Channel: Directory Services forum

Account lockout through LDAP connection


We have various applications that bind to our DCs using a certain LDAP account we create for them. Let's call the account LDAP01. This account has read privs in the domain and is only used to bind to AD, so that it can then pass through the credentials of the real user that is using the application. Let's call the user User01. This is done so that the application can use AD as the central repository for authentication and authorization. It also means the application owners do not have to administer local application-specific accounts for all the application users.

What happens sometimes is that one of these users, using an application that uses LDAP binds, becomes locked out. It almost always means that the user has his password typed in incorrectly somewhere in the application (say on a scheduled task or job that the application runs under the user's account). The problem is the user will have his account locked and can't figure out where the password was typed in incorrectly.

I can go through the security log and find this error (event ID 4776), where DC03 is the DC that they are bound to with the LDAP01 account:

The domain controller attempted to validate the credentials for an account.

Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    User01
Source Workstation:    DC03
Error Code:    0xc000006a

So that is great and all, and I'm seeing when the bad passwords were attempted, but since the "Source Workstation" is the DC that the LDAP01 account binds to, I have no way of telling what the REAL source IP was. This is because the LDAP bind could have come from anywhere, and the error only shows the DC that the account bound to.

Does anybody have a way of telling where the LDAP bind was coming from? (Other than network captures, which I don't much feel like doing.)
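An added example (not from the post or any Microsoft tool) that shows why 4776 is a dead end here: it parses constructed 4776 event bodies, tallies bad-password and lockout results per account and per "Source Workstation", and flags the sources that are themselves DCs, meaning the failure arrived through a relayed LDAP bind and the real client must be found at the LDAP layer. The DC name list and the "---" record separator are assumptions.

```python
import re
from collections import defaultdict

# Constructed 4776 event bodies separated by "---" (sample data, not from the original post).
SAMPLE_4776 = """\
Logon Account:    User01
Source Workstation:    DC03
Error Code:    0xc000006a
---
Logon Account:    User01
Source Workstation:    DC03
Error Code:    0xc000006a
---
Logon Account:    User01
Source Workstation:    WKS-0042
Error Code:    0xc000006a
---
Logon Account:    User01
Source Workstation:    DC03
Error Code:    0xc0000234
---
Logon Account:    svc_backup
Source Workstation:    APP-01
Error Code:    0x0
"""

BAD_PASSWORD = "0xc000006a"   # STATUS_WRONG_PASSWORD
LOCKED_OUT = "0xc0000234"     # STATUS_ACCOUNT_LOCKED_OUT
FIELD = re.compile(r"^(Logon Account|Source Workstation|Error Code):\s*(.+?)\s*$", re.M)

def parse_4776(text):
    """Turn pasted event bodies into dicts; blocks missing any of the three fields are skipped."""
    events = []
    for block in text.split("---"):
        fields = dict(FIELD.findall(block))
        if len(fields) == 3:
            events.append({"account": fields["Logon Account"],
                           "source": fields["Source Workstation"],
                           "code": fields["Error Code"].lower()})
    return events

def summarize_lockout_sources(events, dc_names):
    """Per account and per Source Workstation: bad-password and lockout counts, plus whether
    the 'source' is itself a DC, i.e. the failure came through an LDAP bind relayed by that DC
    and 4776 cannot name the real client."""
    dcs = {d.upper() for d in dc_names}          # assumed list of DC host names
    summary = defaultdict(dict)
    for ev in events:
        src = summary[ev["account"]].setdefault(ev["source"], {
            "bad_password": 0, "locked_out": 0,
            "relayed_via_dc": ev["source"].upper() in dcs})
        if ev["code"] == BAD_PASSWORD:
            src["bad_password"] += 1
        elif ev["code"] == LOCKED_OUT:
            src["locked_out"] += 1
    return dict(summary)

def needs_ldap_level_tracing(summary):
    """Accounts whose bad passwords came (wholly or partly) via a DC: for those the client
    address is only visible where the LDAP bind itself is logged or captured."""
    return sorted(acct for acct, sources in summary.items()
                  if any(s["relayed_via_dc"] and s["bad_password"] for s in sources.values()))

if __name__ == "__main__":
    s = summarize_lockout_sources(parse_4776(SAMPLE_4776), ["DC01", "DC02", "DC03"])
    for acct, sources in s.items():
        for src, c in sources.items():
            print(f"{acct:12} {src:10} bad={c['bad_password']} locked={c['locked_out']} via_dc={c['relayed_via_dc']}")
    print("needs LDAP-level tracing:", needs_ldap_level_tracing(s))
```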


Complete PC Restore and Authoritative Restore


Hi Guys, 

I want to restore 2 DCs from production, which are backed up with system state and the C volume, to my new test environment.

It's a simple single-domain environment.

After restoring both DCs and rebuilding SYSVOL, AD is working but I got a USN rollback issue.

I know a Complete PC restore of AD is a non-authoritative restore process.

How can I do an authoritative restore via Complete PC restore? Will this resolve the USN rollback issue?

Can I go into DSRM and mark one DC as authoritative after the Complete PC restore?

Any suggestions, thanks!!


Weicong888

Moving Forest Root Domain


I want to decommission the current Forest Root Domain and move the forest root domain to another domain tree. Can I do it?

Currently

Single Forest with 2 Domain Trees for a total of 4 domains.

Domain A  (Domain Tree 1) Also the Forest Root Domain

Domain B (Domain Tree 2)

Domain C (Child Domain to Domain B)

Domain D (Child Domain to Domain B)

I would like to decommission Domain A and move the forest root domain to Domain B.

Can I do it?

Thank you in advance

AD LDS How to create a user on an empty app partition


I created a stand-alone AD LDS instance using the setup wizard. Then I used ADSI Edit to create a Users container. Next I created a user, set the password and set msDS-UserAccountDisabled to False. Then I tried to expand Roles, expand Readers, edit the member property and add DN: o=Microsoft,c=us,CN=Users,CN=Joe, and I get the following error:

Operation failed. Error code: 0x20b5 The name reference is invalid. Problem 1005....

How do I fix this? Also, can't a user just be defined in AD LDS, or is it just a reference to a real Windows account?

Thanks

Error while promoting Windows Server 2003 as an ADC


Error while promoting Windows Server 2003 as an ADC in a 2008 domain.

The operation failed because:

The functional level of the domain or forest is incompatible with this operating system.

"The version of the operating system installed is incompatible with the current domain
functional level. You must upgrade to a new version of the operating system before this
server can become a domain controller in this domain."


Arvind

Active DIRECTORY ERROR CODE 1355


An attempt by the local domain controller to automatically update information on one or more of the Computer object, the Settings object, or the Server object failed.

This operation will be tried again at the following interval.

Interval (minutes):
5

Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.

Internal ID:
32b0980

Arvind

ldp - bind with credentials fails on instance of AD LDS


I have a stand-alone instance of AD LDS running on a machine that is not part of a domain. I am running ldp.exe on the same machine. When I use ldp.exe to do a simple bind with credentials (using my DN), I get the following error:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3

{NtAuthIdentity: User='CN=MrX,CN=Users,O=Microsoft,C=US'; Pwd=<unavailable>; domain = ''}

Error <82>: ldap_bind_s() failed: Local Error.

Server error:

Also, the Bind dialog box does ask for a domain which I leave blank because the machine is not on a domain.

-----------

If I try to do a simple bind with credentials (using the name of the user, MrX) I get the following error:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3

{NtAuthIdentity: User='MrX'; Pwd=<unavailable>; domain = ''}

Error <49>: ldap_bind_s() failed: Invalid Credentials.

Server error: 80090308: LdapErr: DSID-0C0904D0, comment: AcceptSecurityContext error, data 57, v1db0

Error 0x80090308 The token supplied to the function is invalid

-----------

I can do a simple bind without a password for a successful anonymous login.

I can do a simple bind with a password for a successful authentication as my DN.

How can I bind with credentials, and how is this different from a simple bind (where I also enter a password)?

Thanks

Disaster Recovery of Domain Controller


I have a single domain with five domain controllers.  All are running Server 2008 R2 Enterprise.  Our forest and domain functional levels are at Server 2008 R2.  The FSMO role holder is running on VMware ESXi v5.1.

I use Windows Server Backup to take a daily full server backup to a volume on the server.  I also use StorageCraft ShadowProtect to take an image based backup of all volumes, with the exception of the volume containing the Windows Server Backup.

I am working on testing the restore in an isolated network. After restoring the server and setting the static IP address, subnet mask, gateway, and DNS servers, Network Location Awareness identifies the network as a 'Public Network' instead of the expected 'Domain Network'. This breaks AD, DNS, etc. Occasionally, it will switch over to 'Domain Network' and things appear to work properly. If the server is rebooted, it always goes back to 'Public Network'. At this point, it is the only server in the isolated network. The other DCs have not been restored and are in different AD sites. I see the same behavior when restoring with Windows Server Backup and ShadowProtect.

Any suggestions as to why this is happening?  I am hoping to not only test our disaster recovery plan, but to also test upgrading the domain to 2012 level.

Thanks!




Best possible way to deploy an RODC at a remote location


Hi

What is the best possible way to deploy an RODC in a remote office?

Scenario

1. The remote office has a 2Mbps leased line.

2. The head office has a 2Mbps leased line.

3. The head office has one DC running Windows Server 2008 R2.

4. The remote office has 10-12 computers, a local printer and Tally software to be run.

5. The RODC also works as a file server.

Requirements

1. Remote office users log on through the RODC with no dependency on the DC, whether the WAN is up or down.

2. The printer must be shared via the RODC, unaffected by the WAN being up or down.

3. File and folder access on the RODC, unaffected by the WAN link being up or down.

4. Same for Tally.

5. Replication from the RODC down to the DC.

How do I deploy this step by step?

If anyone can comment, we would highly appreciate it.


Arvind

AD schema tracking


Hi All,

How do I track schema changes in Active Directory?

Regards

JD


J D Tech Guy........

LDIFDE No Such Attribute


I am trying to import users with LDIFDE but I'm getting an error on the second user. The error is:

Add error on entry starting on line 20: No Such Attribute
The server side error is: 0x57 The parameter is incorrect.
The extended server error is:
00000057: LdapErr: DSID-0C090C30, comment: Error in attribute conversion operation, data 0, v1db0

I must be missing something, since the first entry (which gets added) and the second (which fails) look about the same to me. I've been trying to figure out the difference between the two entries for about an hour now with no luck; it all seems to be the same.

dn: CN=User One,OU=Test,OU=Company,DC=domain,DC=local
changetype: add
cn: User One
objectClass: user
sAMAccountName: user.one
telephoneNumber: (407) 599-6888
userPrincipalName: user.one@company.com
givenName: user
sn: one
title: Title
l: City
st: OH
streetAddress: 610 A Road
facsimileTelephoneNumber: (457) 874-5574
mobile: (888) 874-4891
extensionAttribute1: 210591
extensionAttribute2: 833871
mail: user.one@company.com

dn: CN=User Two,OU=Test,OU=company,DC=domain,DC=local
changetype: add
cn: User Two
objectClass: user
sAMAccountName: User.Two
telephoneNumber: (407) 599-6888
userPrincipalName: User.Two@company.com
givenName: User
sn: Two
title: Title
l: City
st: OH
streetAddress: 610 A Road
facsimileTelephoneNumber: (484) 489-6889
mobile: (888) 721-5464
extensionAttribute1: 286994
extensionAttribute2: 833871
mail: User.Two@company.com
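When two LDIF entries "look the same" but one fails with "No Such Attribute", the difference is usually in bytes the eye skips: trailing whitespace on an attribute name, a non-ASCII look-alike letter, or an attribute the schema does not have. The following is an added example (not from the post, and not what LDIFDE itself does) that parses LDIF text and audits each entry's attribute names for exactly those defects. The sample LDIF and the known-attribute set are constructed assumptions.

```python
import unicodedata

# Constructed sample: entry one is clean, entry two carries three hard-to-see defects.
SAMPLE_LDIF = """\
dn: CN=User One,OU=Test,DC=example,DC=test
changetype: add
cn: User One
objectClass: user
sAMAccountName: user.one
mail: user.one@example.test

dn: CN=User Two,OU=Test,DC=example,DC=test
changetype: add
cn: User Two
objectClass: user
sAMAccountName: user.two
mobile : (555) 010-0002
telephoneNumb\u0435r: (555) 010-0003
extensionAttribute3: 286994
mail: user.two@example.test
"""

# Assumed set of attribute names the target directory accepts (lower-cased for comparison).
KNOWN_ATTRS = {"dn", "changetype", "cn", "objectclass", "samaccountname", "telephonenumber",
               "userprincipalname", "givenname", "sn", "title", "l", "st", "streetaddress",
               "facsimiletelephonenumber", "mobile", "extensionattribute1",
               "extensionattribute2", "mail"}

def parse_ldif(text):
    """Split LDIF text into entries; each entry is an ordered list of (name, value) pairs.
    Folded continuation lines (leading space) are appended to the previous value."""
    entries, entry = [], []
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = []
            continue
        if line.startswith(" ") and entry:
            name, value = entry[-1]
            entry[-1] = (name, value + line[1:])
            continue
        name, _, value = line.partition(":")
        entry.append((name, value.lstrip(" ")))
    if entry:
        entries.append(entry)
    return entries

def audit_attribute_names(entry, known):
    """Return (attribute, problem) pairs for names a directory would reject as unknown."""
    problems = []
    for name, _ in entry:
        if name != name.strip():
            problems.append((name, "leading/trailing whitespace in attribute name"))
        elif any(ord(ch) > 127 for ch in name):
            odd = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in name if ord(c) > 127)
            problems.append((name, "non-ASCII character(s): " + odd))
        elif name.lower() not in known:
            problems.append((name, "not a known attribute"))
    return problems

def attributes_only_in(second, first):
    """Attribute names present in the failing entry but absent from the working one."""
    return sorted({n for n, _ in second} - {n for n, _ in first})

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for idx, e in enumerate(entries, 1):
        for name, problem in audit_attribute_names(e, KNOWN_ATTRS):
            print(f"entry {idx}: {name!r}: {problem}")
    print("only in entry 2:", attributes_only_in(entries[1], entries[0]))
```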

Need clarification on Account lockout policy?


Hi Team,

AD : Windows server 2008 R2

Users Count : 4000+ Users

In my domain there is no account lockout policy in place; it's set to 0 invalid attempts. For auditing and security reasons, I need to apply an account lockout policy in my domain.

So, to observe, I implemented the lockout policy in the domain. But then a lot of users started complaining about account lockout issues, and my help desk was filled with lockout tickets.

I think the majority of the issue is caused by saved passwords on the PCs. After this incident, I rolled back my changes.

Please advise how I can tweak this and apply a lockout policy in my domain.

Regards, Dev

DNS Server error Event ID 4015 after replacing domain controller with another using same name


After demoting a Server 2008 R2 domain controller, renaming it, and then creating and promoting a new Server 2012 domain controller with the same name (DC6), I am seeing this error intermittently on the new DC.

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          4/16/2013 6:58:37 PM
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC6.MyDomain.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

There does not appear to be any actual problem otherwise, however. DNS can be restarted on the new DC without issue or error message. Replication seems to be working everywhere. Repadmin /replsummary results are:

Beginning data collection for replication summary, this may take awhile:
  ...........

Source DSA         largest delta    fails/total %%  error
 DC1                      10m:07s    0 /  20   0
 DC2                      11m:49s    0 /  20   0
 DC3                      10m:08s    0 /  20   0
 DC4                      11m:50s    0 /  20   0
 DC5                      11m:50s    0 /  20   0
 DC6                      10m:08s    0 /   5   0
 DC7                      10m:09s    0 /  20   0
 DC8                      11m:50s    0 /  20   0

Destination DSA     largest delta    fails/total %%   error
 DC1                      09m:13s    0 /  20   0
 DC2                      07m:54s    0 /  15   0
 DC3                      09m:59s    0 /  20   0
 DC4                      08m:48s    0 /  15   0
 DC5                      10m:10s    0 /  20   0
 DC6                      11m:57s    0 /  20   0
 DC7                      10m:03s    0 /  20   0
 DC8                      02m:33s    0 /  15   0

There are two DCs at each of 4 sites. The local site replication partner for this DC is DC5, and there are no errors on DC5, although there is an informational event related to the old DC which is logged intermittently:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          4/16/2013 9:28:15 AM
Event ID:      1104
Task Category: Knowledge Consistency Checker
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC5.MyDomain.local
Description:
The Knowledge Consistency Checker (KCC) successfully terminated the following change notifications.

Directory partition:
DC=MyDomain,DC=local
Destination network address:
963562c1-fc7d-41e7-bbf9-4acc2f02b2d5._msdcs.PBJFS.local
Destination directory service (if available):
CN=NTDS Settings\0ADEL:963562c1-fc7d-41e7-bbf9-4acc2f02b2d5,CN=DC6\0ADEL:6753a055-0c0f-42de-819f-e267d9e34601,CN=Servers,CN=MySiteName,CN=Sites,CN=Configuration,DC=MyDomain,DC=local

This event can occur if either this directory service or the destination directory service has been moved to another site.

My understanding is that this can be ignored and will go away. There is no correlation between these events on DC5 and the problematic error logged on DC6, but I mention them just in case.

The final piece of information I will provide is that I have an issue with non-domain-joined computers being unable to register in DNS if they get their DHCP address from Server 2008 R2 DCs. (The DCs all run DHCP and DNS, and DNS is AD-integrated.) Two of my 8 DCs are Server 2008 R1, including DC5. Non-domain computers that get DHCP from the Server 2008 R1 servers have their addresses registered in DNS just fine. All domain computers get their addresses registered regardless of the operating system of the DHCP server they connect to, and only non-domain computers are affected by that issue. In an attempt to remedy that situation I had recently changed Dynamic Updates in DNS from 'Secure Only' to 'Non-Secure and Secure', but it did not help.

I would like to rebuild DC5 as a Server 2012 DC pretty soon, but I want to first see if I can eliminate this DNS error message from DC6. The error is logged irregularly and averages about once every 24 hours, but can sometimes happen twice in a day or not at all for two days. The original DC6 is still in use under another name and has already registered in DNS under the new name. In between the demotion and promotion of the replacement DC, I also made sure the old DC6 had all of its DNS entries removed and that replication had finished amongst all my DCs. The old DC6 computer object under its new name is no longer in the Domain Controllers group and the new DC6 computer object is, just as expected.

I did try changing the DNS server IP entries in the network configuration on the DC itself, but this did not help. Currently DC6 is set up to use DC5 as primary and itself by IP as secondary (these were originally reversed, but changing them has not eliminated the error). The loopback is listed as the third DNS entry in the network config.

Thousands of lsass connections from RODC to WDC


I have an RODC that has around 1500 lsass ESTABLISHED connections to 2 WDCs. This RODC is the only RODC for a single site within our AD deployment. If I run netstat -b, all these connections come back as follows:

[lsass.exe] TCP    <IP of RODC>:61366     <WDC01>:49155         ESTABLISHED
[lsass.exe] TCP    <IP of RODC>:61374     <WDC02>:49157         ESTABLISHED

There are roughly around 800 to each of the WDCs, so 800 to WDC01 and 800 to WDC02. 

All the users and computers in this RODC site are part of a group that is in the "Allow" setting for the RODC under the "Password Replication Policy" tab for the RODC in ADUC.  If I click on the Advanced button in the "Password Replication Policy" tab for the RODC all the users/computers I would expect to be listed in the "Accounts whose passwords are stored on this Read-only Domain Controller" are listed.  So I'm pretty darn sure the passwords are being cached at the RODC. 

I've done a bunch of reading about this, and the only thing I could find regarding this problem is the following hotfix: http://support.microsoft.com/kb/976449. However, this hotfix states that I should be seeing errors on the WDCs and that this should only happen with accounts that are not cacheable at the RODC. I am NOT seeing errors on the WDCs, and I don't believe there are people trying to use this RODC that do not have cacheable accounts.

Can anybody point me in the right direction regarding this?

Cannot install additional domain controller at this time because the RID master is offline (2008 R2)


Recently I had the DC that was my Schema Master, Domain Naming Master, PDC, RID Pool Manager, and Infrastructure Master crash. After repeated attempts to resuscitate it, I began the rebuild process. I have reloaded 2008 R2 Enterprise and fully updated the server, and renamed it with a new name (not the same as the crashed DC). I have entered the same IP information from the original DC, and I have added the roles that were set. I have one DC left standing, but when I tried DCPROMO on the new DC I got the error "You cannot install an additional domain controller at this time because the RID master <Crashed DC name here> is offline." I ran dcdiag on the remaining DC and confirmed that it still sees the old crashed DC as Schema Master, Domain Naming Master, PDC, RID Pool Manager, and Infrastructure Master. How do I proceed to get this new DC back in service and get my domain back online?

Multi site replication issue


Hello,
I am having an AD replication issue and really need any suggestion or help available. We have a Windows 2008 R2 single domain with a multi-site (4) environment. For the last few weeks we have been having a replication issue. All sites have DCs that were replicating. Now no site is replicating anything from the site with the PDC (DC1), and a couple are not replicating between themselves. Event errors/warnings 1311, 1865 and 1566 are being generated on all DCs. Started getting event error 1864 today.
Here are my settings: all DCs are Windows 2008 R2 (DC1/SITE1, DC2/SITE2, DC3/SITE3 and DC4/SITE4). Site links exist between sites 1 & 2, 2 & 3, 2 & 4 and 3 & 4. Below is the output of the replication summary:

AT DC2:
C:\Users\rz9zwx>repadmin /replsum
Replication Summary Start Time: 2013-04-28 19:39:53

Beginning data collection for replication summary, this may take awhile:
  .......
Source DSA          largest delta    fails/total %%   error
SGPPVDCB01        13d.18h:43m:52s    5 /   5  100  (1722) The RPC server is unavailable.

Destination DSA     largest delta    fails/total %%   error
 MPGVPDCB02        13d.18h:43m:52s    5 /   5  100  (1722) The RPC server is unavailable.

Experienced the following operational errors trying to retrieve replication information:
        8341 - WARPVDCB.ipt.com
        8341 - SGSPVDCB01.ipt.com
        8341 - SGPPVDCB01.ipt.com
-------------------------------------------------------
AT DC1-

Replication Summary Start Time: 2013-04-29 15:24:50
Beginning data collection for replication summary, this may take awhile:
  .......
Source DSA          largest delta    fails/total %%   error
 MPGVPDCB02                25m:30s    0 /  15    0
 SGPPVDCB01        14d.14h:28m:49s   10 /  10  100  (2148074274) The target principal name is incorrect.
 SGSPVDCB01        14d.23h:26m:14s    5 /   5  100  (1722) The RPC server is unavailable.
 WARPVDCB          58d.16h:13m:39s    5 /   5  100  (2148074274) The target principal name is incorrect.

Destination DSA     largest delta    fails/total %%   error
MPGVPDCB02        14d.14h:28m:49s    5 /   5  100  (2148074274) The target principal name is incorrect.
SGPPVDCB01        58d.16h:13m:44s   10 /  15   66  (2148074274) The target principal name is incorrect.
SGSPVDCB01        09d.12h:10m:13s    5 /  10   50  (2148074274) The target principal name is incorrect.
WARPVDCB                  06m:17s    0 /   5    0

=====================
AT DC3-
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\RZ9ZWX>REPADMIN /REPLSUM
Replication Summary Start Time: 2013-04-30 03:28:27

Beginning data collection for replication summary, this may take awhile:
Source DSA          largest delta    fails/total %%   error
 MPGVPDCB02                04m:10s    0 /   5    0
 SGPPVDCB01        14d.14h:32m:26s   10 /  10  100  (2148074274) The target principal name is incorrect.

Experienced the following operational errors trying to retrieve replication information:
        8341 - WARPVDCB.ipt.com
        8341 - SGPPVDCB01.ipt.com

================================

AT DC4-

C:\Users\rz9zwx>REPADMIN /REPLSUM

Replication Summary Start Time: 2013-04-30 03:31:42

Beginning data collection for replication summary, this may take awhile:
Destination DSA     largest delta    fails/total %%   error
 MPGVPDCB02        14d.14h:35m:44s    5 /   5  100  (2148074274) The target principal name is incorrect.
 SGPPVDCB01        58d.16h:20m:36s   10 /  15   66  (2148074274) The target principal name is incorrect.

Experienced the following operational errors trying to retrieve replication information:
        8341 - WARPVDCB.ipt.com
        8341 - SGSPVDCB01.ipt.com

=================

I noticed that DC1's host record (A) is missing in gc._msdcs.xxx.com in the DNS manager of DC2 and DC3. I added it manually on DC2 with no result. This record should have been added automatically. Tried with the site link configuration as well, with no result. I really appreciate any suggestion / help on this issue.
Thank you.
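Both this post and the DC6 DNS post above paste repadmin /replsummary output by hand; reading eight such tables by eye is where partners with fails get missed. The following added example (not from either post, and not a Microsoft tool) parses that layout: the Source DSA and Destination DSA rows, the largest-delta field converted to seconds, the decimal error code rendered as the hex HRESULT, and the 8341 "could not retrieve" operational errors, then lists every partner that needs attention. The sample text is constructed with placeholder DSA names.

```python
import re

# Constructed repadmin /replsummary output in the same layout as the post (sample, not the poster's data).
SAMPLE_REPLSUM = """\
Replication Summary Start Time: 2013-04-29 15:24:50
Beginning data collection for replication summary, this may take awhile:
  .......
Source DSA          largest delta    fails/total %%   error
 DCB02                     25m:30s    0 /  15    0
 DCB01             14d.14h:28m:49s   10 /  10  100  (2148074274) The target principal name is incorrect.

Destination DSA     largest delta    fails/total %%   error
 DCB02             14d.14h:28m:49s    5 /   5  100  (2148074274) The target principal name is incorrect.
 DCB04                     06m:17s    0 /   5    0

Experienced the following operational errors trying to retrieve replication information:
        8341 - DCB03.example.test
"""

ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)(?:\s+\((\d+)\)\s*(.*?))?\s*$")
OPERR = re.compile(r"^\s*(\d+)\s+-\s+(\S+)\s*$")
DELTA = re.compile(r"^(?:(\d+)d\.)?(?:(\d+)h:)?(?:(\d+)m:)?(\d+)s$")

def delta_seconds(text):
    """'14d.14h:28m:49s' or '25m:30s' -> seconds; None if the field is not a delta."""
    m = DELTA.match(text)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def parse_replsum(text):
    """Walk the output section by section; rows outside a section (banner, dots) are ignored."""
    result = {"source": [], "destination": [], "operational_errors": []}
    section = None
    for line in text.splitlines():
        if line.startswith("Source DSA"):
            section = "source"
        elif line.startswith("Destination DSA"):
            section = "destination"
        elif line.startswith("Experienced the following operational errors"):
            section = "operational"
        elif section == "operational" and (m := OPERR.match(line)):
            result["operational_errors"].append({"code": int(m.group(1)), "dsa": m.group(2)})
        elif section in ("source", "destination") and (m := ROW.match(line)):
            code = int(m.group(6)) if m.group(6) else 0
            result[section].append({
                "dsa": m.group(1), "largest_delta_s": delta_seconds(m.group(2)),
                "fails": int(m.group(3)), "total": int(m.group(4)), "percent": int(m.group(5)),
                "error_code": code, "error_hex": f"0x{code:08x}",   # 2148074274 -> 0x80090322
                "error_text": m.group(7) or ""})
    return result

def failing_partners(summary):
    """Rows with at least one failed attempt, plus DSAs repadmin could not query at all."""
    bad = [{"section": sec, "dsa": r["dsa"], "error_code": r["error_code"], "error_text": r["error_text"]}
           for sec in ("source", "destination") for r in summary[sec] if r["fails"] > 0]
    bad += [{"section": "operational", "dsa": e["dsa"], "error_code": e["code"], "error_text": ""}
            for e in summary["operational_errors"]]
    return bad

if __name__ == "__main__":
    for f in failing_partners(parse_replsum(SAMPLE_REPLSUM)):
        print(f"{f['section']:12} {f['dsa']:20} {f['error_code']} {f['error_text']}")
```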


Active Directory StreetAddress LDAP Attribute


I am using csvde to extract user data from Active Directory.

One of the fields is streetAddress. This is fine unless there is a multi-line value.

For example, putting in the following address...

1 Westham Drive
Fentonville
Virginia

returns the following in the CSV file.

X'31205765737468616d2044726976650d0a46656e746f6e76696c6c650d0a56697267696e6961'

Is there a way to either get the correct output using csvde, or convert this data after extraction?

Thanks

G
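The X'...' form is a hex dump of the attribute's bytes, which csvde emits when a value contains characters such as the CR/LF pair that separates the address lines. The following added example (not from the post and not part of csvde) post-processes such an export: it decodes every X'...' field back to text and either keeps the line breaks inside a properly quoted CSV field or joins them with a separator. The sample rows are constructed; the hex value is the one quoted in the question, and decoding as UTF-8 with a cp1252 fallback is an assumption.

```python
import csv
import io
import re

HEX_VALUE = re.compile(r"^X'([0-9A-Fa-f]*)'$")

# Constructed csvde-style export (sample data); the hex value is the one from the question.
SAMPLE_CSV = """\
DN,sAMAccountName,streetAddress
"CN=User One,OU=Test,DC=example,DC=test",user.one,X'31205765737468616d2044726976650d0a46656e746f6e76696c6c650d0a56697267696e6961'
"CN=User Two,OU=Test,DC=example,DC=test",user.two,1 Single Line Road
"""

def decode_csvde_value(value, encoding="utf-8"):
    """Return the text behind an X'..' field; any other value is returned unchanged."""
    m = HEX_VALUE.match(value.strip())
    if not m:
        return value
    raw = bytes.fromhex(m.group(1))
    try:
        return raw.decode(encoding)
    except UnicodeDecodeError:
        return raw.decode("cp1252", errors="replace")   # assumed ANSI fallback

def normalize_export(csv_text, line_joiner=None):
    """Decode every X'..' field in the export. With line_joiner=None the embedded line breaks
    are kept (to be written back as a quoted CSV field); otherwise lines are joined with it."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        clean = {}
        for key, val in row.items():
            val = decode_csvde_value(val)
            if line_joiner is not None:
                val = line_joiner.join(val.splitlines())
            clean[key] = val
        rows.append(clean)
    return rows

def to_csv(rows):
    """Write rows back out; csv quotes any field that still contains a line break."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    for row in normalize_export(SAMPLE_CSV, line_joiner=", "):
        print(row["sAMAccountName"], "->", row["streetAddress"])
    print(to_csv(normalize_export(SAMPLE_CSV)))
```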

Install Office


Hello, good evening. I don't know if you can help me with a project, which is the following: I want to share Office 2010 on my terminals. I have Windows Server 2008 R2, it is already joined to the domain and the users are configured, but when a user logs in, Office is not there. What I want to know is how I can make them use Office from the server and save to their Documents folder. Thanks.

One user should only be able to log in once. How?


I want to prevent multiple logins by the same user, meaning a single user can only be logged in on one machine at a time.

How do I achieve this?


Regards, Hari Prasad.D

Change language of built-in groups in Active Directory Users and Computers


Hi

I have migrated a domain from French to English and all is working well. But the built-in groups and accounts in Active Directory Users and Computers remain in French.

Is there a way to display these groups in English?