Channel: Directory Services forum

Upgrading Windows 2003 to 2008 R2 domain controller: serious issue


AOA

In my company we have one primary domain controller running on Windows 2003 (32-bit). Recently we bought a new HP G7 server and we wanted to shift the domain controller functions to the new server. I made that server a backup domain controller, then shifted all FSMO roles, which is working fine. The problem is that when I turn off my old 2003 server, all the naming information on the 2008 R2 server is lost and nothing appears in Active Directory Users and Computers. My DNS is configured correctly on both of these servers.

Please help me sort out this issue because it is creating a lot of problems for me.
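
The checks below are an added example and not part of the post or any reply to it: they are what a practitioner would run on the new 2008 R2 DC before the old DC is powered off, to confirm that the new DC can stand alone. They assume the RSAT ActiveDirectory module and repadmin are available, and the hostname NEWDC is a placeholder for the real server name.

```powershell
# Added example (not from the post): verify the new DC is self-sufficient before the 2003 DC goes away.
# Assumptions: RSAT ActiveDirectory module, repadmin on PATH, NEWDC is a placeholder hostname.
Import-Module ActiveDirectory
$NewDc = 'NEWDC'

# 1. Every FSMO role should now name the new DC.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$roles.GetEnumerator() | ForEach-Object {
    $held = $_.Value -like "$NewDc.*"
    '{0,-22} {1,-35} {2}' -f $_.Key, $_.Value, $(if ($held) { 'OK' } else { 'NOT ON NEW DC' })
}

# 2. The only remaining DC must be a global catalog, and the DNS zones it serves must be
#    AD-integrated (DsIntegrated = True), otherwise the zones leave with the old server.
$dc = Get-ADDomainController -Identity $NewDc
"Global catalog on ${NewDc}: $($dc.IsGlobalCatalog)"
Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone -ComputerName $NewDc |
    Select-Object Name, DsIntegrated, ZoneType

# 3. Inbound replication into the new DC must have succeeded for every naming context.
repadmin /showrepl $NewDc /csv | ConvertFrom-Csv |
    Select-Object 'Naming Context', 'Source DSA', 'Number of Failures', 'Last Success Time'

# 4. The new DC's own DNS client must not point only at the old DC.
Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $NewDc -Filter 'IPEnabled=TRUE' |
    Select-Object Description, DNSServerSearchOrder
```

Run it from the new DC itself; a role still reported on the old server, a zone that is not DsIntegrated, or a non-zero failure count in the replication table each explains a directory that "empties" when the old DC is switched off.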


File Replication & Hostname Mapping Problem


Hi all,

Firstly, sorry for my grammar. We have a big problem and I don't know how to solve it.

We have 9 domain controllers (two central (master) controllers, and 7 additional DCs over the WAN located at edge offices).

OS : Windows 2008 R2 Std SP1.

Two of our DCs can't replicate to the master DCs. I have found the problem, but how do I solve it?

From the master DCs I can map to both servers by IP address (net use x: \\10.XX.XXX.XXX\c$), but when I test with the hostname (net use x: \\servername\c$) it can't map and I get the error "System error 64 has occurred".

I have checked with nslookup and all DNS records are normal. I have found a temporary solution: when I reboot the master DCs, everything returns to normal, mapping by hostname works and replication succeeds.

Note: when the problem occurs, both DCs can't replicate to the master DCs; after rebooting the master DCs it returns to normal.

How do I find out why all shares are accessible by IP address but not by hostname?

Server 2003 LDAP event 1219 error


Hi, recently one of our Hyper-V servers locked up; this host runs some of our Windows 2003 DCs. After getting Hyper-V back online and restarting the virtual servers, I am getting event 1219 logged, and the message body says:

Active Directory was unable to initialize simple bind authentication.

As a result, simple bind authentication against this LDAP interface will result in binding as an unauthenticated user.

We use a Moodle VLE that authenticates via LDAP, which seems to have gone offline when the servers crashed. Anyone got any ideas where to start troubleshooting this error?

Thanks

A new AD checklist

If you were asked to independently review the design and implementation of a new Active Directory, what specific areas would you focus on from a risk perspective? Could you provide perhaps the more critical checks, or a top 10 of essentials, and how you'd go about testing them? This can be from a hands-on testing perspective, or as a request for evidence of testing performed by the implementation team.
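
As an added example (not from the post or any reply), here is the kind of read-only evidence a reviewer can gather with the RSAT ActiveDirectory module: privileged group membership, unconstrained delegation, accounts without Kerberos pre-authentication, Kerberoastable or non-expiring privileged accounts, the machine account quota, the password policy, and leftover sIDHistory. The thresholds used (14-character minimum, quota 0) are the reviewer's assumptions, not something the page states.

```powershell
# Added example (not from the post): read-only risk checks against a new domain.
# Assumptions: RSAT ActiveDirectory module; run as a domain user with read access;
# the thresholds in checks 5 and 6 are assumptions.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Check, $Objects) {
    $list = @($Objects | Where-Object { $_ })
    [void]$findings.Add([pscustomobject]@{
        Check    = $Check
        Count    = $list.Count
        Examples = (($list | Select-Object -First 5) -join ', ')
    })
}

# 1. Privileged groups: every member, nested ones included, must be known and justified.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Add-Finding "Members of $g" (Get-ADGroupMember $g -Recursive | ForEach-Object { $_.SamAccountName })
}

# 2. Unconstrained delegation (userAccountControl bit 0x80000) on anything that is not a DC:
#    such a host caches a TGT of every user that authenticates to it.
$dcDns = Get-ADDomainController -Filter * | ForEach-Object { $_.ComputerObjectDN }
$uncon = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
         Where-Object { $dcDns -notcontains $_.DistinguishedName } | ForEach-Object { $_.Name }
Add-Finding 'Unconstrained delegation on non-DC' $uncon

# 3. Kerberos pre-authentication disabled (bit 0x400000): anyone can request crackable AS-REP material.
Add-Finding 'Pre-auth not required' (
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' |
    ForEach-Object { $_.SamAccountName })

# 4. Protected (adminCount=1) accounts with an SPN (Kerberoastable) or a password that never expires.
$priv = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties servicePrincipalName, PasswordNeverExpires
Add-Finding 'adminCount=1 with SPN' ($priv | Where-Object { $_.servicePrincipalName } | ForEach-Object { $_.SamAccountName })
Add-Finding 'adminCount=1 password never expires' ($priv | Where-Object { $_.PasswordNeverExpires } | ForEach-Object { $_.SamAccountName })

# 5. ms-DS-MachineAccountQuota: the default of 10 lets any user join machines and own their computer objects.
$quota = (Get-ADObject $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Add-Finding "ms-DS-MachineAccountQuota = $quota (expect 0)" $(if ($quota -gt 0) { 'domain head' })

# 6. Domain password policy baseline (assumed minimums: length 14, lockout enabled).
$pp = Get-ADDefaultDomainPasswordPolicy
Add-Finding "Min length $($pp.MinPasswordLength), lockout threshold $($pp.LockoutThreshold)" `
    $(if ($pp.MinPasswordLength -lt 14 -or $pp.LockoutThreshold -eq 0) { 'Default Domain Policy' })

# 7. sIDHistory left over from migrations: access paths that ACL reviews in this domain will not show.
Add-Finding 'sIDHistory present' (Get-ADObject -LDAPFilter '(sIDHistory=*)' | ForEach-Object { $_.Name })

$findings | Format-Table -AutoSize -Wrap
```

Each row is a piece of evidence to ask the implementation team to justify; a zero count in checks 2, 3 and 7 and a short, named list in check 1 is what a clean new build should show.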

MaxPageSize is set to 0


Hi,

We've noticed that our DCs have a value of 0 for MaxPageSize (LDAP policy) and have no idea why it was set to that. We tried changing this value to 0 on another DC (in a different forest) but ntdsutil will not allow it. It just returns 'No Changes to Commit.' when we run 'set MaxPageSize to 0' and then commit the changes.

Any idea how it was changed?

Thanks,

Xy
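
The following is an added example, not part of the post or a reply to it. ntdsutil edits the lDAPAdminLimits attribute of the Default Query Policy object in the Configuration partition, so "how was it changed" can be answered from that attribute's replication metadata, which records the originating DC, the time and the version of the last write. Get-ADReplicationAttributeMetadata needs the 2012-level RSAT module; the repadmin line gives the same information from any OS level.

```powershell
# Added example (not from the post): where MaxPageSize is stored, its current value, and who last changed it.
# Assumptions: RSAT ActiveDirectory module (2012 or later for Get-ADReplicationAttributeMetadata), repadmin on PATH.
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
$dc  = (Get-ADDomain).PDCEmulator
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
$policy = Get-ADObject $policyDn -Properties lDAPAdminLimits -Server $dc

# Current value exactly as ntdsutil shows it: one 'Name=Value' string per limit.
$policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxPageSize=*' }

# Last originating write of the attribute: when, from which DC, and how many times it has changed.
Get-ADReplicationAttributeMetadata -Object $policyDn -Server $dc -Properties lDAPAdminLimits |
    Select-Object AttributeName, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity, Version

# Same metadata via repadmin, which works against 2003/2008 DCs as well.
repadmin /showobjmeta $dc $policyDn | Select-String 'lDAPAdminLimits'

# A DC can be pointed at a different query policy object; confirm none of them are.
Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $cfg -Properties queryPolicyObject -Server $dc |
    Select-Object DistinguishedName, queryPolicyObject
```

The originating DC and timestamp narrow the change down to a session on that server at that time, which can then be matched against its Security and Directory Service event logs.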

Troubleshooting dcdiag error and DHCP


Hi,

we are facing multiple errors and any advice to further troubleshoot them is highly appreciated.

We have a forest functional level of 2003, with 2 Windows 2008 R2 DCs plus a WDS/DHCP Server 2008 R2 in one VLAN, and 2 DCs (Windows 2003 and Windows 2008) in another VLAN. On the Windows 2008 servers, KB 92985 to remove IPv6 was run. We had trouble with some applications which we were able to pin down to IPv6, therefore we wanted to make sure that IPv6 is not used in our environment.

I believe that the problems started after this KB was run, but it could be a network problem as well, as several network devices were changed. I just don't know what else I could do to find out the real problem. Just for information: working with the network guys to troubleshoot this isn't going to work.

Problems:

1) dcdiag (this is a translation, as we have a German AD):

Starting test: SystemLog

 * The System Event log test

 The event log on server <AD servername> cannot be queried. Error 0x6ba "The RPC server is unavailable."

 ......................... <AD servername> has not passed test SystemLog.

2) In addition, our PXE and DHCP environment isn't working anymore. No name resolution and no PXE boot is the other problem I have.

What works:

Servers with static IPs don't have problems, and AD replication works as well.

Any ideas what I could do to find out the real problem? Maybe it is just a network problem and doesn't have anything to do with the KB that was run, but as I cannot pinpoint the problem right now I don't know how to go on troubleshooting it. Again, any ideas are highly appreciated.

In addition, if any of you know of a good how-to or article on removing IPv6 from Windows Server 2008 R2 without destroying it, that would be a great help as well.

Hiding/masking or renaming the domain name that users see


Hi,

Scenario: company A and company B merge. Company A has the better infrastructure and the plan is to merge/consolidate B into A, but management would like a new combined domain name 'AB'. It's costly to build new infrastructure.

Is there a way to retain the domain name of company A but have all users only ever see the masked domain name 'AB' at login/authentication, etc.?

So the original domain name will not change, but users think it has changed.

Can adding a UPN suffix resolve this?

Thanks
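
As an added example (not from the post or a reply), this is what adding an alternative UPN suffix looks like with the RSAT ActiveDirectory module, and what it does and does not change: users can then sign in as user@ab.com, but the domain's NetBIOS and DNS names, which the DOMAIN\user form at the logon prompt and the Kerberos realm still show, stay as they are. The suffix ab.com and the OU path are placeholders.

```powershell
# Added example (not from the post): register an alternative UPN suffix and move one OU's users to it.
# Assumptions: RSAT ActiveDirectory module; 'ab.com' and the OU distinguished name are placeholders.
Import-Module ActiveDirectory
$NewSuffix = 'ab.com'
$Scope     = 'OU=Staff,DC=companya,DC=local'

# 1. The suffix must exist at the forest level before any user can carry it.
Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = $NewSuffix }
(Get-ADForest).UPNSuffixes

# 2. Rewrite the UPN of every user in scope. -WhatIf first; drop it to apply.
#    The UPN is what users type as user@ab.com, so tell them before flipping it.
Get-ADUser -SearchBase $Scope -Filter * |
    ForEach-Object { Set-ADUser $_ -UserPrincipalName "$($_.SamAccountName)@$NewSuffix" -WhatIf }

# 3. What still reveals the real domain: its NetBIOS and DNS names do not change.
Get-ADDomain | Select-Object NetBIOSName, DNSRoot
```

Anything that authenticates with the DOMAIN\user form (the pre-Windows 2000 logon name) keeps showing company A's NetBIOS name; only the UPN form changes.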

Windows 7 Roaming Profiles take a LONG time after first logon


I'm having a VERY bizarre case of long logon times for a new branch office running Windows 7 64-bit Professional in a domain environment with a local 2008 R2 server (gigabit connectivity). Here are the symptoms:

1. A user with no pre-created roaming profile logs in for the first time... works great!
2. The user then logs off the PC (Start - Log off); the screen hangs at "Please wait for the User Profile Service" for 2-3 minutes before completing the logoff.
3. All subsequent attempts to log on/off take 2-3 minutes, hanging at the "Please wait for the User Profile Service" screen.

The network connections are all very fast... I grabbed a packet capture of a good logon (#1 above) and a bad logoff (#2 above). It appears as though it's just writing nonsense for a LONG time. The profile size is 6 MB...

I'm attaching a screencap of the packet capture. This is 18,127 packets of this type of information just from this single user. Logoff time went to 166 seconds for this capture.

Please help!


ktpass keytab creation and multiple SPNs


I have a client using an IBM product that requires a keytab file to be created for an account userx, so the account can use Kerberos authentication. This account has an SPN of HTTP/website.domain.com@DOMAIN.COM. It is easy enough to create a keytab file for this by doing the following:

ktpass -out file.keytab -princ HTTP/website.domain.com@DOMAIN.COM -mapuser domain\userx -pass abc.123 -ptype KRB5_NT_PRINCIPAL

This will create a keytab file that the IBM application can use. However, now this client is asking for multiple SPNs to be added to the userx account. He wants HTTP/website1.domain.com@DOMAIN.COM and HTTP/website2.domain.com@DOMAIN.COM added to the userx account. This is easy enough to do, and a setspn -l userx command will return:

Registered ServicePrincipalNames for <DN of user>:
HTTP/website.domain.com@DOMAIN.COM
HTTP/website1.domain.com@DOMAIN.COM
HTTP/website2.domain.com@DOMAIN.COM

So all 3 of the SPNs are showing up, but I have a problem. 

First, I didn't think you could have multiple SPNs for the same service type (in this case HTTP) on a single account.

Secondly, even if multiple SPNs are allowed for the same service type, how do you generate a keytab file? You have to designate a single principal name during the keytab creation.

Thanks for any help.
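
The script below is an added example, not part of the post or any reply. Kerberos has no objection to several SPNs of the same service class on one account; a ticket for any of them is encrypted with the same key, derived from the account's password. A keytab, however, holds one entry per principal name, so the file needs an entry for each SPN, all carrying the same key and key version. ktpass can append to an existing file with /in, and the first run is the only one that should map the principal and set the password, since every password set increments the kvno and would invalidate the entries written before it. The names userx, DOMAIN.COM and website*.domain.com are the post's placeholders. One caveat the practitioner should check rather than assume: AES keys are salted with a principal name, and ktpass derives the salt from the principal it is given, so after building the file confirm each extra principal with kinit on the IBM host; if only the first works, the extra entries were salted differently from the key AD holds.

```powershell
# Added example (not from the post): one keytab carrying an entry for every HTTP SPN on one account.
# Assumptions: RSAT ActiveDirectory module, setspn/ktpass on PATH, run as a domain admin,
# placeholder names userx / DOMAIN.COM / website*.domain.com; -SetUpn and -SetPass are ktpass
# switches that turn off its defaults of rewriting the UPN and resetting the password.
Import-Module ActiveDirectory
$Account = 'userx'
$Realm   = 'DOMAIN.COM'
$Hosts   = 'website.domain.com', 'website1.domain.com', 'website2.domain.com'
$Keytab  = 'C:\keytabs\userx.keytab'
$Secure  = Read-Host -AsSecureString "Password for $Account"   # the post's abc.123 is only a placeholder
$Plain   = (New-Object System.Net.NetworkCredential('', $Secure)).Password

# 1. Register the SPNs. -S makes setspn refuse a name already registered on another account
#    anywhere in the forest; a duplicate SPN breaks Kerberos for both services silently.
foreach ($h in $Hosts) { setspn -S "HTTP/$h" $Account }

# 2. First entry: map the principal to the account and set the password (this bumps
#    msDS-KeyVersionNumber), writing a fresh keytab.
ktpass /out $Keytab /princ "HTTP/$($Hosts[0])@$Realm" /mapuser "$Realm\$Account" /mapop add `
       /pass $Plain /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL

# 3. Remaining entries: same password and the kvno AD now holds, appended via /in,
#    without touching the account again.
$Kvno = (Get-ADUser $Account -Properties 'msDS-KeyVersionNumber').'msDS-KeyVersionNumber'
foreach ($h in $Hosts[1..($Hosts.Count - 1)]) {
    ktpass /in $Keytab /out "$Keytab.new" /princ "HTTP/$h@$Realm" /pass $Plain /kvno $Kvno `
           /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL -SetUpn -SetPass
    Move-Item -Force "$Keytab.new" $Keytab
}
$Plain = $null

# 4. Verify on the IBM host with its MIT or Java tools, one principal at a time:
#    klist -k -t userx.keytab
#    kinit -k -t userx.keytab HTTP/website1.domain.com@DOMAIN.COM
```

Copy the keytab over an encrypted channel and restrict its file permissions on the IBM host: it is equivalent to the account's password.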



Domain controller starts before LAN = problems. Why?


Windows DC Experts...

I have a set of Windows 2008 R2 DCs at branch sites. Each site has one server, a DC. When a site suffers a power outage, UPS outage, anything that takes down the LAN and the domain controller, both systems start back up. The DC comes online and doesn't get a network link yet, as the switch is still going through POST, then the DC throws a bunch of errors in the event log about not being able to contact the domain, being unable to start DNS, DFS connection issues, not being able to get authentication for DHCP, etc. Once that settles down, the switch comes online and the server gets a link, where it then sits indefinitely. Even though it's now on the LAN, workstations can't get IP addresses, get to mapped DFS paths, etc. It's a real ball of fun; it can sit for hours and never get back on track. It has DNS services, and DNS is set to point to its own IP and one of the centralized DCs over the WAN link. After a reboot, everything starts up fine. However, in the meantime, the office full of people are all rebooting in a panic and all have unassigned 169.x.x.x addresses on their Windows 7 machines. It's a perfect picture of the typical IT Monday morning.

Short of physical power tricks, is there anything I could do to delay some of these service startups until the link is up, or is there something that should be retrying this connection in order to get the services 'healed' and back in a usable state (DNS/DFS/DHCP)?

Pete

AD 2008 Allow LDAP Auth via Email address


Setting up a GWAVA spam server, it needs to authenticate to LDAP with an email address and password. I can test this fine with username and password; how can I set something in AD to allow this? Alternatively, I could try to query the LDAP search context to look at the "mail" attribute, but so far this hasn't worked for me.

Any ideas would be helpful.
Thanks in Advance.

Dana Bessey IT Manager MCSE, MCPS, MCNPS H.E. Murdock Co. Inc dba Day's Jewelers 88 Main Street Waterville, ME 04901 (207) 873-7036 Be Sure to visit us at www.daysjewelers.com
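
The function below is an added example, not part of the post or a reply, and says nothing about how the GWAVA product itself is configured. Two facts drive it. AD accepts a simple bind whose name is the user's UPN (user@domain.com) as well as DOMAIN\user, so if the address users type is also their UPN no change is needed. When mail and UPN differ, the usual pattern is search-then-bind: bind with a low-privilege lookup account, search the mail attribute for the matching object, then bind again as that user to prove the password. Two things a practitioner would insist on are built in: LDAPS on 636, because a simple bind otherwise sends the password in clear, and RFC 4515 escaping of the address so that user input cannot alter the search filter. The server name, base DN and lookup account are placeholders.

```powershell
# Added example (not from the post): search-then-bind against AD by e-mail address.
# Assumptions: LDAPS reachable on 636 with a trusted certificate; dc01.corp.example.com, the base DN
# and the lookup account are placeholders. Uses the built-in System.DirectoryServices.Protocols classes.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapMailLogon {
    param(
        [string]$Server = 'dc01.corp.example.com',
        [string]$BaseDn = 'DC=corp,DC=example,DC=com',
        [System.Management.Automation.PSCredential]$Lookup,   # may only read 'mail'; needs no other rights
        [string]$Mail,
        [securestring]$Password
    )
    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)

    # 1. Find the account. Escape the user-supplied value (RFC 4515) so it cannot change the filter.
    $escaped = $Mail -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $search = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Lookup.GetNetworkCredential(), 'Basic')
    $search.SessionOptions.SecureSocketLayer = $true     # simple bind is cleartext without TLS
    $search.SessionOptions.ProtocolVersion   = 3
    $search.Bind()
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDn, "(&(objectClass=user)(mail=$escaped))", 'Subtree', @('userPrincipalName'))
    $resp = $search.SendRequest($req)
    $search.Dispose()
    if ($resp.Entries.Count -ne 1) { return $false }     # unknown or ambiguous address: fail closed
    $upn = $resp.Entries[0].Attributes['userPrincipalName'][0]

    # 2. Prove the password by binding as that user; a wrong password raises LdapException (result 49).
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    $cred = New-Object System.Net.NetworkCredential($upn, [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $user = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, 'Basic')
    $user.SessionOptions.SecureSocketLayer = $true
    $user.SessionOptions.ProtocolVersion   = 3
    try     { $user.Bind(); return $true }
    catch   [System.DirectoryServices.Protocols.LdapException] { return $false }
    finally { $user.Dispose() }
}

# Usage:
# Test-LdapMailLogon -Lookup (Get-Credential 'CORP\ldap-lookup') -Mail 'jane.doe@example.com' -Password (Read-Host -AsSecureString 'Password')
```

Returning $false for both "no such address" and "two objects share this address" matters: a duplicate mail value must never let the second account authenticate as the first.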

How to set up an additional domain controller in a different place, or realization


Hi guys,

We have an Active Directory server (forest) in Ireland. We want to create an additional domain controller on a server in Singapore.

How do we get connectivity between the two servers, or zones?

Please share the information or a link.


Srinivasan.B

I am not able to replicate a DC at a site because it does not have the updated password for the admin account


I am not able to replicate a DC at a site because it does not have the updated password for the admin account.

So the only way for me to access the DC is by using the old password of a current user account.

If I use my current password it doesn't work.

So I need to remove this DC, but it is failing.

dcdiag result:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SHAYBAH-ISF
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: SHAYBAH-ISF\SHAYBAH-ISF
      Starting test: Connectivity
         The host 0b912867-2f7e-4506-8656-4a645fb4cf20._msdcs.Almojilgroup.com
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... SHAYBAH-ISF failed test Connectivity

Doing primary tests

   Testing server: SHAYBAH-ISF\SHAYBAH-ISF
      Skipping all tests, because server SHAYBAH-ISF is not responding to
      directory service requests.


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : Almojilgroup
      Starting test: CheckSDRefDom
         ......................... Almojilgroup passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Almojilgroup passed test CrossRefValidation

   Running enterprise tests on : Almojilgroup.com
      Starting test: LocatorCheck
         Error: The server returned by DsGetDcName() did not match
         DsListRoles() for the PDC
         ......................... Almojilgroup.com passed test LocatorCheck
      Starting test: Intersite
         ......................... Almojilgroup.com passed test Intersit

Server 2003: some servers are behind an hour. Event ID 22 & 25


About half of our DCs are one hour behind. All are running Server 2003, including the NTP server (DC1). All servers are in the same AD group with the same policies. It happened about 2 weeks ago, at the same time according to the System event logs. Please see the logs below:

Event ID: 25

NtpClient cannot determine whether the response received from dc1.domain.com has a valid signature. The response will be ignored. The error was: The interface is unknown. (0x800706B5)

Event ID: 22

The time provider NtpServer encountered an error while digitally signing the NTP response for peer xxx.xxx.xxx.157:123. NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: The interface is unknown. (0x800706B5)

It doesn't make sense that half of the servers are correct and half are an hour behind when they all have the same NTP server. One server gives an Information event log entry that says it is receiving the correct time from DC1, but it is still an hour behind.

Any suggestions?

Thanks, Josh.
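
An added example (not from the post or a reply) of how to measure the situation described rather than read it off event logs: w32tm /stripchart, which exists on Server 2003, reports each DC's clock offset relative to the machine running it, so subtracting the PDC emulator's offset gives each DC's drift from the PDC; the W32Time Parameters key says whether a DC follows the domain hierarchy (Type NT5DS) or a manual peer list (Type NTP). Run it from an admin workstation with PowerShell 3 or later; the RSAT ActiveDirectory module is used only for the DC list, and the 5-minute threshold is Kerberos' default clock skew, an assumption about what matters, not something the post states.

```powershell
# Added example (not from the post): offset of every DC from the PDC emulator plus each DC's time source.
# Assumptions: PowerShell 3+, RSAT ActiveDirectory module for the DC list, remote registry reachable.
Import-Module ActiveDirectory
$Pdc = (Get-ADDomain).PDCEmulator
$Dcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

# Offset of one host's clock relative to this workstation, in seconds; $null if it does not answer.
function Get-ClockOffset([string]$Computer) {
    $line = w32tm /stripchart /computer:$Computer /samples:1 /dataonly 2>&1 |
            Select-String '^\d+:\d+:\d+,\s*([+-][\d.]+)s' | Select-Object -First 1   # e.g. "15:20:31, +00.0014023s"
    if ($line) { [double]$line.Matches[0].Groups[1].Value } else { $null }
}

# Configured source: NT5DS = domain hierarchy (expected on member DCs), NTP = manual peers (expected only on the PDC).
function Get-TimeConfig([string]$Computer) {
    try {
        $key = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer).
                   OpenSubKey('SYSTEM\CurrentControlSet\Services\W32Time\Parameters')
        '{0} ({1})' -f $key.GetValue('Type'), $key.GetValue('NtpServer')
    } catch { "registry unreadable: $($_.Exception.Message)" }
}

$pdcOffset = Get-ClockOffset $Pdc
$Dcs | ForEach-Object {
    $o = Get-ClockOffset $_
    $fromPdc = if ($o -ne $null -and $pdcOffset -ne $null) { [math]::Round($o - $pdcOffset, 3) } else { $null }
    [pscustomobject]@{
        DC              = $_
        OffsetFromPdcS  = $fromPdc
        Flag            = if ($fromPdc -eq $null) { 'no answer' }
                          elseif ([math]::Abs($fromPdc) -gt 300) { 'beyond Kerberos skew (5 min)' }
                          else { 'ok' }
        Config          = Get-TimeConfig $_
    }
} | Format-Table -AutoSize
```

A DC showing roughly 3600 seconds of offset while its Config column reads NT5DS is following the hierarchy and still wrong, which points at the source it is actually using rather than at its own configuration.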

Where is the document for uninstalling a Windows 2008 DC?


I need to uninstall a Win2008 DC (not the last DC in the domain).

I would like to make sure of the procedure, just in case.


SID is displayed in the security tab of some folder


A SID like S-1-5-21-19604・・・ is displayed in the security tab of a folder.

Does this mean the SID's object was deleted from AD but the folder still has that ACE entry?

Serious issue with availability - Resource leak possible?

Dear experts,

we've been having serious issues with our domain controllers running Server 2008 R2 SP1 (with current updates, depending on when they were last rebooted).
I'll delve right in:
Our domain controllers stop responding to requests after about 60-80 days of uptime.
They then start to log all kinds of errors, but most of them relate only to subsequent failures (such as unable to communicate with DNS or another DC, that replication failed, etc).
The only (possibly) relevant issue I could find was an event log entry saying "The name limit on the local adapter has been exceeded".
For example, I can still RDP in, but am unable to map a network drive or anything like that.
A reboot fixes the problem immediately.

I have done extensive research on the issue and came up empty except for this article:
http://support.microsoft.com/kb/961775

I suspect this as a related or even the root cause, since it describes 95% of what we are experiencing:

YES - User authentication fails.
YES - Sysvol replication fails.
SOMETIMES - Events 404 and 408 appear in the DNS server log.
YES - One of the following Netlogon events occurs:
SOMETIMES - Netlogon event 5775
SOMETIMES - Netlogon event 5792
SOMETIMES - Netlogon event 5792
SOMETIMES - Netlogon event 5719
YES - This problem most commonly occurs on domain controllers that are running the Microsoft System Center Operations Manager agent.
 The agent makes repeated local queries to LSASS on port 389. The queries cause the number of orphaned connections to increase rapidly. Because of this, the domain controller fails after a few days.
YES - TDI interface used (Sophos Antivirus)


 
The only difference is that the article says this applies to multiprocessor machines. Some of our DCs are multi-core, some are single-core. All are experiencing the issue.

All DCs run as VMs on top of Hyper-V 2008 R2 SP1
All DCs run 2008 R2 SP1 themselves
All DCs have the SCOM agent installed
All DCs have Sophos AV installed

Is there any expert out there who can confirm/deny that this might be the issue, and whether there is a fix for 2008 R2 for this?
Could it be something else?
We are desperate, since if AD goes, so does a lot of our network!
 

Share permissions show only a SID and not a user-friendly name


Hi All,

We have migrated the servers over to a new domain using ADMT. Now I have found that some of the shares show a SID and not the name.

Also, a few users are getting access denied.

How do I translate these SIDs to names and find which ones to keep or remove?

Also, this server's iLO is set to the old domain and some old IPs; is this the cause? I'm not sure whether it still has the old DNS address.

AS
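
The function below is an added example, not part of this post, of the earlier "SID is displayed in the security tab" post, or of any reply; it serves both questions. A raw SID appears in an ACL when nothing can translate it to a name, which is the case for a deleted object. After an ADMT migration there is a second possibility: the old SID is preserved in the new object's sIDHistory, where it still matches the ACE for any user whose token carries it, while users migrated without SID history see access denied. The function walks a path's ACL, translates each identity, and classifies unresolved entries as migrated (the SID is some object's sIDHistory in the new domain) or orphaned. \\FS01\Data is a placeholder.

```powershell
# Added example (not from the posts): classify every ACE on a share as resolving, migrated or orphaned.
# Assumptions: RSAT ActiveDirectory module joined to the new domain; \\FS01\Data is a placeholder path.
Import-Module ActiveDirectory

function Resolve-AclSid {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Get-Acl already returns a bare SecurityIdentifier when the name cannot be resolved.
        $ref = $ace.IdentityReference
        $sid = $null
        if ($ref -is [System.Security.Principal.SecurityIdentifier]) { $sid = $ref }
        else { try { $sid = $ref.Translate([System.Security.Principal.SecurityIdentifier]) } catch { } }
        if (-not $sid) { continue }

        $name = $null
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        if ($name) {
            $status = 'resolves'
        } else {
            # ADMT keeps the old SID in sIDHistory; a hit means the same principal lives on under a new SID.
            $mig = Get-ADObject -LDAPFilter "(sIDHistory=$sid)" -Properties objectSid -ErrorAction SilentlyContinue
            if ($mig) { $name = $mig.Name; $status = "migrated, new SID $($mig.objectSid)" }
            else      { $status = 'ORPHANED: no object and not in any sIDHistory' }
        }

        [pscustomobject]@{
            Path   = $Path
            SID    = [string]$sid
            Name   = $name
            Rights = $ace.FileSystemRights
            Type   = $ace.AccessControlType
            Status = $status
        }
    }
}

Resolve-AclSid -Path '\\FS01\Data' | Format-Table -AutoSize
```

Orphaned entries are the ones to remove; migrated entries keep working only while sIDHistory is retained, so they are the ones to re-ACL with the new SID before SID history is cleaned up.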

   

Exchange 2010 ports requirement to Root DC


Hi,

I am installing Exchange 2010 in a child domain. The error is that the account has to be a member of Organization Management. I have confirmed that it is already a member of Organization Management.

Do I need to open firewall ports to communicate with the root DC, as follows?

135 TCP

53 TCP/UDP

88 TCP/UDP

3268 TCP

389 TCP/UDP

Please advise.  Thanks.


Kelvin Teang

Where is the document for installing a Win2008 DC into a Win2003 AD for the first time?


There is a Win2003 AD; it does not include a Win2008 DC.

I would like to add a Win2008 DC, but I think it needs the schema to be extended.

Where is the document for that ?
