Channel: Directory Services forum

DFS Shares randomly not accessible


Hello,

We have a DFS Namespace with some shared folders defined. We have 4 Domain Controllers configured as Namespace Servers; all 4 are located in the same site and are in one LAN. Randomly, users cannot access these shares; it might work again after a short while. I feel like two of our 4 Namespace Servers have issues, because if I do a "net share mx" on the two servers I suspect, I get an Access denied, while the same command works on the other two Namespace servers.

Both servers with issues are our newest DCs, which are running Windows Server 2019, while the two that work are 2008 R2 and 2012 R2. I have recently (well, about 2 months ago) moved all FSMO roles from the 2008 R2 to one of the 2019 servers.

But if I look at the sharing permissions, all have the same settings. In DFS Management, Everyone has Read, while the sharing + NTFS permissions do not have permissions for Everyone, but none of the servers has.

net share mx
Share name        mx
Path              C:\DFSRoots\mx
Remark
Maximum users     No limit
System error 5 has occurred.

Access is denied.

The same command works on the old Namespace Servers:

net share mx
Share name        mx
Path              C:\DFSRoots\mx
Remark
Maximum users     No limit
Users             koster
Caching           Manual caching of documents
Permission        Everyone, READ

The command completed successfully.


I also get some Access Denied errors when I run "DFSDiag /TestDFSConfig /DFSRoot:\\mobilex.intra\mx" on these two servers in question

on dc1-2019:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Comparing DC2-2019.mobileX.intra - DC1-2019.mobileX.intra.
Error: Access is denied.
Ignoring the following server for comparison: DC1-2019.mobileX.intra
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

on dc2-2019:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Error: Access is denied.
Ignoring the following server for comparison: DC2-2019.mobileX.intra
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

The same command on my older Namespace Servers does not return any error:

Validating registry entries...
Comparing DC1 - DC1-2012R2.
Comparing DC1-2012R2 - DC2-2019.mobileX.intra.
Comparing DC2-2019.mobileX.intra - DC1-2019.mobileX.intra.
Success: The registry values under HKLM\CCS\Services\Dfs\Parameters are consistent on all compared servers.
Finished TestDfsConfig.

I am not very familiar with this topic; I hope someone can explain and point me in the right direction.

kr

Dieter
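An added example (not from the post) of the comparison a practitioner would run before digging into the two 2019 servers: it collects the share ACL and the NTFS ACL of the DFS root share from every namespace server, records servers that refuse access instead of aborting, and flags any server whose ACLs differ from the first reachable one. The server names are taken from the DfsDiag output above; WinRM access to each server and the SmbShare module are assumed.

```powershell
# Added example, not from the post: compare the DFS root share across all namespace servers.
$NamespaceServers = 'DC1-2012R2', 'DC1-2019', 'DC2-2019'   # names from the post's DfsDiag output
$ShareName        = 'mx'

$report = foreach ($server in $NamespaceServers) {
    $cim = $null
    try {
        $cim   = New-CimSession -ComputerName $server -ErrorAction Stop
        $share = Get-SmbShare -CimSession $cim -Name $ShareName -ErrorAction Stop
        # Share-level ACL (what "net share" prints under "Permission")
        $shareAcl = Get-SmbShareAccess -CimSession $cim -Name $ShareName |
                    ForEach-Object { "$($_.AccountName):$($_.AccessControlType):$($_.AccessRight)" }
        # NTFS ACL of the local DFS root folder, read on the server itself (WinRM assumed)
        $rootPath = $share.Path
        $ntfsAcl  = Invoke-Command -ComputerName $server -ScriptBlock {
            (Get-Acl -Path $using:rootPath).Access |
                ForEach-Object { "$($_.IdentityReference):$($_.AccessControlType):$($_.FileSystemRights)" }
        }
        [pscustomobject]@{
            Server    = $server
            Path      = $share.Path
            Reachable = Test-Path -Path "\\$server\$ShareName"   # client-side view of the share
            ShareAcl  = ($shareAcl | Sort-Object) -join '; '
            NtfsAcl   = ($ntfsAcl  | Sort-Object) -join '; '
        }
    } catch {
        # The "System error 5" case from the post: record the failure and keep going
        [pscustomobject]@{ Server = $server; Path = $null; Reachable = $false
                           ShareAcl = "ERROR: $($_.Exception.Message)"; NtfsAcl = $null }
    } finally {
        if ($cim) { Remove-CimSession -CimSession $cim }
    }
}

$report | Format-List

# Servers whose share ACL or NTFS ACL differs from the first reachable server
$baseline = $report | Where-Object Reachable | Select-Object -First 1
$report | Where-Object { $_.ShareAcl -ne $baseline.ShareAcl -or $_.NtfsAcl -ne $baseline.NtfsAcl } |
    Select-Object Server, Reachable, ShareAcl, NtfsAcl
```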



AD domain and trusts

Hi all,

In a multidomain environment, where there are one-way or two-way trusts configured, how do I find out the below?

  1.      Is there a user in the first domain talking to another domain, and who is it? For example, a user from the first domain logging in to another domain.
  2.      Is there an app in the first domain talking to another domain, and what app?

Is there any tool regarding these?

Thanks

LAPS on multiple DC's

For global infrastructure and access provisioning, can you install the LAPS UI on multiple DCs, or does it need to be on one "Master DC"?

ADFS Chaining OIDC-SAML-OIDC


Hi,

We are working towards setting up a trust between two IdPs, one ADFS and the other a cloud-based IdP, whereas the integrated relying party talks OIDC.

It worked for an application over SAML where the SAML SP is integrated with one ADFS: the 1st ADFS identifies that it is a request for delegated authentication, forwards it to the 2nd IdP, gets the SAML Response back after authentication, transforms that response into a new response and sends it back to the SP.

But while doing the same flow for the application which talks OIDC, the Authentication Request flow works fine and we get the IdP login page; we get the 1st SAMLResponse as well, but when ADFS tries to translate that SAMLResponse into an ID_Token to send to the relying party, we get this error: "http://<domain>/?error=server_error&error_description=MSIS9642%3a+The+request+cannot+be+completed+because+an+id+token+is+required+but+the+server+was+unable+to+construct+an+id+token+for+the+current+user.&state=asjhjadue&client-request-id=<ID>"

The server is not able to construct the ID_Token. We are using Win2k16 R2 (ADFS 4.0).

Any inputs will be helpful.

FRS migration


Hello All,

When I run Dcdiag /e /test:sysvolcheck /test:advertising from the PDC,

sysvol and advertising are failing; however, when I log in to those servers and run dcdiag there, all tests pass (sysvol & advertising) and there is no failed test.

I checked the logs, but found nothing I can conclude from.

Please advise: can I proceed with the FRS migration?

If not, what can I do to fix this?

Thanks

Aamir Masthan





Server to Server Directory Migration


Hello,

We've recently purchased 2 new servers with WS 2019 Standard. We need to migrate the data and directories from our current servers (WS 2008) to these new ones. Our current servers are only used for Active Directory & DNS.

Does Microsoft offer a migration service like this or are there other options?

Thanks for any help.

AD Health Check


Hello,

I got the AD health check script from this site, gallery.technet.microsoft.com/scriptcenter/Active-Directory-Health-709336cd#content, and the output is not so good. Previously we just ran the Repadmin command, especially repadmin /replsummary, to check our AD health. But from this script the result was not so good, and I don't really understand the Test Failed, since we don't encounter any replication error.

PingStatus  NetlogonService  NTDSService  DNSServiceStatus  NetlogonsTest     ReplicationTest      ServicesTest     AdvertisingTest     FSMOCheckTest
Success     Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success     Running          Running      Running           NetlogonsTimeout  ReplicationsTimeout  ServicesTimeout  AdvertisingTimeout  FSMOCheckTimeout
Success     Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success     Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success     Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success     Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success     Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesFail     AdvertisingPassed   FSMOCheckPassed
Success     Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success     Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success     Running          Running      Running           NetlogonsFail     ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success     Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesPassed   AdvertisingPassed   FSMOCheckPassed
Success     Running          Running      Running           NetlogonsPassed   ReplicationsPassed   ServicesFail     AdvertisingPassed   FSMOCheckPassed


The ServicesTimeout error, I found out, is because the script's wait-job status only waits for 60 sec; after manually running dcdiag /s:DC03 /a /test:Netlogon the result was good. It just needs more than 60 sec.

Anyway, the real issue now is the failed tests NetlogonsFail and ServicesFail (bold). I wonder whether we can just ignore this error, or whether this error can cause replication issues? I have already checked that replication is good from repadmin /replsummary, and dcdiag also does not mention any replication error. Attributes also replicate well between the DCs.

Meanwhile, when we run dcdiag /s:DC03 /a /test:Netlogon on the server that shows NetlogonsFail, the error is valid. Below is the error:

Unable to connect to the NETLOGON share! (\\DC07\netlogon)
[DC07] An net use or LsaPolicy operation failed with error
67, The network name cannot be found..
......................... DC07 failed test NetLogons

Now I'm starting to worry whether our DCs are in good condition or not. Previously we just relied on repadmin /replsummary and the repadmin command to check replication. Kindly advise.

P.S.: Sorry, I'm unable to insert a picture, because "Body text cannot contain images or links until we are able to verify your account."
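An added example, not the Script Center script from the post: it runs the same dcdiag tests per DC as background jobs with a longer, configurable timeout, so that a slow DC such as the DC03 case above is reported as Timeout rather than Fail, and prints the raw dcdiag text only for failing tests (the NETLOGON share error quoted above would appear there). The DC names are constructed placeholders; dcdiag.exe on the machine running the script is assumed.

```powershell
# Added example (not the post's script): per-DC dcdiag tests as jobs with a configurable timeout.
$DomainControllers = 'DC03', 'DC07'     # constructed sample names; e.g. (Get-ADDomainController -Filter *).Name
$Tests             = 'NetLogons', 'Replications', 'Services', 'Advertising', 'FsmoCheck'
$TimeoutSeconds    = 180                # the post's script waited 60 s, which DC03 exceeded

$jobs = foreach ($dc in $DomainControllers) {
    Start-Job -Name $dc -ScriptBlock {
        param($dc, $tests)
        foreach ($t in $tests) {
            $out = & dcdiag.exe /s:$dc /test:$t 2>&1 | Out-String
            # dcdiag ends each test with "... <DC> passed test <Name>" or "... <DC> failed test <Name>"
            $status = if ($out -match "passed test $t") { 'Passed' }
                      elseif ($out -match "failed test $t") { 'Fail' }
                      else { 'Unknown' }
            [pscustomobject]@{ DC = $dc; Test = $t; Status = $status; Output = $out }
        }
    } -ArgumentList $dc, $Tests
}

# Wait once for all jobs; anything still running afterwards is reported as Timeout, not Fail
$null = Wait-Job -Job $jobs -Timeout $TimeoutSeconds
$results = foreach ($job in $jobs) {
    if ($job.State -eq 'Completed') {
        Receive-Job -Job $job | Select-Object DC, Test, Status, Output
    } else {
        foreach ($t in $Tests) {
            [pscustomobject]@{ DC = $job.Name; Test = $t; Status = 'Timeout'; Output = $null }
        }
    }
    Remove-Job -Job $job -Force
}

$results | Format-Table DC, Test, Status -AutoSize

# Show the raw dcdiag output only for real failures
$results | Where-Object Status -eq 'Fail' |
    ForEach-Object { "`n=== $($_.DC) / $($_.Test) ===`n$($_.Output)" }
```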



how to find servers/computers based on sites


Hi all

I need to find all the computers based on sites. Is there any way to do that using Sites and Services, for example?

Thanks


Event ID 1119 for Global Catalog Win2K16


Hello Folks,

Event ID 1119 says a domain controller is now a Global Catalog after promoting the server to domain controller in 2K8R2. Is this event replaced by any other event in Windows 2016? I couldn't see it under Directory Service after promoting the server to DC in 2K16, whereas I could see the server is Global Catalog ready and there is event 1394.

Regards,

Aatif


Regards, Aatif Kungle

new Active Directory installation error


Hi all,

Currently we are trying to bring up a new Active Directory server; the situation is this:

We have three active servers (two Windows 2012 and one Windows 2008); the primary server that has all the roles is the 2012 server now. We had an issue with this primary one: the SYSVOL folder got a virus and we recovered it from the backup.

Now, when trying to add the new AD server to our environment, we are facing the below error:

Verification of prerequisites for Active Directory preparation failed. Unable to connect to the replication source domain controller ad03.domain.com..
Exception: A directory service error has occurred

Verification of prerequisites for Domain Controller promotion failed. Failed to examine the Active Directory forest. The error was: The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (The user name or password is incorrect.).


Any suggestion?


Cannot login to windows 2016 domain controller - the user has not been granted the requested logon type at this computer.


Hello,

Been grappling with a problem for some time now:

We have a parent domain and a child domain with domain admin accounts in both domains.

Both domains contain two domain controllers each.

We recently performed an activity and upgraded all our domain controllers to Server 2016. The process we followed to "upgrade" the domain controllers was - joined the Server 2016 machines to the domains, then promoted these 2016 machines as domain controllers.

The older (Server 2012 R2) machines were demoted gracefully.

However, after this activity, we cannot log in to the child domain's domain controllers using the domain admin accounts in the child domain. The only way to log in to these domain controllers is through the domain admin accounts in the parent domain.

We get the following error in the login screen:

You must be granted the Allow log on through the Remote Desktop Services Right.

We have verified that the account used to attempt a login to the domain controller is a member of the Domain Admins group and has the "Allow log on locally", "Access this computer from the network" and "Allow log on through Remote Desktop Services" privileges.

Any help or leads to help with this problem is greatly appreciated.

Cheers!

AD domain and trusts


Hi all,

In a multidomain environment, where there are one-way or two-way trusts configured, how do I find out the below?

  1.      Is there a user in a domain talking to another domain, and who is it? For example, a user from the first domain logging in to another domain.
  2.      Is there an app in a domain talking to another domain, and what app?

Is there any tool regarding these?

Thanks


Cross Domain slow logon issues


Hello

Issue:

One of our partners has started upgrading their client fleet to Windows 10, and since they have done this, when our users attempt to log on to our domain via their devices it can take over 40 minutes to log on. The Windows 7 devices take the usual 5 minutes or so. This is happening on all of their sites. Whilst I believe the issue is something client related, I am wondering if there is anything we need to change in our AD world...

Setup:

Partner Remote Site - Private Network - Partner DC - City Wide Network - Our Network - Our DC

DCs have full access to each other

My understanding is that their DC will check the token with our DC and then pass it back, which in theory should be quite quick.

Any articles or advice that can be given would be appreciated

nslookup times out twice then resolves


Hi All,

I am experiencing a strange issue. I see this issue has already been discussed, but I cannot find a fix for my case.

Name resolution seems to be working fine; however, every time we use nslookup the result is a timeout after 2 seconds, twice, and then the result.

This also happens if I try to nslookup my own domain.

IPv6 is disabled on the client and there is no firewall between the client and the DNS server (which is also a Domain Controller).

What really makes a difference is whether the computer is in the domain or not:

- If I use nslookup from a computer not in the domain, it works fine with no timeouts

- If I run nslookup from a client joined to the domain, it times out twice before giving the correct result

I enabled the debug option to troubleshoot and noticed a strange behaviour: when resolving, nslookup appends the domain name also to fully qualified names, and this results in a timeout because there is no such DNS record.

Example:

nslookup ad.mydomain always also tries to look up ad.mydomain.ad.mydomain

The domain is appended to the FQDN and not only to non-FQDNs; I don't think this is normal.

Any idea?

Thanks

Luca

Windows 10 Lock Screen Slide Show (Multiple .JPEG images) Using group policy


I want the slideshow feature of the lock screen to do this on all domain computers via GP instead of the screensaver.

I have around 2000 Windows 10 Enterprise clients.

DC : 2012 R2

Kind Regards,

RPadmam.


RJ


pwdLastSet attribute blank on AD user objects


Hello all,

I have a situation where I have user objects in Active Directory that do not have passwords set (attribute = pwdLastSet). The user object is not disabled either.

What factors would allow an object to have these criteria, pwdLastSet = blank and the user object not disabled? My understanding is that if a user object has no password it should be disabled, especially if password complexity is set, which it is in my environment.

Thank you in advance for your assistance on this question.


Matt Burgos
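An added example, not from the post: an LDAP query for enabled users whose pwdLastSet is 0 (shown as blank in some tools), decoded together with the userAccountControl bits that determine whether such an account is merely in the "must change password at next logon" state or is allowed to have an empty password at all. The ActiveDirectory module is assumed.

```powershell
# Added example (not from the post): enabled users with pwdLastSet = 0, with the relevant UAC flags decoded.
Import-Module ActiveDirectory

$ACCOUNTDISABLE     = 0x0002
$PASSWD_NOTREQD     = 0x0020    # empty password accepted, bypassing the complexity/length policy
$DONT_EXPIRE_PASSWD = 0x10000

# pwdLastSet = 0 and the ACCOUNTDISABLE bit clear (bitwise-AND matching rule 1.2.840.113556.1.4.803)
$filter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)))"

$users = Get-ADUser -LDAPFilter $filter -Properties pwdLastSet, userAccountControl, whenCreated, lastLogonTimestamp

$users | ForEach-Object {
    $uac = [int]$_.userAccountControl
    [pscustomobject]@{
        SamAccountName       = $_.SamAccountName
        Enabled              = $_.Enabled
        WhenCreated          = $_.whenCreated
        LastLogon            = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        PasswordNotRequired  = [bool]($uac -band $PASSWD_NOTREQD)
        PasswordNeverExpires = [bool]($uac -band $DONT_EXPIRE_PASSWD)
        # pwdLastSet = 0 means the password must be changed at next logon (or was never set);
        # only when PASSWD_NOTREQD is also set would an empty password be accepted, so review those first.
        Reading              = if ($uac -band $PASSWD_NOTREQD) { 'empty password allowed: review' }
                               else { 'must change password at next logon' }
    }
} | Sort-Object PasswordNotRequired -Descending | Format-Table -AutoSize
```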

Active Directory Certificate Templates published more than listed on Enterprise Intermediate CA


Hi,

While looking at CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<Example>,DC=<Example>,DC=Local (Example is just a placeholder), I found 45 certificate templates published in AD, but looking at the Enterprise Intermediate CA I see only 26 that have been deployed by the CA. Why is there a difference, and is there any way I can find out who issued the additional templates in AD under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<Example>,DC=<Example>,DC=Local? Your feedback is appreciated.

Kind Regards,

AK  

Authoritative Restore

Dear Team,

I'm trying to perform an authoritative restore for one OU, but it's not working:
after replication, the restored objects get deleted.
Please find the steps below:

1. Booting the system into DSRM.
2. Logging in with the DSRM credentials.
3. Disabling AD services.
4. Restoring the system state using wbadmin.
5. Performing the authoritative restore command:
    restore subtree "ou=***,DC=***,DC=***"
After the restore, rebooting AD into normal mode.

...But post replication the restored OU gets deleted.

R!t@$#

SMBv1 Disabling Considerations

Hello. I am looking at disabling SMBv1 across all servers and workstations in our Windows environment. Besides Windows XP and Windows Server 2003 being negatively affected by this, what are some other "gotchas" or things that people on here have seen go wrong by disabling SMBv1?

AD restructure


Hi.

I need to restructure Active Directory from one domain into two unrelated domains in different forests.

Now I have 2 domain controllers on Windows Server 2012.

I want to use the new domain at forest functional level Windows 2012 R2 or higher, maybe forest level Windows 2019.

How can I migrate all objects from the current domain to the new domain using ADMT, given my needs?

Which operating system should I use for the domain controller of the new domain with functional forest level Windows 2019?
