Channel: Directory Services forum
Viewing all 31638 articles

Account lockout through LDAP connection


We have various applications that do a bind to our DCs using a certain LDAP account we create for them. Let's call the account LDAP01. This account has read privs in the domain and is only used to bind to AD, so that it can then pass through the credentials of the real user that is using the application. Let's call the user User01. This is done so that the application can use AD as the central repository for authentication and authorization. It also means that the application owners do not have to administer local application-specific accounts for all the application users.

What happens sometimes is that one of these users, using an application that uses LDAP binds, becomes locked out. It almost always means that the user has his password typed in somewhere in the application incorrectly (say on a scheduled task or job that the application runs under the user's account). The problem is the user will have his account locked and can't figure out where the password was typed in incorrectly.

I can go through the security log and find this event (event ID 4776), where DC03 is the DC that they are bound to with the LDAP01 account:

The domain controller attempted to validate the credentials for an account.

Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    User01
Source Workstation:    DC03
Error Code:    0xc000006a

So that is great and all, and I'm seeing when the bad passwords were attempted, but since the "Source Workstation" is the DC that the LDAP01 account binds to, I have no way of telling what the REAL source IP was. This is because the LDAP bind could have come from anywhere, and the event only shows the DC that the account bound to.

Does anybody have a way of telling where the LDAP bind was coming from? (Other than network captures, which I don't much feel like doing.)
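As an added example (not part of the original post), the PowerShell below does the correlation described above: it pulls the 4776 events for one account from every DC in the domain, flags the ones whose Source Workstation is the DC itself (the signature of a credential validated by a process on that DC, which is what an LDAP simple bind looks like), and then, for those, searches that DC's Directory Service log for LDAP Interface event 2889 in the same two-minute window, because 2889 carries the LDAP client IP and the identity the client tried to bind as. Assumptions: the RSAT ActiveDirectory module, rights to read the Security and Directory Service logs on each DC, and the "16 LDAP Interface Events" diagnostic value set to 2 on the DCs (2889 is not written at the default level, and it is written only for simple binds over cleartext LDAP or SASL binds without signing, so LDAPS or signed binds still need a capture or the application's own logs). It also assumes, and this is worth confirming on one DC before relying on it, that the DC logs 2889 for a bind that fails as well as one that succeeds.

```powershell
# Added example, not from the original post. Correlate 4776 bad-password events for
# one account with LDAP Interface event 2889 to recover the LDAP client address.
# Assumes: RSAT ActiveDirectory module, read access to the DCs' event logs, and
# "16 LDAP Interface Events" = 2 on the DCs (otherwise no 2889 events exist).
param(
    [Parameter(Mandatory)] [string] $User,   # sAMAccountName, e.g. 'User01'
    [int] $Hours = 24
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# 1. Every 4776 for this user, from every DC. Property order for 4776 is
#    PackageName, TargetUserName, Workstation, Status.
$attempts = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop `
                    -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since }
    } catch { Write-Warning "$dc : $($_.Exception.Message)"; continue }

    foreach ($e in $events) {
        $p = $e.Properties
        if ($p[1].Value -ne $User) { continue }
        $src    = [string]$p[2].Value
        $status = "$($p[3].Value)"                          # normally the hex string, e.g. 0xc000006a
        if ($status -notmatch '^0x') { $status = '0x{0:x8}' -f [int64]$status }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc
            Source = $src
            Status = $status                                 # 0xc000006a = wrong password
            # Source equal to the DC's own short name: validated on the DC itself,
            # which is what an LDAP bind processed by that DC looks like.
            OnDC   = ($src -ieq ($dc -split '\.')[0])
        }
    }
}
$attempts | Sort-Object Time | Format-Table -AutoSize

# 2. For the "on the DC" wrong-password events, search the Directory Service log on
#    that DC for 2889 within +/- 2 minutes and pull the client IP out of the message.
$ldapClients = foreach ($a in ($attempts | Where-Object { $_.OnDC -and $_.Status -match 'c000006a$' })) {
    $win = @{ LogName = 'Directory Service'; Id = 2889
              StartTime = $a.Time.AddMinutes(-2); EndTime = $a.Time.AddMinutes(2) }
    Get-WinEvent -ComputerName $a.DC -FilterHashtable $win -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($User) } |
        ForEach-Object {
            $ip = if ($_.Message -match 'Client IP address:\s*([\d\.]+)') { $Matches[1] } else { 'n/a' }
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $a.DC; ClientIP = $ip; BadPasswordAt = $a.Time }
        }
}
if ($ldapClients) { $ldapClients | Sort-Object Time | Format-Table -AutoSize }
else { Write-Host "No 2889 events matched: LDAP Interface Events logging may be off, or the bind was LDAPS/signed." }
```

Run it from a management host as an account that can read the DCs' logs, for example `.\Find-LdapLockoutSource.ps1 -User User01 -Hours 12`. The lockout itself is recorded on the PDC emulator as event 4740, whose "Caller Computer Name" has the same limitation for LDAP-driven lockouts: it names the DC that processed the bind, not the client behind it.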


Forest tree restructure


Hi All,

I have a scenario where our company has one forest, e.g. ABC.COM, and one tree, ABCINDIA.com.

Now we want to transfer all forest FSMO roles from the ABC.COM DC to the ABCINDIA.com DC and remove ABC.COM from the forest.

Is it possible to transfer all forest FSMO roles to the sub-tree domain and remove the old forest root tree?

Home site GPO's


Hello,

A little history:

We have an active GPO on the domain setting a specific home page (User Config/Windows Settings/Internet Explorer Maintenance/URLs/Important URLs). The need arose to set up a different home page for specific users in a dedicated OU. I set up the GPO in the same manner as the domain GPO, which didn't make a change; the domain GPO kept on overriding the OU GPO. I then changed the OU GPO setup and went in the direction of User Config/Admin Templates/Windows Components/IE/"Disable changing home page settings" (enabled this setting, listing the home page), which worked perfectly.

Does the setup have to differ in this type of case, and if so, why? Ideally we would like to have the GPOs set up in the same manner; is that possible?

Thank you!

Why is the Authenticated Users group a member of "Pre-Windows 2000 Compatible Access"?


Hi

In my environment, we have found that the Authenticated Users group is a member of "Pre-Windows 2000 Compatible Access".

I want to know why, or whether it is a default member of this group. And if I remove the Authenticated Users group, may it impact any service accounts or applications?



Best possible way to deploy RODC at remote location


Hi

What is the best possible way to deploy an RODC in a remote office?

Scenario

1. Remote office has a 2Mbps leased line.

2. Head office has a 2Mbps leased line.

3. Head office has one DC running Windows Server 2008 R2.

4. Remote office has 10-12 computers, a local printer, and Tally software to be run.

5. The RODC will also work as a file server.

Requirements

1. Remote office users log on through the RODC with no dependency on the DC, whether the WAN is up or down.

2. The printer must be shared from the RODC, unaffected by the WAN being up or down.

3. Files & folders are accessed on the RODC, unaffected by the WAN link being up or down.

4. Same for Tally.

5. Replication down from the RODC to the DC.

How to deploy it, step by step?

If anyone can comment, we will highly appreciate it.


Arvind
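An added example, not from the original post, of how the branch deployment asked about above is done with the Windows Server 2012 AD DS deployment cmdlets. It is a three-step procedure run in two places (HQ, then the branch server, then HQ again), which the comments mark. Assumptions: the branch server runs Server 2012 (the cmdlets do not exist on 2008 R2, where dcpromo /unattend is the equivalent), the forest has been prepared for 2012 DCs including adprep /rodcprep, the site and subnet for the branch already exist, and the domain, site, server and group names are placeholders. Two facts the requirements list should be read against: replication to an RODC is inbound only by design, nothing replicates from the RODC to the writable DC; and logon with the WAN down only works for accounts whose secrets the RODC is allowed to cache, which is what the password replication policy and the pre-population step control.

```powershell
# Added example, not from the original post. Deploy an RODC for a branch site with
# the Server 2012 ADDSDeployment cmdlets, so branch users keep logging on with the
# WAN down. All names below are placeholders; the site must already exist.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

$domain      = 'corp.example.com'              # placeholder
$site        = 'Branch-Site'                   # existing site with the branch subnet
$rodcName    = 'BR-RODC01'
$branchGroup = 'Branch-Users-And-Computers'    # placeholder; its members get cached on the RODC

# 1. (HQ, as Domain Admin) pre-create the RODC account, delegate local administration
#    of the RODC to a branch group, and set the password replication policy. The
#    delegated admin can log on locally and run the promotion without Domain Admin rights,
#    and a compromise of the branch box exposes only the cached accounts.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName $rodcName `
    -DomainName $domain -SiteName $site `
    -DelegatedAdministratorAccountName 'CORP\Branch-Admins' `
    -AllowPasswordReplicationAccountName @($branchGroup, 'Allowed RODC Password Replication Group') `
    -DenyPasswordReplicationAccountName  @('Denied RODC Password Replication Group')

# 2. (Branch server, as a member of CORP\Branch-Admins) promote into the pre-created
#    account. DNS and GC on the RODC are what let clients resolve names and log on
#    while the link is down; point the branch clients' DNS at this server afterwards.
Install-ADDSDomainController -DomainName $domain -UseExistingAccount `
    -InstallDns `
    -Credential (Get-Credential 'CORP\branch-installer') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# 3. (HQ, after replication completes) pre-populate the branch accounts' secrets on
#    the RODC, so the first WAN outage does not coincide with the first cache miss.
#    Only accounts in the allow list and not in the deny list are accepted.
$rwdc = [string](Get-ADDomainController -Discover -Writable -DomainName $domain).HostName
foreach ($m in Get-ADGroupMember -Identity $branchGroup -Recursive) {
    repadmin /rodcpwdrepl "$rodcName.$domain" $rwdc $m.DistinguishedName
}

# Check what is actually cached versus merely allowed.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
```

The branch computer accounts belong in the allow group as well as the users, because a workstation whose own secret is not cached cannot complete a domain logon against the RODC either. File and print shares on the RODC are ordinary local services and keep working when the WAN is down; the trade-off of running them on a DC is that anyone given rights over those services is administering a domain controller, which is exactly why the delegated-admin model of the RODC (local admin without domain rights) is preferable to a writable DC in the branch.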

adding computer to root domain


Hi,

I have my user account in a child domain. I need to add computers to the root domain. I think asking the infrastructure team to delegate permissions on some OU for this won't be a problem. I need to know where the added computer accounts will be stored. Will they be located in the OU where I have permissions to add them, after joining to the domain?

thanks

Conflict objects in CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com


I have found some CNF objects in my OID list;  3 have matching original objects whilst 2 do not.

Whilst I am happy purging CNF copies of simple security principals, OIDs are uncharted waters for me. Can I still delete all five?

Should I have different approaches for the 3 that match and for the 2 that do not have original objects any more ?

uSNChanged is sometimes greater on the original, sometimes on the CNF copy - not sure if that is relevant.

Thanks in advance

Nick


Ignite a fire and a man is warm for a night: ignite a man, and he is warm for the rest of his life.

logon failure: the target account name is incorrect


Hi

I am getting a "logon failure: the target account name is incorrect" error when trying to add a computer to the domain.

The office network runs on Windows Server 2003 and we have two DCs, both 2003. Client computers are XP and Windows 7. This particular computer dropped out of the network; I removed it from the domain and am trying to add it back to the domain.

I have noticed a few computers also getting random errors that they can't access a network share by name (\\servername\share) but can access the share by its IP (\\192.168.19.2\share); when I restart the computer they work fine.

I have a feeling that this has got to do with Kerberos security. I have seen a few event log errors on the server; they are:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date:  26/04/2013
Time:  10:17:01 AM
User:  N/A
Computer: PERTHSRV2
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server perthadmin5$.  The target name used was cifs/PERTHADMIN5.entpubperth.entertainmentbook.com.au. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (ENTPUBPERTH.ENTERTAINMENTBOOK.COM.AU), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

---------------------------------

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
Date:  26/04/2013
Time:  8:24:47 AM
User:  N/A
Computer: PERTHSRV2
Description:
The session setup from the computer NBDMLAP failed to authenticate. The name(s) of the account(s) referenced in the security database is NBDMLAP$.  The following error occurred:
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0               "..À   

Hope you can help me with this.

Thank You

Kris
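An added example, not part of the original post, of the check the Kerberos event 4 text points at. Given the short host name from a KRB_AP_ERR_MODIFIED event, the script finds every account in the forest that carries that name or an SPN for it (two accounts answering for one name is the "identically named machine accounts" case: the KDC encrypts the ticket with the key of whichever account holds the SPN, and the real server cannot decrypt it), runs a forest-wide duplicate-SPN scan, and then checks what the name resolves to in DNS, since a stale A record pointing at a different machine gives the same symptom with a single account. Assumptions: the RSAT ActiveDirectory module on the machine running it, and the Server 2008 or later setspn.exe (the -X switch is not in the 2003 version); the host name is a parameter, not a value taken from the post.

```powershell
# Added example, not from the original post. For the host named in a
# KRB_AP_ERR_MODIFIED event, find every account in the forest that claims that
# name or an SPN for it, scan for duplicate SPNs, and check DNS for the name.
# Assumes the RSAT ActiveDirectory module and setspn.exe from Server 2008 or later.
param([Parameter(Mandatory)][string]$HostName)   # short name from the event, e.g. 'FILESRV01'
Import-Module ActiveDirectory

$short = $HostName -replace '\..*$', ''
# Match the computer account itself and any object holding an SPN for the host,
# by short name or FQDN (e.g. cifs/FILESRV01 or cifs/FILESRV01.corp.example.com).
$ldap = "(|(sAMAccountName=$short`$)(dNSHostName=$short.*)" +
        "(servicePrincipalName=*/$short)(servicePrincipalName=*/$short.*))"

$claims = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADObject -LDAPFilter $ldap -Server $domain -ErrorAction SilentlyContinue `
        -Properties sAMAccountName, dNSHostName, servicePrincipalName, pwdLastSet, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Domain      = $domain
                DN          = $_.DistinguishedName
                Class       = $_.ObjectClass
                Sam         = $_.sAMAccountName
                DnsHostName = $_.dNSHostName
                PwdLastSet  = [DateTime]::FromFileTime([int64]$_.pwdLastSet)
                SPNs        = ($_.servicePrincipalName | Where-Object { $_ -match "/$short(\.|$)" }) -join '; '
            }
        }
}
$claims | Format-List

if (@($claims).Count -gt 1) {
    Write-Warning "More than one account answers for '$short'. The KDC encrypts the service ticket with"
    Write-Warning "the key of whichever account holds the SPN; the server decrypts with its own key, hence the error."
}

# Forest-wide duplicate SPN scan (-X reports duplicates, -F looks across the whole forest).
setspn -X -F

# What does the name actually resolve to? Compare with the host you expect to reach.
foreach ($c in $claims | Where-Object DnsHostName) {
    $addrs = try { ([System.Net.Dns]::GetHostAddresses($c.DnsHostName).IPAddressToString) -join ', ' }
             catch { 'NXDOMAIN' }
    [pscustomobject]@{ Name = $c.DnsHostName; Resolves = $addrs; Account = $c.Sam }
}
```

For the NETLOGON 5722 side (the data bytes 22 00 00 c0 are 0xC0000022, STATUS_ACCESS_DENIED, on the machine account's secure channel), the matching check runs on the affected client: `nltest /sc_verify:<domain>` shows the state of the channel, and on Windows 7 `Test-ComputerSecureChannel -Repair` resets the machine account password with the DC, which is the same remedy as removing and re-joining the machine without the reboot.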


Share Access for Non Domain Machine


Hello all,

We have 2008 DCs with 2003 DFL. We have a share hosted on a member server.

Now there is an application that runs on a workgroup machine. This application accesses the share on the member server.

A user (domain user) double-clicks the application, which modifies the share.

How can we allow that application access to the share hosted on the domain machine? Any GPO/local GPO etc.?

Appreciate any help in advance!!

logon script doesn't always run during logon process


We are having some network issues where our logon script does not always run when users log on to the network. I am running Windows Server 2012 Standard, and I have the logon script located at \\server\netlogon\logon.vbs. The server is a domain controller. The script usually runs, but it fails to run a fair amount of the time. When the user logs in to their workstation (which is Windows 7 Pro x64) they can browse to the location of the logon script and run it; then all drives & printers get mapped correctly.

I've never had this issue in the past when we were running domain controllers on Windows Server 2003 R2 x64.  The issue seems to be happening now that we are running Server 2012.

Can anyone tell me why this may be happening?


Nate

DCs not able to communicate using GUID


Hi All.

I am having trouble with replication in my forest and I am struggling to get this resolved. The forest is made up of 1 parent with 4 child domains, site.domain.local. We recently changed data centres and ISP and all went well until one of our sites started to have RF interference on their ADSL line, causing the connection in the MPLS network for this site to be very unreliable. Since then users at any site are unable to connect to resources at other sites; the ADSL line may be a red herring with this issue, as people not at this site are affected too. Here is what I have done so far.

Looking at the event logs of the parent domain's DC I see Error 4010 for the following servers:

cd9e1ed9-57d5-4f93-93a1-d8b020a1b6c7._msdcs.s****group.local – 192.168.10.1

99e38c17-ef19-4843-823c-a3cb7bf5422e._msdcs.s****group.local – 192.168.10.2

4872ca68-0d26-4687-95ce-62da8a19ad8d._msdcs.s****group.local – 192.168.11.1

32f8d64e-91f7-48a1-a40e-bbf3a310d503._msdcs.s****group.local – 192.168.200.10

0fca4013-54f7-484b-8f7e-7f0116824d4e._msdcs.s****group.local – 192.168.200.5

I have checked these GUIDs in DNS and they are there under _msdcs.s****group.local and are correct in Sites and Services. I wanted to check in ADSIEdit but am not 100% sure where to look, but when I navigated to DC=S********p,DC=Local,CN=System,CN=FileReplication Service,CN=Domain System Volume(SYSVOL share) there was an old server that has long been retired using DCpromo, and I even checked while doing a metadata cleanup using ntdsutil. I did see two entries in ADSIEdit under DC=S********p,DC=Local,CN=Domain Controllers and, looking at the properties of the 2 servers found here, the objectGUID seemed incorrect. Am I looking at the correct location and detail?

The next thing I did was to rename Netlogon.dnb and Netlogon.dns to .OLD, then ran:

Net stop DNS

Net stop Netlogon

Ipconfig /flushdns

Net Start Netlogon

Net start DNS

Ipconfig /registerdns

Repadmin /syncall /AeDq

The result is as follows:

Syncing all NC's held on KRONOS.

Syncing partition: DC=ForestDnsZones,DC=s****group,DC=local

SyncAll reported the following errors:

Error contacting server 4872ca68-0d26-4687-95ce-62da8a19ad8d._msdcs.s****group.local (network error): -2146892976 (0x80090350):

    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Syncing partition: DC=DomainDnsZones,DC=s****group,DC=local

SyncAll terminated with no errors.

Syncing partition: CN=Schema,CN=Configuration,DC=s****group,DC=local

SyncAll reported the following errors:

Error contacting server 4872ca68-0d26-4687-95ce-62da8a19ad8d._msdcs.s****group.local (network error): -2146892976 (0x80090350):

    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Syncing partition: CN=Configuration,DC=s****group,DC=local

SyncAll reported the following errors:

Error contacting server 4872ca68-0d26-4687-95ce-62da8a19ad8d._msdcs.s****group.local (network error): -2146892976 (0x80090350):

    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Syncing partition: DC=s****group,DC=local

SyncAll reported the following errors:

Error contacting server 4872ca68-0d26-4687-95ce-62da8a19ad8d._msdcs.s****group.local (network error): -2146892976 (0x80090350):

    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Syncing partition: DC=TechGate,DC=s****group,DC=local

SyncAll reported the following errors:

Error contacting server 4872ca68-0d26-4687-95ce-62da8a19ad8d._msdcs.s****group.local (network error): -2146892976 (0x80090350):

    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Syncing partition: DC=Southampton1,DC=s****group,DC=local

SyncAll reported the following errors:

Error contacting server 4872ca68-0d26-4687-95ce-62da8a19ad8d._msdcs.s****group.local (network error): -2146892976 (0x80090350):

    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Syncing partition: DC=tonbridge,DC=s****group,DC=local

SyncAll reported the following errors:

Error contacting server 4872ca68-0d26-4687-95ce-62da8a19ad8d._msdcs.s****group.local (network error): -2146892976 (0x80090350):

    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Syncing partition: DC=braintree,DC=s****group,DC=local

SyncAll reported the following errors:

Error contacting server 4872ca68-0d26-4687-95ce-62da8a19ad8d._msdcs.s****group.local (network error): -2146892976 (0x80090350):

    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

I have checked and there is no firewall between any sites, and the firewall on the 2008 R2 servers is disabled through GP (other servers are 2003 with no firewall). What's my next best step?
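An added example, not part of the original post, of checking the one name that the repadmin output above is failing on. Replication partners reach a DC through the CNAME `<DSA GUID>._msdcs.<forest root>`, and the GUID in that name is the objectGUID of the DC's NTDS Settings object, not of its computer account, which is the easy thing to get wrong when comparing values in ADSI Edit. The script reads the NTDS Settings GUID for every DC in the forest, resolves the CNAME, and reports whether it points at that DC's own host name. The -2146892976 (0x80090350) code in the output is SEC_E_DOWNGRADE_DETECTED, an authentication failure against the partner, so a CNAME that is missing or points at the wrong host is the first thing to rule out. Assumptions: the RSAT ActiveDirectory module and Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later on the machine running the script); the retired-server case in the comments is the general one, not a claim about this forest.

```powershell
# Added example, not from the original post. Check that every DC's DSA GUID CNAME
# (<NTDS Settings objectGUID>._msdcs.<forest root>) exists in DNS and points at
# that DC's own host name. Assumes the RSAT ActiveDirectory module and
# Resolve-DnsName (Windows 8 / Server 2012 or later).
Import-Module ActiveDirectory
$forest = Get-ADForest
$zone   = "_msdcs.$($forest.RootDomain)"

$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        # The replication GUID is the objectGUID of the NTDS Settings object
        # (in the Configuration partition), not of the computer account.
        $ntds   = Get-ADObject -Identity $dc.NTDSSettingsObjectName -Server $domain
        $cname  = "$($ntds.ObjectGUID).$zone"
        $answer = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $target = if ($answer) { $answer.NameHost.TrimEnd('.') } else { '<no CNAME>' }
        [pscustomobject]@{
            DC      = $dc.HostName
            Domain  = $domain
            DsaGuid = $ntds.ObjectGUID
            Cname   = $cname
            Target  = $target
            Ok      = ($target -ieq $dc.HostName)
        }
    }
}
$results | Format-Table DC, DsaGuid, Target, Ok -AutoSize

# Missing or wrong: the owning DC re-registers its own records with "nltest /dsregdns"
# (or a Netlogon restart). A CNAME left behind by a DC that was retired without
# metadata cleanup is never re-registered or removed by any live DC; it is deleted
# by hand once the metadata cleanup has been done.
$results | Where-Object { -not $_.Ok } | ForEach-Object {
    Write-Warning "$($_.DC): $($_.Cname) -> $($_.Target)"
}
```

The script only covers the forest-wide `_msdcs` CNAME; `dcdiag /test:dns` on each DC covers the rest of the records, and `repadmin /showrepl <dc>` prints the same DSA object GUID in its header, which is a quick way to confirm the value you are comparing against.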

Active Directory object Attributes too slow


Hello Champs,

Caught in a slow situation.

Just migrated from a 2003 to a 2008 domain, but my AD DS service opens slowly.

The attributes of objects are also slow to appear, even on the DC itself, while on a 2003 member server DSA.msc works faster.

Any hotfix or patch required?

Please help.

DNS Error - 4015 in Windows server 2012


Hi,

I have three RWDCs, two of them located in HQ and one in our DR site. These three servers are PSLGIDC-01 (10.4.10.10), PSLGIDC-02 (10.4.10.11) & DRLGIDC-03 (10.4.110.10). After that I created one RODC in our branch office named BRSLGIERODC2500 (192.168.82.251). All of the RWDCs are Windows Server 2008 R2 and all are in a virtual environment. The RODC server is Windows Server 2012 Standard. I created a site and subnet for the RODC as for a normal RODC installation, and also configured the RODC with the standard procedure, with DNS and GC; site replication is working properly. The primary DNS of the RODC server is 192.168.82.251.

The issue is that my RODC DNS server is getting error "4015" every 9 hours. In the DNS event log I get an error message like "The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error." All replication shows successful from RODC to RWDC and the reverse. Please advise.

Strange behaviour with a new WS2012 DC

Hi there,

Recently I had the following situation:

A Windows domain at domain and forest functional level 2008 R2, with domain controllers all running Windows Server 2008 R2. Then we added a Windows Server 2012 and installed the AD DS role. With this we had strange behaviour on the WS2012. The Server 2012 did not replicate with the other domain controllers; the File Replication Service was disabled.

After we did the forest prep and domain prep manually to 2012, everything was fine again, and it worked.

How come? I thought the installation of Windows Server 2012 with the AD DS role would check automatically whether all preconditions are met to install the DC into the existing domain?

Could someone lead me on a path to the situation I've been in?

Thx

AD LDS How to create a user on an empty app partition


I created a stand-alone AD LDS instance using the setup wizard. Then I used ADSI Edit to create a Users container. Next I created a user, set the password and set msDS-UserAccountDisabled to False. Then I tried to expand Roles, expand Readers, edit the member property and add DN: o=Microsoft,c=us,CN=Users,CN=Joe, and I get the following error:

Operation failed. Error code: 0x20b5 The name reference is invalid.  Problem 1005....
How do I fix this? Also, can't a user just be defined in AD LDS, or is it just a reference to a real Windows account?

Thanks


Naming information cannot be located because: The Specified Domain either does not exist or could not be contacted


Hi All,

This is no longer a new question here, but it seems others have different issues arriving at this problem.

I installed AD before and everything worked out fine until I decided to demote the DC and remove and reinstall AD and DNS. After reinstalling AD and DNS again, promoting a new DC and opening Users and Computers, I got this error:

Naming information cannot be located because: The Specified Domain either does not exist or could not be contacted.

Server OS: Windows Server 2012

DC: only one DC created.

What could possibly have caused this?

Hope to solve this! Help please. Thank you so much in advance.

-IJ-

How to massively rename security groups in AD? [SOLVED with SOLUTION]


I need to massively rename security groups in an OU.

Is there any way to do it faster? Tools or something?

The security groups are almost 5000 entries.


DPM 2010 with latest roll-up (KB2615782) | DELL Server R710 (Windows 2008 R2 SP1) RAM: 24GB PF: 36-60GB | DELL TL4000 (4 Drives) | DELL TL2000 (2 Drives) | D2T Backup No Disk Pool (Electric & Disk Costly) | And still struggling and monitoring... Battle continues... life never happy ever after.. :(
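An added example, not part of the original post or its marked solution, of how a rename of that size is done from PowerShell. A group carries two names that both have to change: the RDN (the CN shown in the console, changed with Rename-ADObject) and the sAMAccountName (what DOMAIN\name lookups resolve, changed with Set-ADGroup); the SID is untouched, so memberships and ACLs are unaffected. The script takes a CSV of OldName,NewName pairs, refuses to start if any source is missing from the OU or any target name is duplicated or already in use in the domain, honours -WhatIf, and writes a log of what it renamed. Assumptions: the RSAT ActiveDirectory module; the OU path and CSV column names are placeholders.

```powershell
# Added example, not from the original post. Bulk-rename security groups in one OU
# from a CSV of OldName,NewName pairs, with a collision pre-flight and -WhatIf support.
# Assumes the RSAT ActiveDirectory module; OU path and CSV columns are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string] $SearchBase,   # e.g. 'OU=Groups,DC=contoso,DC=com'
    [Parameter(Mandatory)][string] $MapCsv        # columns: OldName,NewName
)
Import-Module ActiveDirectory

$map    = Import-Csv -Path $MapCsv
$groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase $SearchBase -SearchScope OneLevel
$byName = @{}
foreach ($g in $groups) { $byName[$g.Name] = $g }

# Pre-flight: every source exists in the OU, every target is unique within the CSV,
# and no target is already used as a group Name or sAMAccountName in the domain.
# (Names containing a single quote would need escaping in the -Filter below.)
$problems = New-Object System.Collections.Generic.List[string]
$targets  = @{}
foreach ($row in $map) {
    if (-not $byName.ContainsKey($row.OldName)) { $problems.Add("not in OU: $($row.OldName)"); continue }
    if ($targets.ContainsKey($row.NewName))      { $problems.Add("duplicate target: $($row.NewName)") }
    $targets[$row.NewName] = $true
    $clash = Get-ADGroup -Filter "Name -eq '$($row.NewName)' -or SamAccountName -eq '$($row.NewName)'"
    if ($clash -and $clash.DistinguishedName -ne $byName[$row.OldName].DistinguishedName) {
        $problems.Add("already exists: $($row.NewName) ($($clash.DistinguishedName))")
    }
}
if ($problems.Count) { $problems | ForEach-Object { Write-Error $_ }; throw 'Pre-flight failed; nothing renamed.' }

# Rename. Rename-ADObject changes only the RDN (CN); sAMAccountName is a separate
# attribute, so without the Set-ADGroup call DOMAIN\OldName would still resolve.
$log = foreach ($row in $map) {
    $g = $byName[$row.OldName]
    if ($PSCmdlet.ShouldProcess($g.DistinguishedName, "rename to $($row.NewName)")) {
        Rename-ADObject -Identity $g.DistinguishedName -NewName $row.NewName
        Set-ADGroup     -Identity $g.ObjectGUID -SamAccountName $row.NewName   # GUID survives the rename
    }
    [pscustomobject]@{ When = Get-Date; Old = $row.OldName; New = $row.NewName; OldDN = $g.DistinguishedName }
}
$log | Export-Csv -NoTypeInformation -Path ("group-rename-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
```

Run it once with `-WhatIf` to see every rename it would perform, then without. Because the SID does not change, nothing that references the group by SID (ACLs, memberships, GPO filtering) needs touching; only scripts or applications that look the group up by its old name break, which is what the CSV log is for.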


The following error occurred attempting to join the domain "mydomainname.com". The network path was not found.


Hi,

I have a Hyper-V machine which has been set up the following way:

Hyper-V Host Machine
Machine Name - Computer1
IP - 192.168.1.2
Subnet Mask - 255.255.255.0
Default Gateway - none because this machine has no need to connect to the internet
Preferred DNS Server - 192.168.1.3
Roles Installed - Hyper-V

Hyper-V Guest Machine 1
Machine Name - Computer2
IP - 192.168.1.3
Subnet Mask - 255.255.255.0
Default Gateway - none because this machine has no need to connect to the internet
Preferred DNS Server - 127.0.0.1
Roles Installed - AD DS (and the dcpromo tool installed the DNS Server role alongside, and configured it)
Domain Name - mydomainname.com

Hyper-V Guest Machine 2
Machine Name - Computer3
IP - 192.168.1.4
Subnet Mask - 255.255.255.0
Default Gateway - (none for now, because there is no router or internet connection yet, but will be set to 192.168.1.1 after we buy the router and the connection)
Preferred DNS Server - 192.168.1.3
Roles Installed - (yet to install and configure the VPN role)

Hyper-V Guest Machine 3
Machine Name - Computer4
IP - 192.168.1.5
Subnet Mask - 255.255.255.0
Default Gateway - (none for now, because there is no router or internet connection yet, but will be set to 192.168.1.1 after we buy the router and the connection)
Preferred DNS Server - 192.168.1.3
Roles Installed - (yet to install and configure IIS)

All machines are running Windows Server 2008 R2.

After reading up on this problem online, I temporarily disabled the Windows Firewall on all machines.
The following protocols have been enabled on all network adapters - IP V4, File and Printer Sharing, Client for Microsoft Networks
All machines are able to ping one another - both by IPs, and by Machine Names.
However, Computer2 is unable to ping Computer4 by name. It can ping it by IP though.
All other machines can ping Computer2 both by machine name, and by the FQDN, along with being able to ping it by IP.


I have configured the domain controller on the AD DS role, but still whenever I try to add any machine to the domain, I get the error message in the thread title.
I've been through several threads on the same issue found on google, enabled/disabled a few things based on findings and recommendations, and then posted back my machine's current stats. And yet I still get the same error message, and am unable to join any machine to the domain. If I try joining a machine to the domain through a client computer - I get the above error message. If I try adding a computer through the Server Manager in the DC, it just adds a blank entry with the supplied computer name.

What gives?

P.S. (I know the first response will be to ask me to post the results of ipconfig /all, but my question is - does it give out any sensitive information? Because I have hidden my actual computer names and domain name for security reasons. This network is to soon become our live production network for our business.)


Error 2148074306 The encryption type requested is not supported by the KDC

Our domain is Windows 2008 Native. I ran repadmin /replsummary and noticed an odd error that I cannot get to the bottom of: Error 2148074306, "The encryption type requested is not supported by the KDC". This appears between two DCs only. I cannot find any reference to what might be causing this.
Orange County District Attorney

Backing Up System State

OK so, when I had Server 2003 Standard, I used to back up the system state every month and it was around 1 GB. We are now on Server 2008 Standard, and when I launch Server Backup it calculates the system state and says it is about 8 GB. How can this be?

Steven J Einhorn


