Channel: Directory Services forum

ldap_add_ext_sW error 0c44(68 (Already Exists).


I'm trying to create an OU using the command prompt.

I am running the following command in ntdsutil partition management:

create nc DC=xxx,DC=xxx,DC=xx NULL

It gives me the error:

ldap_add_ext_sW error 0c44(68 (Already Exists).

When I check the partitions in ADSI Edit, I don't see the partition there. So I can't delete it because it's not there, but I can't create it because the system is saying it already exists.

Has anyone run into this issue before? Any ideas on how I can get this OU created? I have to create this specific OU for one of our programs to work.

Running on Windows Server 2012 R2

Thanks,


Domain functional level upgrade


Hello All,

We are planning to upgrade DFL from 2003 to 2012R2 

We are single forest and single domain, all our DC are 2012 R2.

Could anyone tell us what precautions we need to take proactively?

We have lots of applications which authenticate using our domain controllers.

regards

Aamir Masthan



Problem with secondary DC


Hi to all

In our domain we have 2 DC servers. Windows Server 2003 R2

The second one is also a file server.....

Today when I came into my office I heard a lot of complaints from some of our users that they were unable to open the mapped drive of our file server. When I saw that I was unable to log in to our primary DC I made a check and saw the server was off. After I powered on the server everything worked as expected.

I would like to know why the second DC does not authenticate the user.

The current configuration is very old and I don't know a lot of things about 2003 servers.

Please help me find a solution with as much detail as possible.

Thanks and regards.

Additional Domain Controller doesn't work when pdc is turned off


Hi there

Please kindly advise me, I have two domain controllers in my network, one PDC and one additional.

Both of them are GCs, replication is established without any error, but when I turn off the PDC, my additional domain controller doesn't work, doesn't authenticate users, Exchange doesn't work and ...

Please advise me how I can resolve this problem.

Best Regards

Masoud

I can't figure out how to replicate between two servers in different domains?


Hello,

I posted originally in the Hyper-V section but it was suggested the question was a kerberos problem so I should post here.

I've done replications between servers all the time - sometimes they aren't on the same subnet, with a VPN tunnel between them, but never between two domains - first time - not sure if there is something different I need to do.

I have two servers, each host running 2016 (and all guest VMs are 2016). I have set up a trust between the two and conditional forwarders. I can ping each server by name.

I have the Hyper-V settings set for Kerberos. I've disabled all firewalls on both servers - there are NO firewall policies, rules, or anything else between the two domains. All firewalls are disabled.

When I set up a replication from one host to the other using Kerberos, I get these two messages:

event 3200 Hyper-V failed to enable replication for virtual machine 'Test': A connection with the server could not be established (0x00002EFD). (Virtual machine ID 71EFDF26-BD0D-4C85-81FB-6C6918AA036E)

This is the setting on the server I'm replicating from -

Not sure if that ! about configuration details is the source of the issue.

These are settings on the server I'm replicating to - 

event 29230 Hyper-V cannot connect to the specified Replica server 'HOST1'. Error: A connection with the server could not be established (0x00002EFD). Verify that the specified server is enabled as a Replica server, allows inbound connection on port '443', and supports the same authentication scheme.

No Windows firewall on either server. There is no additional antivirus/firewall and the Windows firewall is disabled in services as well as through the GUI. There is a VPN tunnel between the two but no filtering or policies - wide open.

Both servers can resolve each other by name to the right IP - I don't have to include the domain for them to resolve. When I do, I still get that error when I try to replicate.

The two errors I get are - (there are no other errors on either host)

3200 Hyper-V failed to enable replication for virtual machine 'Test': A connection with the server could not be established (0x00002EFD). (Virtual machine ID 71EFDF26-BD0D-4C85-81FB-6C6918AA036E)

event 29230 Hyper-V cannot connect to the specified Replica server 'HOST1'. Error: A connection with the server could not be established (0x00002EFD). Verify that the specified server is enabled as a Replica server, allows inbound connection on port '443', and supports the same authentication scheme.



Active Directory with Multiple Sites


Hi All, 

We have around 8 AD servers along with 4 AD sites running 2008 server. More than 4500 users with multiple subnets.

All the AD servers are running some application and services like DNS, DHCP, ADFS, Attendance file system, Ad Audit Plus.. etc. 

Active Directory is synced with cloud. Currently we are facing a lot of issues like replication, authentication issue, downtime issue, application down issues.. etc.

Kindly clarify and explain the below:

1. Best practices for AD with multiple sites along with DNS, DHCP services and applications.

2. Whether we can implement with old servers or we need to migrate the servers from old to new. 

3. How to avoid AD Replication and user authentication latency issues.

4. How do we overcome application latency issues and downtime issues.

5. How do we set Site and services topology for multiple site replication. 

6. Is an additional domain controller enough or do we need a child domain.

7. Is it the better choice to put RODC servers in branch offices.

8. Best Practices for Active Directory Infra. 

9. How do we set FSMO roles along with multiple sites.

10. Domain Controllers capacity for users. 

Thanks,

Leenas



Should cross forest clients be authenticating against my domain controller


We have a forest trust between A and B.

Clients in A have accounts in B and access resources in B using those accounts.

Nothing has been granted to B to access A.

Our PDC is logging No_Client_Site authentications for all kinds of clients from B.  I checked the security log and couldn't match any audit success or failure to the Netlogon.log entries.  So I'm unclear why these clients would even be touching my domain controller.  Is this normal?

Thanks!
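As an added example that is not part of the post, a small triage script for NO_CLIENT_SITE entries like the ones described: it parses a constructed Netlogon.log excerpt and buckets the source IPs by whether they fall in your own address plan (meaning a subnet object is missing from Sites and Services) or in the trusted forest's address space, which separates the cross-forest clients in question from ordinary site-coverage gaps. The log lines, domain name and the 10.10.0.0/16 and 10.50.0.0/16 ranges are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed Netlogon.log excerpt (not taken from the post). A NO_CLIENT_SITE
# line names the client and the source IP that matched no AD subnet object.
SAMPLE_NETLOGON_LOG = """\
03/04 08:12:01 [MISC] [1240] CORP: NO_CLIENT_SITE: WKS-B-017 10.50.1.17
03/04 08:12:05 [MISC] [1240] CORP: NO_CLIENT_SITE: WKS-B-018 10.50.1.18
03/04 08:13:40 [MISC] [1240] CORP: NO_CLIENT_SITE: WKS-A-003 10.10.4.3
03/04 08:14:02 [LOGON] [1240] CORP: SamLogon: Network logon of CORP\\jdoe from WKS-A-003 Entered
03/04 08:15:11 [MISC] [1240] CORP: NO_CLIENT_SITE: WKS-B-017 10.50.1.17
03/04 08:16:30 [MISC] CORP: NO_CLIENT_SITE: WKS-B-021 10.50.2.9
"""

# The "[thread id]" field after [MISC] is optional: older builds omit it.
NO_CLIENT_SITE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[MISC\](?: \[\d+\])? "
    r"(?P<domain>[^:]+): NO_CLIENT_SITE: (?P<client>\S+) (?P<ip>[0-9a-fA-F.:]+)$"
)

def parse_no_client_site(log_text):
    """Return one dict per NO_CLIENT_SITE line; every other line is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = NO_CLIENT_SITE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["ip"] = ip_address(entry["ip"])
            entries.append(entry)
    return entries

def classify_sources(entries, own_ranges, trusted_forest_ranges):
    """Bucket hits by source: own address plan (a subnet object is missing from
    Sites and Services), the trusted forest's address space, or unknown.
    Returns {bucket: Counter({ip: hits})}."""
    own = [ip_network(n) for n in own_ranges]
    trusted = [ip_network(n) for n in trusted_forest_ranges]
    buckets = {"own_unmapped": Counter(), "trusted_forest": Counter(), "unknown": Counter()}
    for entry in entries:
        ip = entry["ip"]
        if any(ip in n for n in own):
            buckets["own_unmapped"][str(ip)] += 1
        elif any(ip in n for n in trusted):
            buckets["trusted_forest"][str(ip)] += 1
        else:
            buckets["unknown"][str(ip)] += 1
    return buckets

def suggest_subnets(counter, prefixlen=24):
    """Collapse hit IPs into candidate /24 subnet objects, sorted for review."""
    return sorted({str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in counter})

if __name__ == "__main__":
    hits = parse_no_client_site(SAMPLE_NETLOGON_LOG)
    buckets = classify_sources(hits, ["10.10.0.0/16"], ["10.50.0.0/16"])
    for name, counter in buckets.items():
        print(f"{name}: {dict(counter)}")
    print("candidate subnet objects:", suggest_subnets(buckets["own_unmapped"]))
```

Run it against a real Netlogon.log by replacing SAMPLE_NETLOGON_LOG with the file contents; the trusted_forest bucket is the set of hosts to take to the other forest's admins, and own_unmapped is the list of subnet objects to add.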

Domain controllers won't allow login at console if network is connected. Serious head scratcher.


This is a strange one.  It keeps happening... 

I have a total of 8 Domain controllers,  this only happens to one specific site and one specific child domain.

Server 2012 R2 and Server 2016, forest level 2008 R2.

The DC will be working fine, handling all requests etc. However when you reboot, you can no longer log in at the console.

This is happening on physical and virtual machines. 

If I disable the VM's NIC in VMware, start the machine up without being connected to the network, I can log in. Then I turn the NIC back on.

The other symptoms are when the machine reboots it uses all ram assigned to the VM if it is going to fail. 

It will get to 'waiting for ADDS', then reboot again. 

When it does come up, I can enter my password (or any password) and it won't allow me in. 

I disconnect the NIC, reboot, it allows me to log in and I turn the NIC back on.

Some of the things I'm seeing in Event Viewer:

The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (CreateSession).


The default value for the NetBIOS domain name is already being used, one alternative has been suggested.


I'm setting up a couple of new virtual Server 2016 machines. I don't want to migrate AD from the existing 2008 R2 network, so I started out fresh. One of the reasons for a fresh start is the current AD domain name: "koppesbouwkunde.lan". It's highly recommended to use the 'real' domain name in AD; in our case "koppesbouwkunde.nl". No problem, except for NetBIOS. When I run Server Manager to upgrade one of the servers to be a domain controller, it complains there's already a domain name "koppesbouwkunde", which is correct - that's the old domain. Now I specified an alternative name for NetBIOS, but I wonder what havoc this will wreak?

Simon Weel

Find identity of local group


How do I get identifying information about a Windows Server local group?

Background. We have installed Machine Learning Services for SQL Server 2017. When you do, it creates a local group called "SQLRUserGroup". This will create a service called LaunchPad that will spin up Python or R sessions with an identity of MSSQLSERVER?? (numbered) which are members of the SQLRUserGroup. We set up the login and permissions for the SQLRUserGroup on SQL Server and the process ran.

Getting closer to my question.  We did something (I'm not sure what, upgraded Python packages, reinstalled the Machine Learning Services).  At that point SQL Server no longer recognized the MSSQLSERVER?? logins as valid logins.

What I did to fix the problem was to drop the SQLRUserGroup login in SQL Server that we had created and recreated it.  Python worked great.

My theory is that the upgrade/reinstall created a new SQLRUserGroup local group that had a different internal id from the one that worked before the upgrade/reinstall.  I would have expected that the SQLRUserGroup would have a different internal id that would cause our loads to fail.

Here is where I am puzzled.  Before I dropped the SQLRUserGroup login, I recorded the SID that SQL Server recorded for that windows group.  After I created the SQLRUserGroup login I recorded the SID again and it was the same as it was before recreating the SQLRUserGroup login.

So, back to my question. Is there some means (cmd line, PowerShell, GUI, registry setting) that I can use to find out the actual internal identity of a Windows local group?


Russel Loski, MCSE Data Platform/Business Intelligence Twitter: @sqlmovers; blog: www.sqlmovers.com

AD Design and Recommendation


Hi,

We have several DC's (WS 2016 with ADDS and DNS Installed) running on several different sites and I have to prepare a rationalization document. 

So any suggestions on how I can rationalize? I also have the AD site topology diagram.

Please help me on this to prepare and compare accordingly so that I can give the recommendation.

Thanks,

Roshan Kumar

Change domain Name


I have a complex configuration as follows:

Two domains (xxxx.net and the other one is xxxx.edu.kw). The AD domain name is xxxx.net and I have Exchange 2013 with it. In order to migrate to O365 I added the other domain as an alternative, xxxx.edu.kw, and configured the DNS, so now all the mailboxes are in the cloud (xxxx.net and xxx.edu.kw) and have the same mailbox synced with AD Connect. Now they need to cancel xxxx.net entirely and keep only xxx.edu.kw.

What I did is I created a new AD with the new domain name xxx.edu.kw and moved all the users and groups using ADMT.

My question: do I install a new Exchange server with the new domain and then install a new AD Connect, or what's the best solution for this?

Active Directory: Recovering deleted objects vs groups


Hello, 

My journey into IT waters was a little bit rough but I'm getting better and better every day. And often, the rabbit holes go not only so deep but there are labyrinths/mazes all over (sounds like some poet or so! :D). Can anybody explain to me the difference between recovering deleted objects (like 10 deleted accounts) versus group deletion(with 10 accounts)?

I understand there is a difference if Active Directory Recycle Bin is enabled (we can go to it and recover the deleted object quite fast - can we do it with groups???). If there is no ADRB at our disposal, there is this ntdsutil authoritative restore (either object or OU). So what's the story with deletion of groups? Another possibility was so-called "tombstone reanimation" but this one lacks restoration of proper permissions if I'm not mistaken. Is there any article explaining the difference or could some IT whizz kid drop some clues right here???

Thanks! 

========

"Unfortunately, no one can be…told what the Matrix is. You have to see it for yourself. This is your last chance. After this, there is no turning back. You take the blue pill , the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill , you stay in Wonderland, and I show you how deep the rabbit hole goes"Matrix

Unable to Promote Secondary DC


When running the Post-deployment Configuration Wizard I am getting stuck on the following process:

"Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC ..."

The account that I used to promote the primary DC was causing an error last week and I deleted the servicePrincipalName information from Attribute Editor for this account by mistake. I am guessing that this may be the cause of this problem. Is there a way to either fix this account or make it possible to use another account to complete this promotion process?

PDC is Windows Server 2012 R2, as is the new server I am trying to promote.

AD not trust samba after user logon on other computer


Hello,

Linux users use Active Directory for authentication and a Samba server to get their own profile.

1. User enters AD credentials on Linux-PC-01

2. AD approves and allows login to the computer. User gets a Kerberos ticket.

3. Then on this PC an internal service tries to connect to Samba and asks for access to the profile

4. Samba validates the user through AD

5. AD approves and the user starts to mount and copy the profile

The problem begins if the user logs on on another computer, Linux-PC-02. He passes authentication successfully (steps 1-3), then tries to mount the profile. Samba asks AD and AD SOMETIMES answers, "Do not trust this user". As a result Samba denies access to the profile, and the user gets a local (temp) profile.

After a few hours, if the profile mount is retried, the problem does not arise.

P.S. The organization has two domains, each with its own Samba and clients. In domain A there are no problems, but in the new domain B the problem is present. Some options are present in the "A" AD domain (the previous administrator configured them), but these options are missing in the "B" domain.


Domain/Forest Functional Level for 2016 is missing


I have two domain controllers, both Server 2016. The domain functional level was still at 2003, and I wanted to raise it up to 2016.  I noticed that the options to raise it did not include 2016.  After "Windows Server 2012 R2" my next option was "Windows Server".

I read that I should step up to 2008/2012 before going to 2016.  So I raised the domain and forest level to 2012, hoping that would clear up the missing 2016 on the last option.  Unfortunately it did not.  I am running smoothly on functional level 2012, but only have two options when attempting to raise it further: "Windows Server 2012 R2" and "Windows Server".

What is the best/safest way for me to proceed?  Is there any repair that should be made so this properly displays "Windows Server 2016"?  Is it safe to raise the domain/forest level to "Windows Server"?

Thank you for any advice you have!!

The Host record for the local computer cannot be found in the DNS


Dear Forum,

We have a problem with our DNS server: when we joined a client computer to the domain, I found that the client did not register its host record itself. We can't see the host (A) record on the DNS server. What's the problem with our DNS server? I'm looking for help with this problem. Thanks in advance.


Why do I need a secure-pipes connection to use Kerberos authentication to a DC


Can someone please help me with the following, as I have never found an answer to this question.

As far as I know/have heard/read etc.

In a Windows Active Directory domain environment, if I (the user) want to authenticate to a domain controller (logon) using Kerberos then the computer I am logging in from must be domain joined. In other words the computer has to already share a secret (symmetric key/computer account password) with the DC in order that the computer authenticates in the first instance with the DC, and sets up a secure channel over which data can be encrypted to/from the computer and DC (leave Kerberos armoring to one side a moment as not relevant to my question).

So the computer has a secure connection to the DC (which I believe most people refer to as a secure-pipes connection, due to the pipes protocol).

The thing is I do not see why this secure connection is required for a user to perform Kerberos authentication to a DC (e.g. from a standalone workstation), for the following reason:

As long as the DC/KDC knows the user's long-term key (password hash), e.g. entered by an admin when the user was created, and the user knows the password too, the usual Kerberos pre-authentication (encrypt timestamp with hash) can take place between the user and the DC (along with the rest of the Kerberos handshake protocol exchange). For example a TGT along with a session key can be delivered to the user (session key encrypted using the user's password hash as the key), etc....

So why on earth does it state everywhere I have come across this that you need an existing secure connection (domain-joined computer) before the user can use Kerberos to authenticate themselves?

I would appreciate it if someone could explain (what I am missing, if anything), and if I am pointed to a URL please make it one with the answer to this specific question in it rather than a general discussion on Kerberos.

Thanks very much everyone 

CXMelga

Cannot delegate permission to move user object from OU to its subOU


Hello,

Like I said in the title, I am trying to delegate permission for moving user objects to its sub-OUs.

I have spent lots of time doing research and tests on this topic and almost all of the answers say that I need to do the following:

Source OU:

- This object only - Delete User Objects

- Descendant User objects - Write Distinguished Name, Write Name, Write name

Destination OU:

- This object only - Create User objects

All permissions are delegated to the test group.

But the thing is that it doesn't work. While trying to move the test user I get an "Access denied" error.

Is there anything I can do more to make it work? I would like to keep it as simple and as minimal as possible.

Merge existing on prem Active Directory to existing office 365 environment


We currently have an on-premises Active Directory with close to 500 users as well as a separate Office 365 account that contains as many users as well as distribution lists, public folders, and shared mailboxes. When creating a new user, we have to create an AD account and then create the user in Office 365. Both systems have 2 different passwords for the user as they are running completely separately from each other.

The question is simply how can I merge these two systems so that

1. When I create an account in Active Directory, it creates the Office 365 account.

2. Links the current AD user to its respective Office 365 account.

3. The account uses the AD password for both computer logins and email.

4. When the user accounts are synced, I do not lose the distribution lists and security groups within Office 365.

And finally, as our company is in the medical field, can I set up a test environment using our existing AD and Office 365 information to simulate the merge and ensure it works before actually committing to it.

thanks
