Channel: Directory Services forum

DFSR not working Event_ID 6104


So I am setting up a new AD server to replace an existing one, but I am having problems getting it to sync so I can turn the old server off.

Event viewer has:

The DFS Replication service failed to register the WMI providers. Replication is disabled until the problem is resolved.

Additional Information:
Error: 2147749889 (1001)

Please note I have already tried to mofcomp and regsvr32 the things in system32\wbem, and this has not helped in any way; the exact same error is in Event Viewer.

Domain Controller 2016 priority not working


Hi Support,

We have some Windows 2008R2 DCs and are promoting Windows 2016 DCs. We configured "LdapSrvPriority" in the registry so that users will not contact the target DC. It works on the Windows 2008R2 DCs: users only contact the priority 0 (by default) DCs; they will not contact the higher-value DC.

After we promoted a Windows 2016 DC and configured the same setting, we found that users still connect to the new 2016 DC. We checked that the values are already updated in DNS.

Is the priority setting not available on Windows 2016 DCs?

Thanks

Chong  


Steps to give permissions to a domain user to read Security, System and DNS logs of Windows 2012 servers


Hi All,

I need to know the basic and simple steps to give permissions to a domain user, which we are using for our ArcSight connector, to read logs from the Event Viewer of Windows servers. We need to read the Security, System and DNS diagnostic logs. DNS diagnostic (Analytical) logs have been enabled on the server and the logs are visible in Event Viewer.

Please help with some document or link which shows the necessary steps to be followed in order to read the above logs (especially the DNS diagnostic logs) from Event Viewer.

Thanks in Advance.

Regards,

Mitesh Agrawal
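One least-privilege way to do this, as an added example that is not from the post or from ArcSight's documentation: put the collector account in the local Event Log Readers group (which already has read on the default Security and System channel ACLs) and append a read-only ACE to the DNS Server analytical channel's SDDL with wevtutil. The account name is a placeholder; run this elevated on each server the connector reads from.

```powershell
# Added example: read-only event log access for a SIEM collector account.
# Run in an elevated PowerShell on each server that the connector reads from.
$Collector = 'CONTOSO\svc-arcsight'   # placeholder account name; replace with the connector's account

# Event Log Readers (built-in, S-1-5-32-573) carries read (0x1) on the default
# Security and System channel ACLs, so membership covers those two logs.
net localgroup "Event Log Readers" $Collector /add

# The DNS Server analytical channel is a direct (ETW) channel with its own ACL, so the
# account is granted explicitly there. Channel ACLs are SDDL strings; an ACE needs the SID.
$sid = ([System.Security.Principal.NTAccount]$Collector).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Grant-ChannelRead {
    param([string]$Channel, [string]$Sid)
    # "wevtutil gl" prints one "channelAccess: <SDDL>" line; keep only the SDDL.
    $sddl = (wevtutil gl $Channel | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', ''
    if ($sddl -match [regex]::Escape($Sid)) { return "already granted on $Channel" }
    # Append an allow ACE with access mask 0x1 (read) only; 0x2 (write) and 0x4 (clear) are not granted.
    $newSddl = $sddl + "(A;;0x1;;;$Sid)"
    # Settings on a direct channel can only be changed while it is disabled; re-enable it
    # afterwards so the diagnostic events keep flowing.
    wevtutil sl $Channel /e:false
    wevtutil sl $Channel /ca:$newSddl
    wevtutil sl $Channel /e:true
    return "granted read on $Channel"
}

Grant-ChannelRead -Channel 'Microsoft-Windows-DNSServer/Analytical' -Sid $sid

# Verify: the collector's SID should now appear in the channel ACL.
wevtutil gl 'Microsoft-Windows-DNSServer/Analytical' | Select-String channelAccess
```

This only covers the local read permission on the channels; a connector that reads remotely over RPC/WMI additionally needs the corresponding remote-access rights and firewall rules on the server.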

ADC keep asking to promote with PDC Error determining whether the target server is already a domain controller


Hi All,

I am having an issue after I added an ADC to my existing PDC. This issue started after I added the Active Directory Domain Services role, then clicked "Promote this server to a domain controller", selected "Add a domain controller to an existing domain", and specified my domain information and global admin account.

Then the server rebooted, but in Server Manager the "Promote this server to a domain controller" alert is still there!

"Error determining whether the target server is already a domain controller, the domain controller promotion completed, but the server is not advertising as a domain controller."

I have done multiple reboots and it's not going away. I can see 2 domain controllers in the Domain Controllers OU, and when I disable any user account, the 2nd server automatically gets the update.

I have seen many posts suggesting to proceed with this error, click Cancel, and reboot the server, after which the issue may go away automatically; unfortunately in my case this didn't happen.

Here are my settings, briefly:

My PDC settings:

IP: 192.168.55.2
Mask: 255.255.255.0
Default gateway: 192.168.55.5
DNS1: 127.0.0.1
DNS2: 192.168.55.3
It's Windows Server 2012 Standard.

My ADC:

IP: 192.168.55.3
Mask: 255.255.255.0
Default gateway: 192.168.55.5
DNS1: 127.0.0.1
DNS2: 192.168.55.2
Windows Server 2016 Standard

FFL: Windows Server 2008
DFL: Windows Server 2008

Any reply or help would be highly appreciated.


System proxy setting set to false at random interval


I have enabled my proxy (for the work environment), but since a couple of weeks ago it has been disabling the proxy at random intervals. This happens quite a lot during the day.

I have looked at the Event log and found that Applications and Services Logs > Microsoft > Windows > WinHttp > ProxyConfigChanged logs these changes. However, there is not enough information for me to determine what is causing this.

All the log entries in the Event log say:

The description for Event ID 5600 from source Microsoft-Windows-WinINet-Config cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

So I am stuck pinpointing why the proxy keeps disabling. Does anyone have any clue on where to start looking further?

Group Policy Preferences Regional Settings - Regional format Unknown Locale


Hi all,

We have a problem with GPO Regional settings. The DC servers are Windows Server 2016 Standard, all workstations are Windows 10 Pro. We need to change the Regional format; we make the changes in the GPO and force a policy update, but on the workstation side the Regional format is Unknown locale: Regional format > Current format: Unknown Locale (sr-RS)

We have Dynamics NAV, and need this setting. If we change it manually (Regional format > Current format: Serbian (Latin, Serbia)), we don't have a problem.

Maybe the problem is the 'format': Windows 10 needs this one: sr-latn-RS, not sr-RS. Any ideas how to resolve this?

TNX

BSOD STOP: c00002e2 Error Status: 0xc000007a windows server 2008 sp2


Hello Happy New Year to all!

My question has been asked before but the solutions do not apply to my problem, or at least they do not solve it.

I have a former domain controller that was demoted, and it generated more headaches than solutions. I get the blue screen with error c00002e2 and error status 0xc000007a, and I can only access it through DSRM mode. In the summary of installed roles there are DNS Server and Active Directory Domain Controller, both with a red X, which makes me presume that it was not a clean dcpromo; the NTDS folder and its content are missing (they do not exist in the Windows directory), but in the Windows registry all the NTDS parameters appear.

It is not feasible to format the disk and install everything from scratch: the previous IT manager had the great idea of installing SQL Server and PLC drivers for robots on the same server, not to mention data collection services for wireless remote desktop users, among other things.

The DISM tool does not recognize it because it is Windows Server 2008.
Uninstalling the roles in both cases gives me an error.
What else can I try to bring the server back up?
I'll be waiting for your answers.

Thank you in advance for your attention.

Valter


ADMT database purge


Hi,

I use ADMT to synchronize my production AD to a test AD.
I run ADMT tasks every day.

I understand that this database stores information about users and groups.
But it also stores information about the executed tasks.

And I would like to purge this information about tasks.

I didn't find any SQL script for that!

Thank you for your help.

Ludovic.


repadmin /replsummary error 1726


Hi all,

Every day, to check the health of the DCs, I use the command "repadmin /replsummary", and everything is okay with no failures. One day, I updated Windows and restarted; after I ran "repadmin /replsummary" again, I got some errors:

Source DSA          largest delta    fails/total %%   error
 SRV1-HANU              21h:27m:30s    6 /  16   37  (1726) The remote procedure call failed.
 SRV1-ROOT                 59m:38s    0 /  14    0
 SRV2-HANU                  59m:38s    0 /  10    0
 SRV2-ROOT                 59m:38s    0 /  14    0


Destination DSA     largest delta    fails/total %%   error
 RODC-HSC                  59m:57s    0 /  20    0
 SRV1-ROOT                 11m:20s    0 /  10    0
 SRV2-HANU              21h:27m:50s    6 /  14   42  (1726) The remote procedure call failed.
 SRV2-ROOT                 12m:18s    0 /  10    0


Experienced the following operational errors trying to retrieve replication information:
          58 - SRV1-HANU.north.vbsp.vn

Please check for me.

Thanks!
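As an added example (not part of the post), a small PowerShell filter that turns the "repadmin /replsummary" text above into objects for only the DCs with problems, so a daily check can alert on the (1726) rows and on the operational-error line instead of relying on reading the table by eye. The sample input is constructed from the output quoted above; with live data, pipe the command output into the function.

```powershell
# Added example: parse "repadmin /replsummary" text and return only the problem rows.
# Live usage:  repadmin /replsummary | Get-ReplSummaryFailures
function Get-ReplSummaryFailures {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)][string[]]$InputLine)
    begin {
        $section = $null
        # A summary row: DSA name, largest delta, fails / total, percent, optional "(code) message".
        $row = '^\s*(?<dsa>\S+)\s+(?<delta>\S+(?:\s+days)?)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s*(?:\((?<code>\d+)\)\s*(?<msg>.*?))?\s*$'
    }
    process {
        foreach ($line in $InputLine) {
            # Section headers tell us whether the row is the source or the destination side.
            if ($line -match '^(Source|Destination) DSA') { $section = $Matches[1]; continue }
            if ($line -match '^Experienced the following operational errors') { $section = 'Operational'; continue }
            if ($section -eq 'Operational' -and $line -match '^\s*(?<code>\d+)\s*-\s*(?<dsa>\S+)') {
                # e.g. "58 - SRV1-HANU.north.vbsp.vn": repadmin could not query this DC at all
                # (58 = ERROR_BAD_NET_RESP), which is a finding in its own right.
                [pscustomobject]@{ Role = 'Unreachable'; DSA = $Matches['dsa']; Fails = $null; Total = $null
                                   ErrorCode = [int]$Matches['code']; Message = 'could not retrieve replication information' }
                continue
            }
            if ($section -and $line -match $row -and [int]$Matches['fails'] -gt 0) {
                $code = if ($Matches['code']) { [int]$Matches['code'] } else { $null }
                [pscustomobject]@{ Role = $section; DSA = $Matches['dsa']; Fails = [int]$Matches['fails']
                                   Total = [int]$Matches['total']; ErrorCode = $code; Message = $Matches['msg'] }
            }
        }
    }
}

# Constructed sample, copied from the output quoted in the post (not live data).
$sample = @'
Source DSA          largest delta    fails/total %%   error
 SRV1-HANU              21h:27m:30s    6 /  16   37  (1726) The remote procedure call failed.
 SRV1-ROOT                 59m:38s    0 /  14    0

Destination DSA     largest delta    fails/total %%   error
 SRV2-HANU              21h:27m:50s    6 /  14   42  (1726) The remote procedure call failed.
 SRV2-ROOT                 12m:18s    0 /  10    0

Experienced the following operational errors trying to retrieve replication information:
          58 - SRV1-HANU.north.vbsp.vn
'@

$failures = $sample -split "`r?`n" | Get-ReplSummaryFailures
$failures | Format-Table -AutoSize
# A scheduled task can alert whenever this count is non-zero.
"$(@($failures).Count) DC entries with replication problems"
```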

GPMC console is very slowly opening in Domain Controller


Hi,

I have multiple DCs in multiple geographical regions. When opening the GPMC console, it takes a few minutes to open.

However, on another domain controller in the same site, the GPMC console opens quickly.

I have 240 GPOs configured in my domain. Please let me know the RCA for this issue.

Domain Controller not advertised as domain controller; no sysvol, no netlogon share


Dear

In the past this client had only one SBS server. About two years ago, they added a second domain controller (Windows Server 2016) to the existing SBS domain. It seems that AD replication was working until last night, but SYSVOL replication never completed to the new 2K16 domain controller. Since last night, the SBS domain controller is not working anymore; the only thing it's doing is answering a ping, nothing more.

So now we end up with two domain controllers, one SBS which is not working, and one Windows 2016 DC which is not advertising itself as a domain controller. That means that AD is completely down.

I tried to perform an authoritative restore using BurFlags set to D4 on the 2K16 server. NTFRS is waiting for a sync to complete (which does not work) before enabling the sysvol and netlogon shares.

I cannot force an NTFRS or DFSR sync for sysvol as I can't reach Active Directory through ADSIEdit on either the SBS or the Windows 2016 DC.

How can we force the Windows 2016 DC to advertise itself as a domain controller, enable the sysvol and netlogon shares, and make Active Directory services available on the 2K16 DC?

Users are not able to get access to any file, printer or application resource because there is no DC available that’s working correctly.

Thanks for the feedback.

Regards

Peter


Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

Deploying Windows Hello for Business on-premises Device registration not working


Hi,
Sorry for the double posting; the original thread had a somewhat different question to start with. So, I'm trying to deploy Windows Hello for Business Certificate Trust on-premises in my workplace. I've followed the guide for deploying the Key trust authentication, but later changed it to Certificate trust (I'm not sure I've cleaned up all of the Key trust settings, since most of them are the same for both Key and Certificate). However, it seems I have a problem with the AD FS device registration. It seems the devices don't get registered, and I can't think of what I've done wrong for this to happen. I've managed to get to the point where I get "This sign-in option is only available when connected to your organization's network". And here's what "dsregcmd /status" and "dsregcmd /debug" give me as results:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : YES
              DomainJoined : YES
                DomainName : <domain name>

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : f7c113b3-18d2-4da8-baa7-45fd45431096
                Thumbprint : 756CDDBC67B7FA994A05F766F81E3A5429DACDC7
 DeviceCertificateValidity : [ 2019-12-17 10:50:34.000 UTC -- 2029-12-14 11:00:34.000 UTC ]
            KeyContainerId : 5303e1fb-1d9b-4993-a58e-b15720fdc4be
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : 
                  TenantId : 383a3889-5bc9-47a3-846c-2b70f0b7fe0e
                       Idp : login.windows.net
               AuthCodeUrl : https://fs.<domain name>.org/adfs/oauth2/authorize
            AccessTokenUrl : https://fs.<domain name>.org/adfs/oauth2/token
                    MdmUrl : 
                 MdmTouUrl : 
          MdmComplianceUrl : 
               SettingsUrl : 
            JoinSrvVersion : 1.0
                JoinSrvUrl : https://fs.<domain name>.org/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
             KeySrvVersion : 1.0
                 KeySrvUrl : https://fs.<domain name>.org/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://fs.<domain name>.org/webauthn/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
             WebAuthNSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://fs.<domain name>.org/manage/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
     DeviceManagementSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority : 
             EnterprisePrt : NO
    EnterprisePrtAuthority : 

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

        AadRecoveryEnabled : NO
               KeySignTest : PASSED

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : YES
             IsUserAzureAD : NO
             PolicyEnabled : YES
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : enrollment authority
          AdfsRefreshToken : NO
             AdfsRaIsReady : NO
    LogonCertTemplateReady : UNKNOWN
              PreReqResult : WillNotProvision

 
dsregcmd::wmain logging initialized.
DsrCmdJoinHelper::Join: ClientRequestId: f3eb70f9-aed9-441e-8607-eb22a2dae9f8
PreJoinChecks Complete.

preCheckResult: DoNotJoin
deviceKeysHealthy: undefined
isJoined: undefined
isDcAvailable: undefined
isSystem: NO
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 0
resultCode: 0x1

The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.

If you have any suggestions on what I should do: the Docs are good, but at a certain point they get a bit "for more information, check ******" again and again, and suddenly I have 20 tabs open and can't follow where I was or where I'm going.

Thanks in advance.

//Edit

When I restart the device, supposed to be registered, I get the following Error log on the AD FS server "AD FS -> Admin" Event logs:

Encountered error during OAuth token request. 

Additional Data 

Exception details: 
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9368: Received invalid OAuth request. The client '38aa3b87-a06d-4817-b275-7a316988d93b' is forbidden to access the resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs'.
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId)
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore()

On the machine, in "Applications and Services Logs -> Microsoft -> Windows -> AAD -> Operational", 4 log entries appear after rebooting the PC:

Http request status: 400. Method: POST Endpoint Uri: https://fs.<domain name>.org/adfs/oauth2/token Correlation ID: 7A2A19EB-8888-4DC8-9957-408092271DC2

OAuth response error: unauthorized_client
Error description: MSIS9605: The client is not allowed to access the requested resource.
CorrelationID: 

Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: 7A2A19EB-8888-4DC8-9957-408092271DC2

Logon failure. Status: 0xC000006D Correlation ID: 7A2A19EB-8888-4DC8-9957-408092271DC2
Any help will be appreciated. Thanks in advance.


Logon script not working with ip address


Hi,

My domain accounts were connecting to the domain and running the logon script.

However, it has stopped working without anything having been changed. If I browse with Windows Explorer to the bat file using the IP address, it fails (for instance, \\192.168.0.101\sysvol, where the IP address is the DC), but if I use the hostname of the DC it works fine (\\sdv1\sysvol).

Can anybody help me?

Thanks.

Regards.

User Authentication not working correctly


Hi All,

We seem to have a little issue on our domain. Basically, when users attempt to log in to the domain they should in theory log in to their local DC, but this is not happening. For example, a user in the HQ site office would authenticate and log on to a DC in another location which could be hundreds or even thousands of miles away.

Everything in Sites & Services has been checked and is correct. Does anyone know how to troubleshoot this problem we have? I have looked in the event logs (Security) but I don't see anything that will lead me to a solution.

Are there any logs I can check in order to try and troubleshoot this problem?

LDAP Queries on user accounts

I am currently busy with a new AD structure. Basically moving accounts around, creating, re-naming, and deleting OUs, etc. There are tons of AD accounts that are being used for LDAP queries that have not been documented. Is there a way I can find out which AD accounts are linked or being used for queries by different applications? 

GPO error while doing GPUPDATE-Windows server 2012


ABC.COM> GPUPDATE /force
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          1/3/2020 5:41:28 PM
Event ID:      1006
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      ComputerName.xyz.com
Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1006</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2020-01-03T09:41:28.607678900Z" />
    <EventRecordID>283654</EventRecordID>
    <Correlation ActivityID="{0BFFD08A-C3CB-44A6-8AE8-B6E9E511B3AC}" />
    <Execution ProcessID="1076" ThreadID="5836" />
    <Channel>System</Channel>
    <Computer>Computername.xyz.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">5583</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">765</Data>
    <Data Name="ErrorCode">49</Data>
    <Data Name="ErrorDescription">Invalid Credentials</Data>
    <Data Name="DCName">
    </Data>
  </EventData>
</Event>



Arif

Strange "reset password" behavior


Hi there,

we have a root domain (e.g. company.de) with some subdomains (e.g. lab.company.de & prod.company.de). Our admins (they are all created in prod.company.de) have the right to reset passwords in the subdomain (lab.company.de).

When the admins use the dsa.msc console search feature and select "Find [Users, Contacts, and Groups] in [Entire Directory]", they are not allowed to reset the password of users in the lab.company.de domain.

Error message: access denied

When the same admin uses "Find [Users, Contacts, and Groups] in [lab.company.de]", he is allowed to reset the password without any error message.

Works as designed, or a bug? I couldn't find further information about this strange behavior.

AD Site Link Creation


Hello Folks,

I've started working at a company a little over a month ago and one of my projects is cleaning up Active Directory. I resolved a bunch of replication errors and have managed to get everything syncing. I'm moving with caution but making great strides. I need to reconfigure the AD Sites & Services>Sites>Inter-Site Transports>IP>Site Links.

It looks like they tried to set up a hub and spoke using Site-A – Site-D – Site-G, with the other sites hanging off their respective location's site head. Last weekend Site-D relocated to a different office and the server had hardware issues which caused it to be down for a few days. This caused Site-E & Site-F to not receive replication. The DEFAULTIPSITELINK was deleted long before I got here and there are a lot of manual creations in the NTDS Settings in the sites.

There are MPLS connections to Site-A from everywhere. Speed/connectivity is not an issue at any site. All sites connect directly to Site-A. Other sites connect to each other but not all sites are connected to all sites.

Site-A is HQ for the company and most but not all accounts are generated here. But it is critical that all DCs replicate to and from HQ for various O365 & related reasons.

The goal is to recreate the IP Site Links and have <automatically generated> connections in the NTDS Settings. So I know I will need to delete any manually created connections and force the KCC to create the <automatically generated> NTDS connections after the Site Links are recreated.

How do I go about reconfiguring the Inter-Site Transports>IP>Site Links? Do I create one Site Link and add all sites to it and enable BASL? Could it be that simple because it's only one domain?

1 forest and 1 domain
10 DCs; Site-A Windows 2016 Std., all else Windows 2019 Std.
9 physical locations
Bridge All Site Links is disabled

Americas
Site-A = DC01 (FSMO) & DC02
Site-B = DC03
Site-C = DC04

Europe
Site-D = DC05
Site-E = DC06
Site-F = DC07

Asia
Site-G = DC08
Site-H = DC09
Site-I = DC10

Any help is appreciated. Thanks in advance!



Group policy - executable from network cannot open network connection


Hello,
I have computers in a domain environment. Regular users cannot open a network connection from an executable which is located on a network drive.
To be more specific: I want to run WinSCP from the network. A domain admin can run it without problems. Normal users get 'Network error: Invalid argument'. WinSCP support says 'your domain policy is set up not to allow connections from applications located in a certain path, such as a network share.' (https://winscp.net/eng/doc/message_network_error_invalid_argument)

I cannot find network policy which allows/denies this. Have you any idea where can I find relevant policy?

Thanks!

domain network connected vs private network connected


I have the following question.

I have a Windows Server 2012R2 with Active Directory installed, DNS, DHCP, etc.

Connected to this server there are 2 Windows 10 PCs with the latest updates. Both PCs are members of the Active Directory.

When I go to Control Panel > Windows Defender Firewall, both machines are connected as a Private Network connection. When I disconnect a PC from the directory and re-join, this PC shows the Domain Network connection as active. After a reboot of the system it switches back to a Private Network connection. Is there any way to keep them on the domain network instead of the private network?

The reason for this is that sometimes one of my PCs can't get network connectivity with the server.

The server is also connected as a Private Network connection.

Any help will be greatly appreciated.
