Channel: Directory Services forum

logon failure: the target account name is incorrect


Hi

I am getting the "logon failure: the target account name is incorrect" error when trying to add a computer to the domain.

Our office network runs on Windows Server 2003 and we have two DCs, both 2003. Client computers are XP and Windows 7. This particular computer dropped off the network, so I removed it from the domain and am trying to add it back.

I have also noticed a few computers getting random errors where they can't access a network share by name (\\servername\share) but can access it by IP (\\192.168.19.2\share); after I restart the computer they work fine.

I have a feeling this has got to do with Kerberos security. I have seen a few event log errors on the server; they are:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date:  26/04/2013
Time:  10:17:01 AM
User:  N/A
Computer: PERTHSRV2
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server perthadmin5$.  The target name used was cifs/PERTHADMIN5.entpubperth.entertainmentbook.com.au. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (ENTPUBPERTH.ENTERTAINMENTBOOK.COM.AU), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

---------------------------------

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
Date:  26/04/2013
Time:  8:24:47 AM
User:  N/A
Computer: PERTHSRV2
Description:
The session setup from the computer NBDMLAP failed to authenticate. The name(s) of the account(s) referenced in the security database is NBDMLAP$.  The following error occurred:
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0               "..À   

Hope you can help me with this.

Thank You

Kris
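The two events above describe one mechanism in Microsoft's own words: KRB_AP_ERR_MODIFIED means the service ticket was encrypted with a key that the target server does not hold (typically two accounts claiming the same SPN, or a stale machine account), and the NETLOGON 5722 Data bytes are an NTSTATUS stored little-endian (22 00 00 c0 is 0xC0000022, STATUS_ACCESS_DENIED, i.e. the client's machine-account password no longer matches the DC's copy). The following Python is an added example, not part of Kris's post or of any Microsoft tool: it parses the two event texts, decodes the NTSTATUS, and checks the SPN from the Kerberos event against a constructed snapshot of computer accounts. PERTHADMIN5-OLD$ is an invented duplicate for demonstration; in a real check the account list would come from an LDAP search on servicePrincipalName or from `setspn -X`.

```python
import re
import struct

# NTSTATUS values that show up in the Data bytes of NETLOGON 5722
# (the four bytes are a little-endian DWORD: "22 00 00 c0" -> 0xC0000022).
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
}

# Constructed sample: the two events from the post, trimmed to the lines the parser reads.
SAMPLE_EVENTS = """\
Event Source: Kerberos
Event ID: 4
Computer: PERTHSRV2
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server perthadmin5$.  The target name used was cifs/PERTHADMIN5.entpubperth.entertainmentbook.com.au. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server.
---------------------------------
Event Source: NETLOGON
Event ID: 5722
Computer: PERTHSRV2
Description:
The session setup from the computer NBDMLAP failed to authenticate. The name(s) of the account(s) referenced in the security database is NBDMLAP$.  The following error occurred:
Access is denied.
Data:
0000: 22 00 00 c0               "..À
"""

# Constructed snapshot of computer accounts (hypothetical; PERTHADMIN5-OLD$ is an
# invented stale duplicate). In production, pull these with an LDAP search on
# servicePrincipalName or compare against `setspn -X` output.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "PERTHADMIN5$",
     "servicePrincipalName": ["HOST/PERTHADMIN5",
                              "HOST/perthadmin5.entpubperth.entertainmentbook.com.au"]},
    {"sAMAccountName": "PERTHADMIN5-OLD$",
     "servicePrincipalName": ["HOST/perthadmin5.entpubperth.entertainmentbook.com.au"]},
    {"sAMAccountName": "NBDMLAP$",
     "servicePrincipalName": ["HOST/NBDMLAP",
                              "HOST/nbdmlap.entpubperth.entertainmentbook.com.au"]},
]

KRB_RE = re.compile(r"KRB_AP_ERR_MODIFIED error from the server (?P<server>\S+?)\.\s+"
                    r"The target name used was (?P<spn>\S+?)\.\s", re.S)
NETLOGON_RE = re.compile(r"from the computer (?P<client>\S+) failed to authenticate\..*?"
                         r"security database is (?P<account>\S+?)\.\s", re.S)
DATA_RE = re.compile(r"^\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2}\s+){4})", re.I | re.M)


def _field(block, name):
    m = re.search(r"^" + re.escape(name) + r":\s*(.+?)\s*$", block, re.M)
    return m.group(1) if m else None


def parse_events(text):
    """Split an exported event log on the dashed separator and pull out the fields."""
    events = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        if "Event ID:" not in block:
            continue
        ev = {"source": _field(block, "Event Source"),
              "event_id": int(_field(block, "Event ID")),
              "computer": _field(block, "Computer")}
        m = KRB_RE.search(block)
        if m:
            ev["server_account"], ev["spn"] = m.group("server"), m.group("spn")
        m = NETLOGON_RE.search(block)
        if m:
            ev["client"], ev["account"] = m.group("client"), m.group("account")
        m = DATA_RE.search(block)
        if m:
            status = struct.unpack("<I", bytes.fromhex(re.sub(r"\s", "", m.group(1))))[0]
            ev["ntstatus"], ev["ntstatus_name"] = status, NTSTATUS_NAMES.get(status, "unknown")
        events.append(ev)
    return events


def spn_holders(spn, accounts):
    """Accounts whose servicePrincipalName covers `spn`. HOST/ counts as an alias
    because AD's sPNMappings fold cifs, ldap, http and friends onto HOST."""
    service, _, instance = spn.partition("/")
    wanted = {service.lower(), "host"}
    holders = []
    for acct in accounts:
        for held in acct["servicePrincipalName"]:
            svc, _, inst = held.partition("/")
            if svc.lower() in wanted and inst.lower() == instance.lower():
                holders.append(acct["sAMAccountName"])
                break
    return holders


def triage(text, accounts):
    findings = []
    for ev in parse_events(text):
        if "spn" in ev:
            holders = spn_holders(ev["spn"], accounts)
            if len(holders) > 1:
                findings.append(("DUPLICATE_SPN", ev["spn"], holders))
            elif not holders:
                findings.append(("SPN_NOT_REGISTERED", ev["spn"], holders))
            elif holders[0].upper() != ev["server_account"].upper():
                findings.append(("SPN_ON_WRONG_ACCOUNT", ev["spn"], holders))
        if "account" in ev and ev.get("ntstatus") == 0xC0000022:
            # The client's machine-account password no longer matches the DC's copy:
            # the secure channel is broken and has to be reset (netdom reset / rejoin).
            findings.append(("SECURE_CHANNEL_BROKEN", ev["account"], [ev["client"]]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_ACCOUNTS):
        print(*finding)
```

Run against the sample it reports DUPLICATE_SPN for the cifs/ name (two accounts hold it) and SECURE_CHANNEL_BROKEN for NBDMLAP$; the second finding is exactly the state a computer is in after it has been removed from the domain and is being re-joined under an existing account.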


Unable to delete disabled AD account with CN=ExchangeActiveSyncDevice even though inherit permissions is checked through MIIS

Hi Experts,

One of our clients uses MIIS to manage some of the AD users. The issue we are facing is that we are unable to delete disabled accounts which were enabled for ActiveSync and have a child object created as CN=ExchangeActiveSyncDevice. I have read other blogs with this same issue, where it was solved by checking "inherit permissions"; I have checked these users and found they already have the check mark. Also, the service account used by MIIS is listed in the Domain Admins group and has full control permissions on the user object. These disabled user objects can be deleted manually, but when tried from MIIS it does not work.

Can I have some help and pointers please.

Thank you.

Heman Gupta

Reseting the badPwdCount attribute in ldap


Hi,

I am trying to reset the Active Directory badPwdCount field but keep getting "Server is unwilling to perform". To me it seems that this particular field is not editable. I know my PHP code works for other fields, and I have admin rights. Does someone know if there's a way to edit this field? And if yes, how?

If there's just no way, maybe someone knows how to check an AD password for a given user using an LDAP request from PHP code WITHOUT trying to do an LDAP bind?

thanks

Damaged AD


I don't know where to start to get my problem fixed. It all began yesterday when suddenly my secondary DC had a login problem and the message was telling me to start the DC in AD Restore Mode. I think there's some replication problem. I tried to demote it, but it says that I have to fix the replication problem first. Having made no progress after troubleshooting all day, I decided to reinstall the server. But still, after reinstalling, there are a lot of error messages on the primary and secondary DC.

We have 3 DCs: Windows 2008 acting as the primary DC, and Windows Server 2003 and 2000 as the secondary DCs. All are in separate locations connected by WAN links.

Below is the output from dcdiag and repadmin. Hope anyone here can help. Thanks.

DCDIAG


There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... SERVERAAA passed test FrsEvent
Starting test: DFSREvent
......................... SERVERAAA passed test DFSREvent
Starting test: SysVolCheck
......................... SERVERAAA passed test SysVolCheck
Starting test: KccEvent
......................... SERVERAAA passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... SERVERAAA passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... SERVERAAA passed test MachineAccount
Starting test: NCSecDesc
......................... SERVERAAA passed test NCSecDesc
Starting test: NetLogons
......................... SERVERAAA passed test NetLogons
Starting test: ObjectsReplicated
......................... SERVERAAA passed test ObjectsReplicated
Starting test: Replications
[Replications Check,Replications Check] Inbound replication is disabled.
To correct, run "repadmin /options SERVERAAA -DISABLE_INBOUND_REPL"
[Replications Check,SERVERAAA] Outbound replication is disabled.
To correct, run "repadmin /options SERVERAAA -DISABLE_OUTBOUND_REPL"
......................... SERVERAAA failed test Replications
Starting test: RidManager
......................... SERVERAAA passed test RidManager
Starting test: Services
w32time Service is stopped on [SERVERAAA]
NETLOGON Service is paused on [SERVERAAA]
......................... SERVERAAA failed test Services
Starting test: SystemLog
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:12:13
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:17:15
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:22:17
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:27:20
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:32:23
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Warning Event occurred. EventID: 0x8000A001
Time Generated: 04/30/2013 13:36:41
Event String:
The Security System could not establish a secured connection with the server ldap/Xyz.co.id/xyz.co.id@XYZ.CO.ID. No authentication protocol was available.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:36:41
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:37:25
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:42:27
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:47:29
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:52:31
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:55:47
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:55:58
Event String:
Driver EPSON TX111 Series required for printer !!LAURENCIUS-PC!EPSON TX111 Series is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:56:03
Event String:
Driver HP LaserJet Professional P1102 required for printer !!LAURENCIUS-PC!HP LaserJet Professional P1102 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:56:04
Event String:
Driver HP Deskjet D2500 series required for printer !!pcd-0014!HP Deskjet D2500 series is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:56:05
Event String:
Driver HP Deskjet D2400 series required for printer !!PCD-0010!HP Deskjet D2400 series is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:56:06
Event String:
Driver Brother MFC-J6710DW Printer required for printer Brother MFC-J6710DW Printer is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:56:07
Event String:
Driver Brother PC-FAX v.2.2 required for printer Brother PC-FAX v.2.2 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:56:09
Event String:
Driver HP LaserJet Professional P1102 required for printer HP LaserJet Professional P1102 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:56:10
Event String:
Driver FinePrint 5 required for printer FinePrint is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:56:11
Event String:
Driver HP Universal Printing PCL 6 required for printer HP Universal Printing PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:56:11
Event String:
Driver pdfFactory 2 required for printer pdfFactory Pro is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:56:12
Event String:
Driver Microsoft Office Document Image Writer Driver required for printer Microsoft Office Document Image Writer is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 04/30/2013 13:56:14
Event String:
Driver Send To Microsoft OneNote Driver required for printer Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 13:57:33
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Warning Event occurred. EventID: 0x8000A001
Time Generated: 04/30/2013 14:01:35
Event String:
The Security System could not establish a secured connection with the server ldap/ccc.Xyz.co.id/xyz.co.id@XYZ.CO.ID. No authentication protocol was available.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 14:02:36
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An Error Event occurred. EventID: 0x00000406
Time Generated: 04/30/2013 14:07:38
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
......................... SERVERAAA failed test SystemLog
Starting test: VerifyReferences
......................... SERVERAAA passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : Xyz
Starting test: CheckSDRefDom
......................... Xyz passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Xyz passed test CrossRefValidation
Running enterprise tests on : Xyz.co.id
Starting test: LocatorCheck
......................... Xyz.co.id passed test LocatorCheck
Starting test: Intersite
......................... Xyz.co.id passed test Intersite

REPADMIN /SHOWREPS

Default-First-Site-Name\SERVERAAA
DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
Site Options: (none)
DSA object GUID: b1a3c462-00e1-4d06-9508-e6f35e846040
DSA invocationID: b1a3c462-00e1-4d06-9508-e6f35e846040
==== INBOUND NEIGHBORS ======================================
DC=Xyz,DC=co,DC=id
Default-First-Site-Name\SERVERSERVERCCC via RPC
DSA object GUID: 920289e6-9a2b-4ba8-8a07-16043253d697
Last attempt @ 2013-04-30 13:49:57 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
27 consecutive failure(s).
Last success @ 2013-04-01 14:46:32.
CN=Configuration,DC=Xyz,DC=co,DC=id
Default-First-Site-Name\SERVERSERVERCCC via RPC
DSA object GUID: 920289e6-9a2b-4ba8-8a07-16043253d697
Last attempt @ 2013-04-30 13:49:57 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
27 consecutive failure(s).
Last success @ 2013-04-01 14:42:24.
CN=Schema,CN=Configuration,DC=Xyz,DC=co,DC=id
Default-First-Site-Name\SERVERSERVERCCC via RPC
DSA object GUID: 920289e6-9a2b-4ba8-8a07-16043253d697
Last attempt @ 2013-04-30 13:49:57 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
27 consecutive failure(s).
Last success @ 2013-04-01 13:49:58.
Source: Default-First-Site-Name\SERVERSERVERCCC
******* 27 CONSECUTIVE FAILURES since 2013-04-01 14:46:32
Last error: 8457 (0x2109):
The destination server is currently rejecting replication requests.
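The dcdiag and repadmin output above carries a specific signature: DSA Options shows both DISABLE_INBOUND_REPL and DISABLE_OUTBOUND_REPL, the NETLOGON service is paused, and every inbound neighbour has been failing with result 8457 ("destination server is currently rejecting replication requests") since 2013-04-01. That combination is the state a domain controller puts itself into when it detects a USN rollback (Directory Service event 2095), which fits a DC that was reinstalled or rolled back; dcdiag's suggestion to simply run `repadmin /options -DISABLE_*` re-enables replication but does not undo the rollback and risks lingering objects, so the usual course is forced demotion plus metadata cleanup (or a supported restore). The following Python is an added example, not part of the post or of any Microsoft tool: it parses the `repadmin /showreps` and `dcdiag` text (trimmed copies of the post's output, embedded as constructed samples) and turns the symptoms into findings with the number of days each partition has gone without a successful inbound replication.

```python
import re
from datetime import datetime

# Constructed sample: the repadmin /showreps output from the post, trimmed to two partitions.
SAMPLE_SHOWREPS = r"""
Default-First-Site-Name\SERVERAAA
DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
Site Options: (none)
DSA object GUID: b1a3c462-00e1-4d06-9508-e6f35e846040
DSA invocationID: b1a3c462-00e1-4d06-9508-e6f35e846040
==== INBOUND NEIGHBORS ======================================
DC=Xyz,DC=co,DC=id
Default-First-Site-Name\SERVERSERVERCCC via RPC
DSA object GUID: 920289e6-9a2b-4ba8-8a07-16043253d697
Last attempt @ 2013-04-30 13:49:57 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
27 consecutive failure(s).
Last success @ 2013-04-01 14:46:32.
CN=Configuration,DC=Xyz,DC=co,DC=id
Default-First-Site-Name\SERVERSERVERCCC via RPC
DSA object GUID: 920289e6-9a2b-4ba8-8a07-16043253d697
Last attempt @ 2013-04-30 13:49:57 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
27 consecutive failure(s).
Last success @ 2013-04-01 14:42:24.
"""

# Constructed sample: the relevant lines of the dcdiag output from the post.
SAMPLE_DCDIAG = """
Starting test: Replications
[Replications Check,Replications Check] Inbound replication is disabled.
......................... SERVERAAA failed test Replications
Starting test: Services
w32time Service is stopped on [SERVERAAA]
NETLOGON Service is paused on [SERVERAAA]
......................... SERVERAAA failed test Services
"""

TS = "%Y-%m-%d %H:%M:%S"


def parse_showreps(text):
    """Pull the DSA name, DSA options and per-partition inbound neighbour state."""
    rep = {"dsa": None, "dsa_options": set(), "neighbors": []}
    partition, current, inbound = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if rep["dsa"] is None and "\\" in line and " via " not in line:
            rep["dsa"] = line.rsplit("\\", 1)[1]
        elif line.startswith("DSA Options:"):
            rep["dsa_options"] = set(line.split(":", 1)[1].split())
        elif line.startswith("==== INBOUND"):
            inbound = True
        elif line.startswith("==== OUTBOUND"):
            inbound = False
        elif inbound and line.startswith(("DC=", "CN=")):
            partition = line
        elif inbound and " via " in line:
            current = {"partition": partition, "source": line.split(" via ")[0],
                       "result": 0, "failures": 0, "last_attempt": None, "last_success": None}
            rep["neighbors"].append(current)
        elif current and line.startswith("Last attempt @"):
            m = re.match(r"Last attempt @ (\S+ \S+) (?:failed, result (\d+)|was successful)", line)
            current["last_attempt"] = datetime.strptime(m.group(1), TS)
            current["result"] = int(m.group(2) or 0)
        elif current and re.match(r"\d+ consecutive failure", line):
            current["failures"] = int(line.split()[0])
        elif current and line.startswith("Last success @"):
            current["last_success"] = datetime.strptime(line[len("Last success @ "):].rstrip("."), TS)
    return rep


def parse_dcdiag(text):
    """Collect failed tests and the state of services dcdiag reports on."""
    info = {"failed_tests": [], "services": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r"\S+ failed test (\S+)$", line)
        if m:
            info["failed_tests"].append(m.group(1))
        m = re.match(r"(\S+) Service is (stopped|paused|running) on \[", line)
        if m:
            info["services"][m.group(1).upper()] = m.group(2)
    return info


def assess(showreps, dcdiag):
    findings = []
    quarantined = {"DISABLE_INBOUND_REPL", "DISABLE_OUTBOUND_REPL"} <= showreps["dsa_options"]
    if quarantined and dcdiag["services"].get("NETLOGON") == "paused":
        # Both replication directions off plus a paused Netlogon is the state a DC puts
        # itself into when it detects a USN rollback (Directory Service event 2095).
        # Re-enabling replication hides the symptom; the DC needs forced demotion and
        # metadata cleanup, or a supported restore.
        findings.append(("USN_ROLLBACK_SIGNATURE", showreps["dsa"], None))
    elif quarantined:
        findings.append(("REPLICATION_DISABLED", showreps["dsa"], None))
    if dcdiag["services"].get("W32TIME") == "stopped":
        # Kerberos tolerates 5 minutes of skew by default; a stopped time service on a
        # DC is the next thing that breaks authentication.
        findings.append(("TIME_SERVICE_STOPPED", showreps["dsa"], None))
    for n in showreps["neighbors"]:
        if n["result"] and n["last_success"]:
            findings.append(("INBOUND_FAILING", n["partition"],
                             {"source": n["source"], "result": n["result"],
                              "consecutive": n["failures"],
                              "stale_days": (n["last_attempt"] - n["last_success"]).days}))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_showreps(SAMPLE_SHOWREPS), parse_dcdiag(SAMPLE_DCDIAG)):
        print(*finding)
```

The stale_days figure matters because once it passes the forest's tombstone lifetime the DC can no longer be safely re-synchronised at all; here it is 28 days, so the window for a clean recovery is still open.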

Distinguish between Property Set and Attribute

Suppose that I have an ACE that gives ADS_RIGHT_DS_WRITE_PROP permission to some ObjectType. The GUID in the ObjectType field could be of an Attribute or Property set. How could I distinguish between Property Set and an Attribute in the ACE? For instance, maybe the GUID for Attribute and GUID for Property Set have special prefixes...


Thanks!
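The ObjectType GUID in an object ACE carries no prefix or type tag; what it refers to is only known by looking it up. An attribute (or class) is an attributeSchema/classSchema object in the schema partition whose schemaIDGUID matches; a property set is a controlAccessRight object under CN=Extended-Rights,CN=Configuration whose rightsGUID matches and whose validAccesses includes READ_PROP/WRITE_PROP (0x30). The same container also holds extended rights (validAccesses 0x100) and validated writes (0x08), and validated writes reuse the GUID of the attribute they guard, so the ACE's access mask is needed to read the GUID correctly. The following Python is an added example, not from the question or from any Microsoft API: it serialises and parses an ACCESS_ALLOWED_OBJECT_ACE (MS-DTYP layout, with the mixed-endian GUID encoding that `uuid.UUID(bytes_le=...)` handles) and classifies the ObjectType against constructed lookup tables that stand in for the two LDAP searches. The GUIDs in the tables are the published default-schema values; confirm them against your own forest before relying on them.

```python
import struct
import uuid

# Access mask bits (ADS_RIGHTS_ENUM) and object-ACE flags.
ADS_RIGHT_DS_CREATE_CHILD = 0x01
ADS_RIGHT_DS_DELETE_CHILD = 0x02
ADS_RIGHT_DS_SELF = 0x08
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05

# Constructed lookup tables standing in for two LDAP searches:
#   schema NC, (|(objectClass=attributeSchema)(objectClass=classSchema)) -> schemaIDGUID
#   CN=Extended-Rights,CN=Configuration, (objectClass=controlAccessRight) -> rightsGUID, validAccesses
# The GUIDs are the published default-schema values; verify against your own forest.
SCHEMA_GUIDS = {
    "bf967a68-0de6-11d0-a285-00aa003049e2": ("attribute", "userAccountControl"),
    "bf9679c0-0de6-11d0-a285-00aa003049e2": ("attribute", "member"),
    "bf967aba-0de6-11d0-a285-00aa003049e2": ("class", "user"),
}
CONTROL_ACCESS_RIGHTS = {  # rightsGUID -> (name, validAccesses)
    "77b5b886-944a-11d1-aebd-0000f80367c1": ("Personal-Information", 0x30),
    "e48d0154-bcf8-11d1-8702-00c04fb96050": ("Public-Information", 0x30),
    "4c164200-20c0-11d0-a768-00aa006e0529": ("User-Account-Restrictions", 0x30),
    "00299570-246d-11d0-a768-00aa006e0529": ("User-Force-Change-Password", 0x100),
    # A validated write reuses the attribute's GUID: only the mask tells them apart.
    "bf9679c0-0de6-11d0-a285-00aa003049e2": ("Self-Membership", 0x08),
}


def sid_to_str(raw):
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def str_to_sid(text):
    parts = text.split("-")
    revision, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_object_ace(mask, trustee, object_type=None, inherited_object_type=None,
                     ace_type=ACCESS_ALLOWED_OBJECT_ACE_TYPE):
    """Serialise an ACCESS_ALLOWED_OBJECT_ACE: header, mask, flags, GUIDs, SID."""
    flags, body = 0, b""
    if object_type:
        flags |= ACE_OBJECT_TYPE_PRESENT
        body += uuid.UUID(object_type).bytes_le        # GUIDs are stored mixed-endian
    if inherited_object_type:
        flags |= ACE_INHERITED_OBJECT_TYPE_PRESENT
        body += uuid.UUID(inherited_object_type).bytes_le
    sid = str_to_sid(trustee)
    size = 12 + len(body) + len(sid)
    return struct.pack("<BBHII", ace_type, 0, size, mask, flags) + body + sid


def parse_object_ace(data):
    ace_type, ace_flags, size = struct.unpack_from("<BBH", data, 0)
    mask, flags = struct.unpack_from("<II", data, 4)
    offset, object_type, inherited = 12, None, None
    if flags & ACE_OBJECT_TYPE_PRESENT:
        object_type = uuid.UUID(bytes_le=data[offset:offset + 16])
        offset += 16
    if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
        inherited = uuid.UUID(bytes_le=data[offset:offset + 16])
        offset += 16
    return {"type": ace_type, "mask": mask, "object_type": object_type,
            "inherited_object_type": inherited, "trustee": sid_to_str(data[offset:size])}


def classify(object_type, mask):
    """Say what an ObjectType GUID means in the light of the ACE's access mask."""
    if object_type is None:
        return [("all", "*")]          # no GUID: the right applies to every attribute/child
    guid = str(object_type).lower()
    schema = SCHEMA_GUIDS.get(guid)
    right = CONTROL_ACCESS_RIGHTS.get(guid)
    kinds = []
    if mask & (ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP):
        if schema and schema[0] == "attribute":
            kinds.append(("attribute", schema[1]))
        if right and right[1] & 0x30:
            kinds.append(("property set", right[0]))
    if mask & (ADS_RIGHT_DS_CREATE_CHILD | ADS_RIGHT_DS_DELETE_CHILD) and schema and schema[0] == "class":
        kinds.append(("class", schema[1]))
    if mask & ADS_RIGHT_DS_CONTROL_ACCESS and right and right[1] & 0x100:
        kinds.append(("extended right", right[0]))
    if mask & ADS_RIGHT_DS_SELF and right and right[1] & 0x08:
        kinds.append(("validated write", right[0]))
    return kinds or [("unknown", guid)]


if __name__ == "__main__":
    ace = build_object_ace(ADS_RIGHT_DS_WRITE_PROP, "S-1-5-21-1-2-3-1108",
                           "77b5b886-944a-11d1-aebd-0000f80367c1")
    parsed = parse_object_ace(ace)
    print(parsed["trustee"], parsed["object_type"], classify(parsed["object_type"], parsed["mask"]))
```

The answer to the prefix question is therefore "no": the well-known base-schema GUIDs happen to share suffixes (`...-0de6-11d0-a285-00aa003049e2` for attributes and classes, `...-11d1-aebd-0000f80367c1` for several property sets), but custom attributes and custom property sets get arbitrary GUIDs, so the only reliable classification is the lookup.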


How to create and add a new user to existing group in Active Directory via Java client


I am a beginner and I am trying to implement a client in Java for Active Directory. I would like to create a new user and add it to AD. So far, I have written the following code:

import java.io.UnsupportedEncodingException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.Rdn;

public class NewUser {

    public static void main(String[] args) {
        try {
            NewUser user = new NewUser("aaa", "bbb", "ccc", "mypass", "orgunit");
            System.out.println(user.addUser());
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }

    private static final String DOMAIN_NAME = "xyz.xyz";
    // The base must be a distinguished name, not a DNS name: "abc.xyz.xyz" is what
    // Rfc2253Parser rejected with the InvalidNameException.
    private static final String DOMAIN_ROOT = "DC=abc,DC=xyz,DC=xyz";
    private static final String ADMIN_NAME = "CN=Administrator,CN=Users,DC=xyz,DC=xyz";
    private static final String ADMIN_PASS = "xxxxxxx";
    // Setting a password needs an encrypted session (ldaps://host:636 or StartTLS);
    // AD refuses unicodePwd writes over cleartext LDAP on port 389.
    private static final String DOMAIN_URL = "ldap://xxx.xxx.xx.xx:389";

    private static final String UF_NORMAL_ACCOUNT = "512";
    private static final String UF_NORMAL_ACCOUNT_DISABLED = "514"; // NORMAL_ACCOUNT | ACCOUNTDISABLE

    private String userName, firstName, lastName, password, organisationUnit;
    private LdapContext context;

    public NewUser(String userName, String firstName, String lastName,
                   String password, String organisationUnit) throws NamingException {

        this.userName = userName;
        this.firstName = firstName;
        this.lastName = lastName;
        this.password = password;
        this.organisationUnit = organisationUnit;

        Hashtable<String, String> env = new Hashtable<String, String>();

        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

        // Simple bind: the admin password travels in clear unless the URL is ldaps://.
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, ADMIN_NAME);
        env.put(Context.SECURITY_CREDENTIALS, ADMIN_PASS);

        // connect to my domain controller; let the caller see a connection failure
        // instead of continuing with a null context
        env.put(Context.PROVIDER_URL, DOMAIN_URL);
        this.context = new InitialLdapContext(env, null);
    }

    public boolean addUser() throws NamingException {

        // Create a container set of attributes
        Attributes container = new BasicAttributes();

        // Create the objectclass to add
        Attribute objClasses = new BasicAttribute("objectClass");
        objClasses.add("top");
        objClasses.add("person");
        objClasses.add("organizationalPerson");
        objClasses.add("user");

        // Assign the username, first name, and last name
        String cnValue = firstName + " " + lastName;
        container.put(objClasses);
        container.put(new BasicAttribute("cn", cnValue));
        container.put(new BasicAttribute("sAMAccountName", userName));
        container.put(new BasicAttribute("userPrincipalName", userName + "@" + DOMAIN_NAME));
        container.put(new BasicAttribute("givenName", firstName));
        container.put(new BasicAttribute("sn", lastName));
        container.put(new BasicAttribute("uid", userName));
        // Create the account disabled: AD does not accept an enabled account without a
        // password, and "userPassword" is not how AD takes one (see setPassword).
        container.put(new BasicAttribute("userAccountControl", UF_NORMAL_ACCOUNT_DISABLED));

        String userDn = getUserDN(cnValue, organisationUnit);

        // Create the entry, then set the password and enable the account
        try {
            context.createSubcontext(userDn, container);
            setPassword(userDn, password);
            return true;
        } catch (NamingException e) {
            e.printStackTrace();
            return false;
        } finally {
            context.close();
        }
    }

    // AD takes passwords through unicodePwd: the password in double quotes, encoded
    // as UTF-16LE, written over a TLS-protected connection.
    private void setPassword(String userDn, String newPassword) throws NamingException {
        byte[] quoted;
        try {
            quoted = ("\"" + newPassword + "\"").getBytes("UTF-16LE");
        } catch (UnsupportedEncodingException e) {
            throw new NamingException("UTF-16LE not supported: " + e.getMessage());
        }
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                                 new BasicAttribute("unicodePwd", quoted)),
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                                 new BasicAttribute("userAccountControl", UF_NORMAL_ACCOUNT))
        };
        context.modifyAttributes(userDn, mods);
    }

    private static String getUserDN(String cnValue, String ou) {
        // Rdn.escapeValue() escapes ',', '+', '"', '\', '<', '>' and ';' so that a
        // name containing them cannot change the shape of the DN.
        return "CN=" + Rdn.escapeValue(cnValue) + ",OU=" + Rdn.escapeValue(ou) + "," + DOMAIN_ROOT;
    }
}

And there is the following error:

javax.naming.InvalidNameException: Invalid name: cn=bbb ccc,ou=orgunit,abc.xyz.xyz; remaining name 'cn=bbb ccc,ou=orgunit,abc.xyz.xyz'
    at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:86)
    at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:49)
    at javax.naming.ldap.LdapName.parse(LdapName.java:772)
    at javax.naming.ldap.LdapName.<init>(LdapName.java:108)
    at com.sun.jndi.ldap.LdapCtx.addRdnAttributes(LdapCtx.java:902)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:783)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:178)
    at NewUser.addUser(NewUser.java:98)
    at NewUser.main(NewUser.java:17)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
false

Can anyone help me? I have spent a long time trying to fix it, but it still does not work.

Thank you in advance
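The exception in the post is the JNDI RFC 2253 parser refusing `abc.xyz.xyz`: a DN is a comma-separated list of `type=value` RDNs, so the DNS name has to become `DC=abc,DC=xyz,DC=xyz`. The same code has a second, quieter problem: `getUserDN()` concatenates the user's name straight into the DN, so a name containing a comma adds an RDN of the attacker's choosing. The following Python is an added example, not from the post (whose code is Java): it converts a DNS name to a DN, implements RFC 4514 value escaping, and shows the naive and hardened DN builders side by side against a constructed hostile last name, using a small escape-aware splitter to make the difference visible.

```python
# Characters RFC 4514 requires to be escaped anywhere in an RDN value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value for use inside an RDN (RFC 4514 section 2.4):
    the special characters above anywhere, '#' or space at the start, space at the end,
    and NUL as \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def dns_to_dn(domain):
    """'abc.xyz.xyz' -> 'DC=abc,DC=xyz,DC=xyz' (the value DOMAIN_ROOT needed)."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + escape_rdn_value(label) for label in labels)


def naive_user_dn(cn, ou, base_dn):
    """What the post's getUserDN() does: string concatenation, no escaping."""
    return "cn=" + cn + ",ou=" + ou + "," + base_dn


def user_dn(cn, ou, base_dn):
    """Hardened form: user-controlled name parts stay inside their own RDN value."""
    return "CN=" + escape_rdn_value(cn) + ",OU=" + escape_rdn_value(ou) + "," + base_dn


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


if __name__ == "__main__":
    base = dns_to_dn("abc.xyz.xyz")
    # Constructed hostile input: a "last name" that smuggles an extra RDN.
    hostile = "ccc,OU=Domain Controllers"
    print(split_dn(naive_user_dn("bbb " + hostile, "orgunit", base)))
    print(split_dn(user_dn("bbb " + hostile, "orgunit", base)))
```

In Java the equivalent of `escape_rdn_value` is `javax.naming.ldap.Rdn.escapeValue()`, which is what `getUserDN()` should wrap around both the CN and the OU.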

dcpromo remove dc failed


I'm banging my head against this one. I'm attempting to demote a DC. It does not hold any FSMO roles. During the demotion I get the following error:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          4/30/2013 3:46:22 PM
Event ID:      2091
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      CLEDC01.na.int-bn.com
Description:

Ownership of the following FSMO role is set to a server which is deleted or does not exist.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=int-bn,DC=com
FSMO Server DN: CN=NTDS Settings\0ADEL:2c0d9858-bc90-4f7b-855c-14679708327a,CN=BN01\0ADEL:6439b4e8-a515-4d76-abaf-420a6dcb8c8d,CN=Servers,CN=COL,CN=Sites,CN=Configuration,DC=int-bn,DC=com
 
User Action:
 
1. Determine which server should hold the role in question.
2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently.  If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">2091</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-30T19:46:22.183617700Z" />
    <EventRecordID>27955</EventRecordID>
    <Correlation />
    <Execution ProcessID="476" ThreadID="4040" />
    <Channel>Directory Service</Channel>
    <Computer>CLEDC01.na.int-bn.com</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>CN=Infrastructure,DC=ForestDnsZones,DC=int-bn,DC=com</Data>
    <Data>CN=NTDS Settings\0ADEL:2c0d9858-bc90-4f7b-855c-14679708327a,CN=BN01\0ADEL:6439b4e8-a515-4d76-abaf-420a6dcb8c8d,CN=Servers,CN=COL,CN=Sites,CN=Configuration,DC=int-bn,DC=com</Data>
  </EventData>
</Event>

The server in question is one that at one point was a DC but was demoted years before this DC was even joined to the domain. I have no issues demoting a 2003 DC; this seems to only happen on this, or maybe other, 2008 DCs.

I checked out this link http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/72640045-616b-4b6c-8fc4-e30dd8463402/ but I'm not sure of the best approach here. I'm not sure if I should try this script or just force-remove.

A netdom command shows that all the FSMO roles are current. Not sure what else to try to take this out gracefully.

Thanks

RS 
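Event 2091 names the role in its first Data element and the role owner's NTDS Settings DN in the second; the `\0ADEL:<objectGUID>` inside both RDNs of that owner DN is how AD rewrites the name of a tombstoned object, which is why netdom shows the five domain/forest roles as healthy while the per-partition Infrastructure Master of DC=ForestDnsZones still points at the long-deleted BN01. The following Python is an added example, not part of RS's post or of any Microsoft tool: it parses the Event XML from the post (embedded as a constructed sample), works out which role and partition the event is about, and extracts the deleted server's name and GUID from the owner DN so the role to seize, and where, is unambiguous.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Event XML from the post, trimmed to the elements used here.
EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">2091</EventID>
    <Computer>CLEDC01.na.int-bn.com</Computer>
  </System>
  <EventData>
    <Data>CN=Infrastructure,DC=ForestDnsZones,DC=int-bn,DC=com</Data>
    <Data>CN=NTDS Settings\0ADEL:2c0d9858-bc90-4f7b-855c-14679708327a,CN=BN01\0ADEL:6439b4e8-a515-4d76-abaf-420a6dcb8c8d,CN=Servers,CN=COL,CN=Sites,CN=Configuration,DC=int-bn,DC=com</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# A tombstoned object's RDN becomes "<name>\0ADEL:<objectGUID>".
DELETED_RDN = re.compile(r"CN=([^,\\]+)\\0ADEL:([0-9a-fA-F-]{36})")


def role_from_dn(role_dn):
    """Map the object that carries fSMORoleOwner to (role name, partition it governs)."""
    if role_dn.startswith("CN=Infrastructure,"):
        return "Infrastructure", role_dn.split(",", 1)[1]
    if role_dn.startswith("CN=RID Manager$,CN=System,"):
        return "RID", role_dn.split(",", 2)[2]
    if role_dn.startswith("CN=Schema,CN=Configuration,"):
        return "Schema", role_dn
    if role_dn.startswith("CN=Partitions,CN=Configuration,"):
        return "Domain Naming", role_dn
    return "PDC", role_dn        # the domain NC head itself holds the PDC emulator owner


def parse_event_2091(xml_text):
    root = ET.fromstring(xml_text)
    data = [d.text for d in root.findall("e:EventData/e:Data", NS)]
    role_dn, owner_dn = data[0], data[1]
    role, partition = role_from_dn(role_dn)
    deleted = DELETED_RDN.findall(owner_dn)
    finding = {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "computer": root.find("e:System/e:Computer", NS).text,
        "role": role,
        "partition": partition,
        "owner_dn": owner_dn,
        "owner_deleted": bool(deleted),
    }
    if deleted:
        # First match is the NTDS Settings object, the last one the server object itself.
        finding["deleted_server"] = deleted[-1][0]
        finding["deleted_server_guid"] = deleted[-1][1].lower()
    else:
        finding["owner_server"] = owner_dn.split(",")[1][3:]
    return finding


if __name__ == "__main__":
    for key, value in parse_event_2091(EVENT_XML).items():
        print("%-20s %s" % (key, value))
```

The finding says the role to fix is the Infrastructure Master of the application partition DC=ForestDnsZones,DC=int-bn,DC=com and that its owner is the tombstone of BN01, which is the case the event's own User Action covers under "transfer or seize the role"; it is a different object from the domain-level Infrastructure Master that `netdom query fsmo` reports, which is why netdom looks clean.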

How to recover an AD without having any backup - and the only DC is gone


Hi everybody. So this is the scenario. The only DC (Windows 2008) is gone, definitely: a RAID 5 array with two broken disks, at the same time.

We have backups of all important data, but not a single backup of the system state or anything about AD.

Now I have 10 client machines (all joined to the domain) and a new server is coming on Thursday. But how do I do it, fast and secure?

I know I cannot simply set up the new machine with the same name, domain and AD name, because it won't work.

What else can I do?

Thank you!


Event ID 10154

I receive event ID 10154, "the WinRM service failed to create the following SPNs: wsman", on several servers in my domain. The event shows up on domain controllers and member servers. I have seen several solutions for this warning; however, my question is whether I should try to resolve this. The event only happens after the server has been rebooted. The domain controllers are running Server 2008 SP2, and all the other member servers are running Server 2008 SP2, except for one which is running Server 2008 R2 SP1. The domain functional level is 2003.

AD FS Server Placement

Hello

Can anyone tell me if AD FS server and AD FS Proxy server 2.0 can be co-located on another server, or must it be installed on its own server?

Is there an official MS link to the answer as I cannot seem to find one?

Thanks 

DFSRDIAG - Problem running command

Hi!

When I run dfsrdiag on my Windows 2008 R2 SP1, I get the following:

DFSRDIAG - <Missing String>
  SyncNow           - <Missing String>
  StopNow           - <Missing String>
  PollAD            - <Missing String>
  DumpAdCfg         - <Missing String>
  DumpMachineCfg    - <Missing String>
  StaticRPC         - <Missing String>
  Backlog           - <Missing String>
  GUID2NAME         - <Missing String>
  PropagationTest   - <Missing String>
  PropagationReport - <Missing String>
  FileHash          - <Missing String>
  IDRecord          - <Missing String>
  ReplicationState  - <Missing String>

 

If I run the same command on a working server, it returns:

DFSRDIAG - DFS Replication operational and diagnostics command line utility
  SyncNow           - Forces replication over a given connection; ignore
                      schedule for n minutes
  StopNow           - Stop replication over a given connection; ignore
                      schedule for n minutes
  PollAD            - Trigger a sync with the global information store in
                      Active Directory Domain Services
  DumpAdCfg         - Dump AD configuration settings pertaining to a certain
                      member
  DumpMachineCfg    - Dump service-wide configuration of a given server
                      hosting the DFS Replication service
  StaticRPC         - Set static RPC port for DFS Replication
  Backlog           - Display the backlog of replication data to send from
                      one replication group member to another replication
                      group member
  GUID2NAME         - Translate GUIDs to user friendly names
  PropagationTest   - Test replication progress by dropping a test file under
                      replicated folder
  PropagationReport - Generate a tracking report for the replication progress
                      of the propagation test file
  FileHash          - Displays a hash value identical to that computed by the
                      DFS Replication service for the specified file or
                      folder
  IDRecord          - Displays the contents of a replicated file's ID record
  ReplicationState  - Displays the updates that are currently being
                      transferred on inbound and outbound connections

Does anybody know how I can fix it, please?

regards,

Marcos


Marcos Chamma Brazil

ldp - bind with credentials fails on instance of AD LDS

I have a stand alone instance of LDS running on a machine that is not part of a domain.  I am running ldp.exe on the same machine.  When I use ldp.exe to do a simple bind with credentials (using my DN), I get the following error:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3

{NtAuthIdentity: User='CN=MrX,CN=Users,O=Microsoft,C=US'; Pwd=<unavailable>; domain = ''}

Error <82>: ldap_bind_s() failed: Local Error.

Server error:

Also, the Bind dialog box does ask for a domain which I leave blank because the machine is not on a domain.

-----------

If I try to do a simple bind with credentials (using the name of the user, MrX) I get the following error:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3

{NtAuthIdentity: User='MrX'; Pwd=<unavailable>; domain = ''}

Error <49>: ldap_bind_s() failed: Invalid Credentials.

Server error: 80090308: LdapErr: DSID-0C0904D0, comment: AcceptSecurityContext error, data 57, v1db0

Error 0x80090308 The token supplied to the function is invalid

-----------

I can do a simple bind without a pw for a successful anonymous login.

I can do a simple bind with a pw  for a successful authentication as my DN.

How can I bind with credentials? And how is this different from a simple bind (where I also enter a pw)?

Thanks

clarification of how to configure a firewall for an external trust relationship

See last paragraph for main question...
This article http://support.microsoft.com/kb/179442#method2 lists the ports that need to be open "for domains and trusts", but it's not clear to me which machines need to access which services. Take, for example, domainA.net on network A with an outgoing one-way external trust to domainB.net on network B, the networks separated by a firewall. Even if I identify which of the mentioned services is running on each domain controller and each resource-hosting machine on network/domain A (trusting domain), which computers in network/domain B need to access those services?

I can understand that if I have a file share in domain A, I need to create a firewall allowance inbound to ShareHost.DomainA.net 445/TCP from any computer in network B 1024-65535/TCP. But to access that file share, which computers need to also access a domain controller, and which ports/services on the domain controller? Does my sharing host need to access the domain controllers on DomainB.net in order to set up permissions for users there and service file requests?

Even just talking about domain controllers, I wouldn't think that I should need to allow anything from network B to access port 445/TCP on any domain controller of domain A, right? What about the other services? (assuming servers could be Windows Server 2003/R2 or Server 2008 R2 and clients could be those server versions or Windows XP or 7)
W32Time - no
RPC Endpoint Mapper - ?
kerberos password change - no?
RPC for LSA, SAM, Netlogon - just domain controllers on domain B or all computers?
LDAP - just domain controllers on domain B or all computers?
LDAP GC - just domain controllers on domain B or all computers?
DNS - I guess I can just restrict that to other DNS servers and use recursion anyway
FRS RPC - file replication service, that won't be needed by anything
Kerberos - ?
DFSR RPC - no
FRS RPC - no

So, does anyone have any suggestions here? Is that article really going to help me or do I need to know the intimate details of every protocol and interaction in order to configure a firewall? How is this usually done? Just allow anything of port 1024 and up to access anything in both directions and allow anything going to the other ports to the servers hosting those services from anything?

Thanks to anyone who can make this simple.

Windows server 2012 active directory replication

Hello,

I have 2 Windows 2012 servers with Active Directory replication.

Server A is the parent server.

Server B is the secondary server (gets updates from server A).

So my question is: if server A dies due to hardware failure or whatever the reason, am I going to lose Active Directory info like users etc.? Or can I transfer all the info from server B to server A? I think I will lose everything from server B because server B replicates info from server A, and if server A has brand new data then server B will also have brand new data?

Please advise me.

Thanks

Rename Rootless Forest?

I am looking for information on renaming (or migrating) from a rootless forest. I have a client with a root forest simply called "domain" instead of "domain.local".
All FQDNs are then formed server1.domain, server2.domain and so on. Can I rename the root forest to "domain.local", or will this require a domain migration to a forest that was set up with a proper root domain name? There are no subdomains, just one forest that is the single DNS and AD domain.


Cannot determine cause of Event ID 7062

I've been having a problem for quite some time with multiple Event 7062 errors and cannot determine what I've done to cause the problem.  I've searched through the forums but I'm obviously missing something.  I'm stuck and could really use some help.

My setup is pretty simple: 1 domain, 2 domain controllers running Windows Server 2008 R2 Enterprise

Error Details:
Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          4/30/2013 7:31:35 AM
Event ID:      7062
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      asdstldc1.asdsoftware.com
Description:
The DNS server encountered a packet addressed to itself on IP address 192.168.0.34. The packet is for the DNS name "asdsoftware.com.". The packet will be discarded. This condition usually indicates a configuration error.
 
Check the following areas for possible self-send configuration errors:
  1) Forwarders list. (DNS servers should not forward to themselves).
  2) Master lists of secondary zones.
  3) Notify lists of primary zones.
  4) Delegations of subzones.  Must not contain NS record for this DNS server unless subzone is also on this server.
  5) Root hints.
 
Example of self-delegation:
  -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com.
  -> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com,
  (bar.example.microsoft.com NS dns1.example.microsoft.com)
  -> BUT the bar.example.microsoft.com zone is NOT on this server.
 
Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result.  If found, the subzone DNS server admin should remove the offending NS record.
 
You can use the DNS server debug logging facility to track down the cause of this problem.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
    <EventID Qualifiers="32768">7062</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-30T12:31:35.000000000Z" />
    <EventRecordID>2824</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>DNS Server</Channel>
    <Computer>asdstldc1.asdsoftware.com</Computer>
    <Security />
  </System>
  <EventData Name="DNS_EVENT_SELF_SEND">
    <Data Name="param1">192.168.0.34</Data>
    <Data Name="param2">asdsoftware.com.</Data>
    <Binary>50250000</Binary>
  </EventData>
</Event>

IP Config Information:
C:\Users\asd_admin>ipconfig /allcompartments /all

Windows IP Configuration


==============================================================================
Network Information for Compartment 1 (ACTIVE)
==============================================================================
   Host Name . . . . . . . . . . . . : asdstldc1
   Primary Dns Suffix  . . . . . . . : asdsoftware.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : asdsoftware.com

Ethernet adapter Local Area Connection 4:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #86
   Physical Address. . . . . . . . . : 00-19-B9-ED-6D-76
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::fd52:e3bb:47b2:221f%16(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.34(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.238
   DHCPv6 IAID . . . . . . . . . . . : 369105337
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-C4-03-7A-00-19-B9-ED-6D-74
   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.0.34
                                       192.168.0.37
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{76AA76EB-8820-41E1-B1E1-9CFBA0A3290F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

DCDIAG Results:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine asdstldc1, is a Directory Server.
   Home Server = asdstldc1

   * Connecting to directory service on server asdstldc1.

   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=ASDSTL,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=ASDSTLDC1,CN=Servers,CN=ASDSTL,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=ASDSTLDC3,CN=Servers,CN=ASDSTL,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 2 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

  
   Testing server: ASDSTL\ASDSTLDC1

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... ASDSTLDC1 passed test Connectivity

 

Doing primary tests

  
   Testing server: ASDSTL\ASDSTLDC1

      Starting test: Advertising

         The DC ASDSTLDC1 is advertising itself as a DC and having a DS.
         The DC ASDSTLDC1 is advertising as an LDAP server
         The DC ASDSTLDC1 is advertising as having a writeable directory
         The DC ASDSTLDC1 is advertising as a Key Distribution Center
         The DC ASDSTLDC1 is advertising as a time server
         The DS ASDSTLDC1 is advertising as a GC.
         ......................... ASDSTLDC1 passed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test
         ......................... ASDSTLDC1 passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log.
         Skip the test because the server is running FRS.

         ......................... ASDSTLDC1 passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... ASDSTLDC1 passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... ASDSTLDC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=ASDSTLDC3,CN=Servers,CN=ASDSTL,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=ASDSTLDC3,CN=Servers,CN=ASDSTL,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=ASDSTLDC3,CN=Servers,CN=ASDSTL,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=ASDSTLDC3,CN=Servers,CN=ASDSTL,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=ASDSTLDC3,CN=Servers,CN=ASDSTL,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com
         ......................... ASDSTLDC1 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC ASDSTLDC1 on DC ASDSTLDC1.
         * SPN found :LDAP/asdstldc1.asdsoftware.com/asdsoftware.com
         * SPN found :LDAP/asdstldc1.asdsoftware.com
         * SPN found :LDAP/ASDSTLDC1
         * SPN found :LDAP/asdstldc1.asdsoftware.com/ASD_NT
         * SPN found :LDAP/2cb07e4d-a57b-479b-8183-f4d9b2ca44a0._msdcs.asdsoftware.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/2cb07e4d-a57b-479b-8183-f4d9b2ca44a0/asdsoftware.com
         * SPN found :HOST/asdstldc1.asdsoftware.com/asdsoftware.com
         * SPN found :HOST/asdstldc1.asdsoftware.com
         * SPN found :HOST/ASDSTLDC1
         * SPN found :HOST/asdstldc1.asdsoftware.com/ASD_NT
         * SPN found :GC/asdstldc1.asdsoftware.com/asdsoftware.com
         ......................... ASDSTLDC1 passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC ASDSTLDC1.
         * Security Permissions Check for

           DC=DomainDnsZones,DC=asdsoftware,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=ForestDnsZones,DC=asdsoftware,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=asdsoftware,DC=com
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=asdsoftware,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=asdsoftware,DC=com
            (Domain,Version 3)
         ......................... ASDSTLDC1 passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\ASDSTLDC1\netlogon
         Verified share \\ASDSTLDC1\sysvol
         ......................... ASDSTLDC1 passed test NetLogons

      Starting test: ObjectsReplicated

         ASDSTLDC1 is in domain DC=asdsoftware,DC=com
         Checking for CN=ASDSTLDC1,OU=Domain Controllers,DC=asdsoftware,DC=com in domain DC=asdsoftware,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=ASDSTLDC1,CN=Servers,CN=ASDSTL,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com in domain CN=Configuration,DC=asdsoftware,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... ASDSTLDC1 passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=DomainDnsZones,DC=asdsoftware,DC=com
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=ForestDnsZones,DC=asdsoftware,DC=com
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Schema,CN=Configuration,DC=asdsoftware,DC=com
               Latency information for 10 entries in the vector were ignored.
                  10 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=asdsoftware,DC=com
               Latency information for 10 entries in the vector were ignored.
                  10 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=asdsoftware,DC=com
               Latency information for 10 entries in the vector were ignored.
                  10 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
         ......................... ASDSTLDC1 passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 8109 to 1073741823
         * ASDSTLDC3.asdsoftware.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4609 to 5108
         * rIDPreviousAllocationPool is 4609 to 5108
         * rIDNextRID: 4673
         ......................... ASDSTLDC1 passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
            Invalid service type: w32time on ASDSTLDC1, current value

            WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS

         * Checking Service: NETLOGON
         ......................... ASDSTLDC1 failed test Services

      Starting test: SystemLog

         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... ASDSTLDC1 passed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=ASDSTLDC1,OU=Domain Controllers,DC=asdsoftware,DC=com and backlink

         on

         CN=ASDSTLDC1,CN=Servers,CN=ASDSTL,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com

         are correct.
         The system object reference (serverReferenceBL)

         CN=WIN-8M339CI5M1I,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=asdsoftware,DC=com

         and backlink on

         CN=NTDS Settings,CN=ASDSTLDC1,CN=Servers,CN=ASDSTL,CN=Sites,CN=Configuration,DC=asdsoftware,DC=com

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=WIN-8M339CI5M1I,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=asdsoftware,DC=com

         and backlink on

         CN=ASDSTLDC1,OU=Domain Controllers,DC=asdsoftware,DC=com are correct.
         ......................... ASDSTLDC1 passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

  
      Test omitted by user request: DNS

      Test omitted by user request: DNS

  
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

  
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

  
   Running partition tests on : asdsoftware

      Starting test: CheckSDRefDom

         ......................... asdsoftware passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... asdsoftware passed test CrossRefValidation

  
   Running enterprise tests on : asdsoftware.com

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\asdstldc1.asdsoftware.com

         Locator Flags: 0xe00033fc
         PDC Name: \\ASDSTLDC3.asdsoftware.com
         Locator Flags: 0xe00031f9
         Time Server Name: \\asdstldc1.asdsoftware.com
         Locator Flags: 0xe00033fc
         Preferred Time Server Name: \\asdstldc1.asdsoftware.com
         Locator Flags: 0xe00033fc
         KDC Name: \\asdstldc1.asdsoftware.com
         Locator Flags: 0xe00033fc
         ......................... asdsoftware.com passed test LocatorCheck

      Starting test: Intersite

         Skipping site ASDSTL, this site is outside the scope provided by the

         command line arguments provided.
         ......................... asdsoftware.com passed test Intersite

 

Please let me know if there are any additional details/tests that I can provide. I greatly appreciate your time,

John

After disabling LM and NTLM via GPO had mass account lockouts, rolled back but need help understanding why

Hi All

We have a Windows 2008 R2 domain. We configured a GPO to apply to all PCs / servers and DCs to configure the below, as we had a penetration test done and this was advised:

Network security: LAN Manager authentication level to Send NTLMv2 response only\refuse LM & NTLM

We did an audit and only saw a couple of servers that would be affected, so we mitigated that; however, when we actually rolled this out we had over 1000 account lockouts constantly from people using Windows XP SP3.

We eventually rolled back and got back to stable service levels; however, now we are looking at why this happened. So far we believe it's due to external trust relationships. We have multiple customers on our domain as we are a shared service, and it seems the only customers that were impacted were the 2 who access resources in a trusting domain: one customer has Exchange mailboxes in a legacy Exchange 2003 domain and another just accesses flat data in another domain.

My main questions are -

If the trusts are external trusts, do you have to use LM and NTLM or can you solely use NTLMv2?

If users on Windows 7 machines were able to access resources over trusts fine, then what's the difference with Windows XP SP3?

Thanks
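The policy named in this post maps to the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel, and a client at a level below 3 never sends an NTLMv2 response, so a server set to 5 (refuse LM & NTLM) rejects it. The script below is an added example, not code from the thread: it reads that value from every enabled computer account and flags the hosts that would be refused, so the audit can be repeated before re-applying the GPO. It assumes the ActiveDirectory module (RSAT) and WinRM/PowerShell remoting to the targets, and the output file name is a placeholder. The OS defaults used for hosts where the value is absent (XP: 0, Server 2003: 2, Vista/2008 and later: 3) are Microsoft's documented defaults for that policy.

```powershell
# Added example, not from the thread: audit the effective "LAN Manager authentication
# level" on domain computers before refusing LM and NTLM via GPO. Assumes the
# ActiveDirectory module (RSAT) and WinRM/PowerShell remoting to the targets.
Import-Module ActiveDirectory

# Documented values of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only / refuse LM'
    5 = 'Send NTLMv2 response only / refuse LM & NTLM'
}

function Get-LmCompatibilityReport {
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    # Read the raw registry value on each host; hosts that do not answer are skipped.
    $raw = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            OS       = (Get-WmiObject -Class Win32_OperatingSystem).Caption
            Level    = $lsa.LmCompatibilityLevel   # $null when the value is absent
        }
    }

    foreach ($r in $raw) {
        if ($null -eq $r.Level) {
            # Value absent: the OS default applies (XP: 0, Server 2003: 2, Vista/2008 and later: 3).
            $level   = 'not set (OS default)'
            $meaning = 'OS default'
            $breaks  = [bool]($r.OS -match 'XP|2003')
        } else {
            $level   = [int]$r.Level
            $meaning = $LevelNames[$level]
            $breaks  = $level -lt 3               # levels 0-2 never send NTLMv2
        }
        [pscustomobject]@{
            Computer        = $r.Computer
            OS              = $r.OS
            Level           = $level
            Meaning         = $meaning
            RefusedAtLevel5 = $breaks
        }
    }
}

# Audit every enabled computer account and write the result for review (placeholder path).
$names = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name
Get-LmCompatibilityReport -ComputerName $names |
    Sort-Object RefusedAtLevel5 -Descending |
    Export-Csv -Path .\LmCompatibility-audit.csv -NoTypeInformation
```

Hosts that do not respond to remoting (older XP builds without WinRM, or machines that are off) simply do not appear in the CSV, so compare the row count against the computer list before treating the audit as complete. The value read here is the local effective setting; a GPO that sets the policy writes the same registry value, so the report reflects policy as applied, not as intended.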

Amending existing User Account Attributes...

Hi,

I have been asked to create an automated process to update Active Directory user attributes with data from the Oracle HR database.

I've successfully dumped out the Oracle information to CSV format and the Active Directory to CSV. I've also managed to perform a VLOOKUP to merge the two to make a master file ready for the import. The issue I'm having is getting the master CSV imported into AD so we can update certain attributes (title, EmployeeID, telephone etc.).

I know that I cannot use CSVDE and LDIFDE to amend EXISTING user accounts, so I've started looking at PowerShell to facilitate the import. I am still struggling to get the data import done... I've noticed that the Quest cmdlet "QAD-USER" may be able to update existing User objects in AD. Does anyone have experience of using QAD-USER (or any other process) for importing and overwriting user account attributes in AD from a source CSV file?
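One way to do the update step with the built-in ActiveDirectory module instead of the Quest cmdlets, as an added example that is not code from the thread: Import-Csv reads the merged file, and Set-ADUser writes only the attributes that are present in the row and actually differ from what AD holds. It assumes the CSV has the hypothetical columns sAMAccountName, Title, EmployeeID, OfficePhone and Department; the file path is a placeholder.

```powershell
# Added example, not from the thread: update existing AD user attributes from a merged CSV.
# Assumes the ActiveDirectory module (RSAT) and a CSV with the hypothetical columns
# sAMAccountName,Title,EmployeeID,OfficePhone,Department.
Import-Module ActiveDirectory

function Update-UserFromCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $WhatIf                      # dry run: report changes without writing them
    )
    $attributes = 'Title', 'EmployeeID', 'OfficePhone', 'Department'

    foreach ($row in Import-Csv -Path $Path) {
        # Identity accepts a sAMAccountName; a missing account returns $null instead of throwing.
        $user = Get-ADUser -Identity $row.sAMAccountName -Properties $attributes -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "No AD account for '$($row.sAMAccountName)'; skipping"
            continue
        }

        # Collect only the attributes that are filled in the CSV and differ from AD.
        $changes = @{}
        foreach ($attr in $attributes) {
            $new = $row.$attr
            if ([string]::IsNullOrWhiteSpace($new)) { continue }   # blank cell: leave AD as-is
            if ([string]$user.$attr -ne $new) { $changes[$attr] = $new }
        }
        if ($changes.Count -eq 0) { continue }

        # Each key of $changes is a Set-ADUser parameter name, so splat the hashtable.
        Set-ADUser -Identity $user.DistinguishedName @changes -WhatIf:$WhatIf

        [pscustomobject]@{
            Account = $user.SamAccountName
            Changed = ($changes.Keys -join ', ')
        }
    }
}

# First pass with -WhatIf shows what would change; drop the switch to apply (placeholder path).
Update-UserFromCsv -Path .\master.csv -WhatIf | Format-Table -AutoSize
```

Running with -WhatIf first is the practical safeguard here: the per-account output lists which attributes would be touched, so an HR export with a shifted column or an empty field shows up as an unexpected change list rather than as overwritten directory data.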

Configuring MEMBER SERVER

This is ABDUL MATEEN,

I am using VMware-workstation-6.0.4-93057. In that I installed two virtual machines; I can communicate between the two machines with the PING command. When I am going to configure the MEMBER SERVER, it is asking for PHYSICAL CONNECTIVITY. What I am asking is how to clear this error and how to configure it. Please give me a response as soon as possible.

Thanking you,

Regards ,

ABDUL MATEEN,

HYDERABAD.

PH: 9440229202.....

Group membership and memberof information

Hey Folks,

I know how to get the membership information of a security group from Active Directory. What I am looking for is a script that will query a particular OU, get all the security groups in Active Directory, report the members and memberOf information of each security group and export it into an Excel sheet.

The script below will report the members information but not the memberOf information:

Import-Module ActiveDirectory
# Collect every group whose DN places it under an OU named ROLES, then list each group's direct members.
$a = Get-ADGroup -Filter '*' | Where-Object { $_.DistinguishedName -like "*,OU=ROLES,*" }

$a | ForEach-Object { $_.Name; Get-ADGroupMember $_.Name }
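The memberOf side is just an attribute on the group object, so it can be requested with -Properties and written into the same row as the members. The script below is an added example, not code from the thread: it scopes the query to an OU with -SearchBase (server-side, instead of filtering the DN after the fact), resolves both directions of membership, and writes one row per group that Excel opens directly. The OU path and output file are placeholders.

```powershell
# Added example, not from the thread: for every group under a given OU, export both its
# direct members and the groups it belongs to (memberOf) as one CSV row per group.
# Assumes the ActiveDirectory module (RSAT); the OU path below is a placeholder.
Import-Module ActiveDirectory

function Get-GroupMembershipReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase   # e.g. "OU=ROLES,DC=example,DC=com"
    )
    # -SearchBase limits the query to the OU on the server side; memberOf must be asked for explicitly.
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties MemberOf, Description |
        ForEach-Object {
            $group = $_

            # Direct members of the group (users, computers and nested groups).
            $members = Get-ADGroupMember -Identity $group.DistinguishedName |
                ForEach-Object { $_.SamAccountName }

            # Groups this group is itself a member of; memberOf holds DNs, so resolve them to names.
            $parents = foreach ($dn in $group.MemberOf) { (Get-ADGroup -Identity $dn).Name }

            [pscustomobject]@{
                Group       = $group.Name
                Scope       = $group.GroupScope
                Description = $group.Description
                Members     = ($members -join '; ')
                MemberOf    = ($parents -join '; ')
            }
        }
}

# Placeholder OU and output path; Excel opens the resulting CSV directly.
Get-GroupMembershipReport -SearchBase 'OU=ROLES,DC=example,DC=com' |
    Export-Csv -Path .\group-membership.csv -NoTypeInformation -Encoding UTF8
```

Two caveats worth knowing before relying on the report: Get-ADGroupMember lists direct members only (add -Recursive to expand nested groups into their end users), and the AD web service refuses to enumerate a single group with more than 5000 members by default, so a very large group will produce an error rather than a truncated row.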
