servers).

For some reason it only lets me set up a realm trust and not a trust with a Windows domain.

Is this normal? Has anyone else experienced issues with creating a 2008 and 2016 trust?

The 2016 domain is just one 2016 AD domain controller, as this is a new POC environment.

Dave
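The New Trust Wizard offers only a realm trust when it cannot locate a domain controller for the name typed in, which in a fresh POC forest usually means the 2016 DNS does not resolve the 2008 R2 domain's DC locator records. The following is an added example, not from the post: it adds name resolution, checks that the locator works, creates a two-way forest trust through the .NET API, and switches on SID filtering and selective authentication. Domain names, the address of the old domain's DNS server and the credentials are assumptions; run it on the 2016 DC.

```powershell
# Added example: resolve the old domain, then create a hardened forest trust.
$oldDomain = 'corp.contoso.com'     # assumption: existing 2008 R2 forest root
$oldDns    = '10.10.0.10'           # assumption: a DC/DNS server of the old domain
$oldAdmin  = 'CORP\Administrator'   # assumption: admin in the old forest
$oldPass   = Read-Host -AsSecureString "Password for $oldAdmin"

# 1. Name resolution, stored in AD so every DNS-enabled DC in this forest gets it.
Add-DnsServerConditionalForwarderZone -Name $oldDomain -MasterServers $oldDns -ReplicationScope Forest
# The wizard needs DC locator records, not just an A record:
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$oldDomain" -Type SRV | Select-Object NameTarget, Port
nltest /dsgetdc:$oldDomain
# (Create the matching conditional forwarder for this domain on the old side as well.)

# 2. Two-way forest trust via System.DirectoryServices.ActiveDirectory.
$plain  = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto(
          [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($oldPass))
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $oldDomain, $oldAdmin, $plain)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$local.CreateTrustRelationship($remote, [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# 3. Hardening. SID filtering drops SIDs that do not belong to the partner
#    forest (so a compromised partner cannot present sIDHistory of your admins);
#    selective authentication means partner users can reach a server here only
#    after being granted "Allowed to Authenticate" on its computer object.
$local.SetSidFilteringStatus($remote.Name, $true)
$local.SetSelectiveAuthenticationStatus($remote.Name, $true)

# 4. Verify from this side and show the resulting trust object.
$local.VerifyTrustRelationship($remote, [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
Get-ADTrust -Filter * -Properties SIDFilteringForestAware, SelectiveAuthentication |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringForestAware, SelectiveAuthentication
```

A forest trust requires both forests to be at the Windows Server 2003 forest functional level or higher, which a 2008 R2 forest satisfies; the 2008 R2 domain's own DNS must resolve the 2016 domain in the same way for the trust to be usable in both directions.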


Active Directory: Recovering deleted objects vs groups


Hello, 

My journey into IT waters has been a little bit rough, but I'm getting better and better every day. And often the rabbit holes go not only deep, but there are labyrinths/mazes all over (sounds like some poet or so! :D). Can anybody explain to me the difference between recovering deleted objects (like 10 deleted accounts) versus a group deletion (with 10 accounts)?

I understand there is a difference if the Active Directory Recycle Bin is enabled (we can go to it and recover the deleted object quite fast; can we do it with groups???). If there is no ADRB at our disposal, there is ntdsutil authoritative restore (either object or OU). So what's the story with the deletion of groups? Another possibility was so-called "tombstone reanimation", but this one lacks restoration of proper permissions if I'm not mistaken. Is there any article explaining the difference, or could some IT whizz kid drop some clues right here???

Thanks! 

========

"Unfortunately, no one can be…told what the Matrix is. You have to see it for yourself. This is your last chance. After this, there is no turning back. You take the blue pill , the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill , you stay in Wonderland, and I show you how deep the rabbit hole goes"Matrix
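The difference between the three recovery methods is what survives deletion. With the Recycle Bin enabled the deleted object keeps all of its attributes, including links, so a restored group gets its members back and a restored user gets its group memberships back. An authoritative restore from backup also brings links back. Tombstone reanimation brings back only what the tombstone kept: objectSid, objectGUID, sAMAccountName and a handful of others; linked attributes (member on a group, memberOf on a user), userAccountControl and most everything else are gone, so a reanimated group is empty and a reanimated user is disabled and in no groups. This added example (not from either post; it also answers the earlier "Restoring Deleted Active Directory Object" question about doing this without a reboot) performs a tombstone reanimation over LDAP with System.DirectoryServices.Protocols, which works against Windows Server 2008 without the AD module and without taking a DC offline. DC, domain, account and target DN are assumptions.

```powershell
# Added example: reanimate a user tombstone over LDAP (no Recycle Bin, no reboot).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dc    = 'dc01.contoso.com'                 # assumption
$domDn = 'DC=contoso,DC=com'                # assumption
$sam   = 'jdoe'                             # assumption: sAMAccountName survives deletion
$newDn = "CN=John Doe,OU=Staff,$domDn"      # assumption: where the object should reappear

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.Bind()
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

# 1. Find the tombstone. Deleted objects live under CN=Deleted Objects and
#    are only returned when the LDAP_SERVER_SHOW_DELETED_OID control is attached.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "CN=Deleted Objects,$domDn",
    "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$sam))",
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    @('distinguishedName', 'lastKnownParent', 'objectSid'))
$search.Controls.Add($showDeleted) | Out-Null
$entries = ([System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($search)).Entries
if ($entries.Count -eq 0) { throw "no tombstone for $sam" }
$tomb = $entries[0]
"tombstone:       $($tomb.DistinguishedName)"
"lastKnownParent: $($tomb.Attributes['lastKnownParent'][0])"

# 2. Reanimate: a single modify that removes isDeleted and sets the new DN.
#    Both changes must travel in the same operation.
$mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
$mod.DistinguishedName = $tomb.DistinguishedName
$mod.Controls.Add($showDeleted) | Out-Null
$m1 = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$m1.Name = 'isDeleted'
$m1.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
$m2 = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$m2.Name = 'distinguishedName'
$m2.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$m2.Add($newDn) | Out-Null
$mod.Modifications.Add($m1) | Out-Null
$mod.Modifications.Add($m2) | Out-Null
$conn.SendRequest($mod) | Out-Null
$conn.Dispose()
"reanimated as $newDn; the account is disabled, has no password and no group memberships: restore those by hand"
```

For the group case the same modify works on a group tombstone, but the resulting group has no members; to get the members back without the Recycle Bin you need an authoritative restore (`ntdsutil "authoritative restore" "restore object <DN>"` from a system-state backup, which also produces an LDIF of the back-links to re-import), and that one does require booting the DC into DSRM.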

Shared Folder Access only For Particular OU


Dear Team,

How can we configure shared folder access through GPO? Also, I need to set the permissions on the shared folder only for a particular Organizational Unit (OU).

Regards

Aghil


Cannot Delete Specific OU in AD


I cannot delete one OU in AD. The button to delete the OU is greyed out in ADUC/ADAC.

I have done some investigation from my part already:

1) "Protect object from accidental deletion" box is unchecked.

2) Tried to delete using powershell:

PS C:\Users\myaccount.COMPANY> Remove-ADOrganizationalUnit "OU=Company Computers,DC=company,DC=pri"

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove" on target "OU=Company Computers,DC=company,DC=pri".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
Remove-ADOrganizationalUnit : The requested delete operation could not be performed
At line:1 char:1
+ Remove-ADOrganizationalUnit "OU=Company Computers,DC=company,DC=pri"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (OU=Company Computers,DC=company,DC=pri:ADOrganizationalUnit) [Remove-ADOrganizationalUnit], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8398,Microsoft.ActiveDirectory.Management.Commands.RemoveADOrganizationalUnit

3) Tried to delete it in Group Policy Management, get error "Access is denied".

So this really looks like a permission issue, right?

Then I granted myself Full Control, and there is not any DENY rule in the ACL. I also verified from Effective Access that I have full access!

What else can I do to fix this issue? Is this a bug?
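Error 8398 is ERROR_DS_CANT_DELETE, which the directory returns when it refuses the delete irrespective of the caller's permissions; the best-known trigger is the FLAG_DISALLOW_DELETE bit (0x80000000) in systemFlags, which is why an Effective Access check that shows full control does not settle the question. A plain permission problem shows up as Deny entries on the OU or, easily missed, on its parent. The script below is an added example, not from the post, that gathers both kinds of evidence for the DN given in the post; it assumes the AD module is available.

```powershell
# Added example: why can this OU not be deleted? Flags first, then ACLs.
Import-Module ActiveDirectory
$ou     = 'OU=Company Computers,DC=company,DC=pri'
$parent = ($ou -split ',', 2)[1]

# 1. Object-level flags that block deletion regardless of permissions.
$o = Get-ADObject -Identity $ou -Properties ProtectedFromAccidentalDeletion, isCriticalSystemObject, systemFlags
[pscustomobject]@{
    DN                 = $o.DistinguishedName
    ProtectedFromAccidentalDeletion = $o.ProtectedFromAccidentalDeletion
    isCriticalSystemObject          = $o.isCriticalSystemObject
    systemFlags                     = ('0x{0:X8}' -f [int64]($o.systemFlags -as [int64]))
    DisallowDelete                  = [bool](([int64]$o.systemFlags) -band 0x80000000)
}

# 2. Children: a non-recursive delete needs a leaf, and -Recursive still
#    stops at any child that is itself protected from accidental deletion.
$children = Get-ADObject -SearchBase $ou -SearchScope Subtree -Filter * -Properties ProtectedFromAccidentalDeletion |
            Where-Object { $_.DistinguishedName -ne $ou }
"children: $($children.Count), protected: $(($children | Where-Object ProtectedFromAccidentalDeletion).Count)"

# 3. Deny entries touching deletion rights, on the OU and on its parent
#    (Effective Access in ADUC is computed for the selected object only).
foreach ($path in $ou, $parent) {
    (Get-Acl -Path "AD:\$path").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ActiveDirectoryRights -match 'Delete' } |
        Select-Object @{n='On'; e={ $path }}, IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
}

# 4. Once flags and ACLs are clean (uncomment to act):
# Set-ADObject -Identity $ou -ProtectedFromAccidentalDeletion $false
# Remove-ADOrganizationalUnit -Identity $ou -Recursive -Confirm:$false
```

If DisallowDelete comes back true the OU was created or later marked as a system-protected object; clearing that bit is a deliberate change to systemFlags on the object and should be done knowingly, not as a side effect of cleanup.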


Errors in DCDIAG


Scenario:

Site A (Being Decommissioned):

  • DC1
  • DC2

Site B (New Data Center):

  • DC3
  • DC4

Issue:

After building out the net-new DC3 and DC4, joining them to the domain and promoting them to domain controllers, I moved the PDC role from DC2 to DC4. When about to shut down DC1 and DC2, we noticed that while they are shut down, PCs are not able to log in to the domain. Long story short, DCDIAG showed a bunch of errors, listed below:

  • DC1 - Failing dcdiag LocatorCheck PDC, error 1355
  • DC2 - Failing dcdiag LocatorCheck PDC, error 1355
  • DC3 - Failing Advertising: DsGetDcName returned info for DC1 when trying DC3
  • DC3 - NetLogons failing (Unable to connect to NETLOGON share \\DC3\netlogon, error 67)
  • DC3 - Failing dcdiag LocatorCheck PDC, error 1355
  • DC4 - Failing Advertising: DsGetDcName returned info for DC2 when trying DC4
  • DC4 - NetLogons failing (Unable to connect to NETLOGON share \\DC4\netlogon, error 67)

Any idea on what may be causing some of this and how to correct it so that I am able to properly decommission DC1 and DC2?
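Error 1355 is ERROR_NO_SUCH_DOMAIN: the DC locator could not find a PDC for the domain at all. After a role move the new PDC registers `_ldap._tcp.pdc._msdcs.<domain>`; if that record is stale, or if the new holder is itself not advertising (the Advertising and NetLogons failures on DC3 and DC4 say SYSVOL has not reached them, so they never became suitable), every DC's PDC check fails with exactly this code, and clients have nothing to log on against once DC1 and DC2 are off. The script below is an added example, not from the post (it also covers the earlier "FSMOcheckFail" question, since that check is the same PDC/role-holder lookup): it lists the FSMO holders, tests whether each is reachable, compares the locator's answer with DNS, and forces re-registration. The domain name is an assumption.

```powershell
# Added example: FSMO holders vs. what the locator and DNS actually return.
Import-Module ActiveDirectory
$domain = 'corp.example.com'   # assumption

# 1. Role holders, and whether each one answers LDAP at all.
$forest = Get-ADForest
$dom    = Get-ADDomain -Identity $domain
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    [pscustomobject]@{
        Role          = $r.Key
        Holder        = $r.Value
        LdapReachable = Test-NetConnection -ComputerName $r.Value -Port 389 -InformationLevel Quiet
    }
}

# 2. Who the locator thinks the PDC is, versus the SRV records in DNS.
nltest /dsgetdc:$domain /pdc
Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$domain" -Type SRV | Select-Object Name, NameTarget, Port
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain"  -Type SRV | Select-Object NameTarget
Resolve-DnsName -Name "_kerberos._tcp.$domain"        -Type SRV | Select-Object NameTarget

# 3. Is the PDC holder ready to serve? SysvolReady=0 means it is still waiting
#    for SYSVOL and will not be advertised, whatever DNS says.
Invoke-Command -ComputerName $dom.PDCEmulator -ScriptBlock {
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name SysvolReady
    Get-SmbShare | Where-Object Name -in 'SYSVOL', 'NETLOGON' | Select-Object Name, Path
}

# 4. Re-register locator records on every DC and re-run the failing tests.
Get-ADDomainController -Filter * | ForEach-Object {
    Invoke-Command -ComputerName $_.HostName -ScriptBlock { nltest /dsregdns }
}
dcdiag /test:FsmoCheck /test:Advertising /test:NetLogons /v
```

Until DC3 and DC4 pass Advertising and NetLogons, DC1 and DC2 are the only DCs clients can use; decommission them only after the new site's DCs carry SYSVOL and the PDC record points at a DC that is actually advertising.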

Unable to Register SPN manually


All, I am pulling my hair out trying to resolve this issue. Whenever I run setspn.exe, regardless of the preceding switch, it fails with this error:

setspn -d http/service.domain domain\serviceaccount

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Unable to locate account serviceaccount

I have read through a lot of material, and most of it relates to SQL SPNs, which allow the option to self-register. I am registering an HTTP service. I tried setting the SPN in the AD Attribute Editor (ADM), but I'm not sure if that's the right way to do it.

Any help or idea would be greatly appreciated.
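0x525 is 1317, ERROR_NO_SUCH_USER: setspn could not find the account as typed, so it never got as far as writing the SPN. Computer and group managed service accounts have a trailing `$` in their sAMAccountName, and a name from another domain of the forest has to be looked up through the global catalog. The following added example (not from the post) checks the account the way setspn does, checks for a duplicate SPN, which would break Kerberos for both services, and registers the SPN with the AD module instead; the SPN and account name are taken from the post.

```powershell
# Added example: find the account, rule out duplicates, register and prove the SPN.
Import-Module ActiveDirectory
$spn  = 'http/service.domain'
$acct = 'serviceaccount'
$gc   = "$((Get-ADForest).RootDomain):3268"   # global catalog covers the whole forest

# 1. What object is 'serviceaccount'? Try it with and without the trailing '$'.
$obj = Get-ADObject -Server $gc -LDAPFilter "(|(sAMAccountName=$acct)(sAMAccountName=$acct`$))" `
           -Properties sAMAccountName, objectClass
if (-not $obj) { throw "no object with sAMAccountName $acct in the forest" }
$obj | Select-Object DistinguishedName, sAMAccountName, objectClass

# 2. Duplicate check: the same SPN on two accounts yields KRB_AP_ERR_MODIFIED
#    for clients, and setspn -S would refuse the add anyway.
$dup = Get-ADObject -Server $gc -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
if ($dup) { throw "SPN already registered on $($dup.DistinguishedName)" }

# 3. Register on the right object type.
switch ($obj.objectClass) {
    'user'                        { Set-ADUser           -Identity $obj -ServicePrincipalNames @{Add = $spn} }
    'computer'                    { Set-ADComputer       -Identity $obj -ServicePrincipalNames @{Add = $spn} }
    'msDS-GroupManagedServiceAccount' { Set-ADServiceAccount -Identity $obj -ServicePrincipalNames @{Add = $spn} }
}

# 4. Confirm, then ask the KDC for a ticket to that SPN.
setspn -L $obj.sAMAccountName
klist purge
klist get $spn
```

An SPN on an ordinary user account makes that account Kerberoastable: anyone with a domain logon can request a service ticket encrypted with the account's password hash and crack it offline. If the HTTP service cannot run under a gMSA, give the account a long random password and restrict it to AES by setting msDS-SupportedEncryptionTypes to 0x18.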

 

Interactive Log On, badPwdCount not correct


Hello,

I've been scouring the internet without finding anything that helps my situation. My problem is that some of our workstations show a wrong number of failed logins on the interactive logon screen when an empty password is used (this has nothing to do with n-1 or n-2 passwords); some show the proper number, and others don't. I've checked AD with a PowerShell script to see the actual number, and the numbers I get coincide with what the failed-login screen is saying. Has anyone run into this problem before? I'm stumped.

As an aside, has anyone used smart cards with the interactive login and found that they actually do count the number of failed logins? I feel as though, because the authentication happens on the smart card, they are likely never going to be counted and will always show no interactive failed attempts.

Thanks,

Brandon
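badPwdCount is one of the few attributes that is not replicated: each DC keeps its own counter, forwards the failure to the PDC emulator, and the PDC re-checks the password and keeps its own count. Two workstations that authenticate against different DCs can therefore legitimately see different numbers for the same user, and a script that only queries one DC sees only one of them. The following is an added example, not from the post; it queries every DC for the counter and correlates with the PDC's audit log. The user name is an assumption.

```powershell
# Added example: badPwdCount as seen by every DC, plus the PDC's audit trail.
Import-Module ActiveDirectory
$user = 'jsmith'   # assumption: sAMAccountName under investigation

function Get-BadPwdCountPerDc([string]$SamAccountName) {
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                     -Properties badPwdCount, badPasswordTime, lockoutTime
            [pscustomobject]@{
                DC          = $dc.HostName
                IsPdc       = ($dc.OperationMasterRoles -contains 'PDCEmulator')
                BadPwdCount = $u.badPwdCount
                LastBad     = if ($u.badPasswordTime) { [datetime]::FromFileTime($u.badPasswordTime) } else { $null }
                LockedOut   = [bool]($u.lockoutTime -gt 0)
            }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; IsPdc = $null; BadPwdCount = "error: $($_.Exception.Message)"; LastBad = $null; LockedOut = $null }
        }
    }
}
Get-BadPwdCountPerDc -SamAccountName $user | Sort-Object IsPdc -Descending | Format-Table -AutoSize

# Every failure ends up on the PDC: 4771 (Kerberos pre-authentication failed,
# status 0x18 = bad password) or 4776 (NTLM validation). Pull the last hour.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = (Get-Date).AddHours(-1) } |
    Where-Object { $_.Message -match "\b$user\b" } |
    Select-Object TimeCreated, Id, MachineName, @{n='Summary'; e={ ($_.Message -split "`n")[0] }}
```

Comparing the per-DC table with the 4771/4776 timestamps shows whether an attempt was counted somewhere (just not on the DC the workstation asked) or never reached a DC at all, which is the case to look at for the empty-password and smart-card questions.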

Home Folders does NOT map on Initial Logon Using ADUC Settings


I do have Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon (enabled)

All switches have Portfast enabled

All GPO are processed fine.

For a few users (the same user on ANY different device), the home drive that is set in the profile will not map.

It simply is not there. But "set" shows:

HOMEDRIVE=U:
HOMEPATH=\
HOMESHARE=\\server.domain.local\Stafffile\Users\UserInQuestion

So it should be there. But no matter what, it does not happen.

The only way I can do it is a loopback GPO with GPP, but there I can even specify %HOMESHARE% and it maps perfectly fine.

I've been all over the Internet trying to figure that one out, but simply cannot.

Maybe somebody has an idea?

Seb

SID History Authentication With Disabled Target Account


BACKGROUND:

  • Users migrated to new domain with the SID value of their old domain user account added to the SID History property on their new domain user account
  • Old domain still in use as file servers haven't migrated to new domain
  • Old domain user accounts still exist to provision access to old domain file servers
  • New domain and old domain user accounts are both enabled

GOAL:

Determine if disabling the old domain user accounts will cause the new domain accounts to be unable to access the old domain file servers.

THOUGHTS:

From TechNet article: "When a user logs on and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user — the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client and are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token, including one of the SIDs in SID-History, can allow or deny the user access."

QUESTION:

If the old-domain user account is disabled, will this disallow access to the group memberships of the disabled old-domain user account and thereby make it so the new-domain user account can't access resources on the old-domain file servers?
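What reaches the old domain's file server is the token built for the new-domain account: its SID, the SIDs in its sIDHistory, and the SIDs of the groups it is in (plus their sIDHistory). The old user object contributes nothing at logon beyond the SID that was copied into sIDHistory, so the useful check is which SIDs sIDHistory actually carries for each migrated user, whether any of them are old group SIDs, and whether the trust still lets those SIDs through (SID filtering on the trust strips them). The following is an added example, not from the post; domain names and the way the old domain's DC is discovered are assumptions.

```powershell
# Added example: inventory sIDHistory for migrated users and resolve each SID
# in the old domain, then check SID filtering on the trust from the old side.
Import-Module ActiveDirectory
$newDomain = 'new.corp'   # assumption
$oldDomain = 'old.corp'   # assumption
$oldDc     = [string](Get-ADDomainController -DomainName $oldDomain -Discover).HostName

function Get-SidHistoryReport {
    $migrated = Get-ADUser -Server $newDomain -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory
    foreach ($u in $migrated) {
        foreach ($sid in $u.SIDHistory) {
            $old = Get-ADObject -Server $oldDc -Filter "objectSid -eq '$($sid.Value)'" `
                       -Properties sAMAccountName, objectClass, userAccountControl
            [pscustomobject]@{
                NewAccount = $u.SamAccountName
                HistorySid = $sid.Value
                OldObject  = $old.sAMAccountName
                OldClass   = $old.objectClass          # 'user' = the old account's own SID, 'group' = migrated group SID
                OldEnabled = if ($old.objectClass -eq 'user') { -not ($old.userAccountControl -band 2) } else { $null }
            }
        }
    }
}
Get-SidHistoryReport | Format-Table -AutoSize

# Old-domain groups that contain the OLD account but whose SIDs are NOT in any
# sIDHistory: access granted through these is what to inspect before any change.
$oldUser = Get-ADUser -Server $oldDc -Identity 'jdoe' -Properties memberOf   # assumption: sample old account
$oldUser.memberOf

# sIDHistory only crosses the trust if SID filtering is off on the trust as
# seen from the resource (old) side.
Get-ADTrust -Server $oldDc -Filter * -Properties SIDFilteringQuarantined, SIDFilteringForestAware |
    Select-Object Name, Direction, SIDFilteringQuarantined, SIDFilteringForestAware

# What a migrated user's token contains: run on the old-domain file server as
# that user. Entries from sIDHistory appear alongside the group SIDs.
whoami /groups /fo list
```

Because sIDHistory grants access with no corresponding account to disable or audit, it is also a well-known persistence technique; the report above doubles as the audit that finds sIDHistory values which do not map back to a migrated object in the old domain.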
