Channel: Directory Services forum

Application LDAP requests don't work after schema upgrade


Hi all,

We have a 2008 R2 AD controller; we installed a 2019 server as an AD controller and upgraded the schema.

Most applications using LDAP requests stopped working.

Example of the error:

javax.naming.PartialResultException: Unprocessed Continuation Reference...

I see that we must change port 389 to 3268 (GC)...

My question: what must we do to continue using port 389 without changing anything in the application, and accept referral mode in LDAP?

Why did that work well before and not now?



Computer account behaviour if it is enabled after 50 days


I have set up a script that disables a computer account if it is not used in 90 days. My query is: if I enable that account 50 days after it was disabled, what will the computer account behaviour be?

Will it give an error, or will we be able to log in successfully?

Adding machine to AD Domain.


Hello,

We are trying to add a Windows 10 machine (winver 1809) to the AD domain.

Adding the machine to the domain is successful, but the domain root certificate is NOT getting added to MMC -> Certificates -> Trusted Root Certification Authorities.

Can anybody please help us understand why, or what might be blocking the addition of the domain certificate?

With best regards.



Domain Controller Not Working Properly


Our company infrastructure is below.

Server Name            Operating System      Server Role
CORPDC01.pooja.com     Win 2008 R2           RollOver DC
RODC02.pooja.com       Win 2008 R2           RollOver DC
RODC01.pooja.com       Win 2012 R2           RollOver DC
ADC03.pooja.com        Win Server 2012 R2    RollOver DC
PrimDC01.pooja.com     Win server 2008 R2    Primary DC
ADC01.pooja.com        Win server 2012 R2    Additional DC
ADC02.pooja.com        Win server 2012 R2    Additional DC
ADC03.pooja.com        Win server 2012 R2    Additional DC
Exchange01.pooja.com   Win Server 2008 R2    Exchange Mailbox + CAS
Exchange02.pooja.com   Win Server 2008 R2    Exchange Mailbox + CAS
Exchange03.pooja.com   Win Server 2008 R2    Exchange Mailbox + CAS

A few days ago our Primary Domain Controller named "PrimDC01.pooja.com" hung. After a forced shutdown and restart, it stopped functioning properly. While checking, we observed that the FSMO roles had been transferred to the additional DC named "ADC01.pooja.com". After that we can add/remove users successfully in AD and join workstations to AD successfully; however, any new Win Server 2008 R2 will not join AD. DNS is not updating/adding records of newly joined workstations.

The Exchange Server DAG is not connecting. Cluster nodes are not communicating with each other, throwing an 'authentication problem' error.

Email flow has stopped. No email is sent or received.

We ran an AD health check and got this result.

Active Directory Health Check Result

Identity            PingStatus  NetlogonService  NTDSService  DNSServiceStatus  NetlogonsTest    ReplicationTest     ServicesTest    AdvertisingTest    FSMOCheckTest
CORPDC01.pooja.com  Success     Running          Running      Running           NetlogonsFail    ReplicationsFail    ServicesFail    AdvertisingFail    FSMOCheckPassed
RODC02.pooja.com    Success     Running          Running      Running           NetlogonsFail    ReplicationsFail    ServicesFail    AdvertisingFail    FSMOCheckPassed
RODC01.pooja.com    Success                                                     NetlogonsFail    ReplicationsFail    ServicesFail    AdvertisingFail    FSMOCheckFail
ADC03.pooja.com     Success     Running          Running      Running           NetlogonsFail    ReplicationsFail    ServicesFail    AdvertisingFail    FSMOCheckPassed
PrimDC01.pooja.com  Success     Running          Running      Running           NetlogonsFail    ReplicationsFail    ServicesFail    AdvertisingFail    FSMOCheckPassed
ADC01.pooja.com     Success                                                     NetlogonsFail    ReplicationsFail    ServicesFail    AdvertisingFail    FSMOCheckFail
ADC02.pooja.com     Success     Running          Running      Running           NetlogonsFail    ReplicationsFail    ServicesFail    AdvertisingFail    FSMOCheckPassed
ADC03.pooja.com     Success     Running          Running      Running           NetlogonsFail    ReplicationsFail    ServicesFail    AdvertisingFail    FSMOCheckPassed

The result of the netdom query fsmo command on "PrimDC01.pooja.com" is:

List of domain controllers with accounts in the domain:

Access is denied.

The command failed to complete successfully.

The result of the netdom query fsmo command on "ADC01.pooja.com" is:

Schema master               ADC01.pooja.com
Domain naming master    ADC01.pooja.com
PDC                         ADC01.pooja.com
RID pool manager            ADC01.pooja.com
Infrastructure master       ADC01.pooja.com
The command completed successfully.

The result of the nslookup command on "ADC01.pooja.com" is:

DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  172.20.4.29

Can anyone here guide me on what is wrong and how I can handle this issue? I tried to restore the PrimDC01.pooja.com server with the last available system state backup, but the restore fails. Now I am stuck; what should I do?

We ran the AD Health Check on "ADC01.pooja.com"; below is the result:

Active Directory Health Check

Identity            PingStatus  NetlogonService  NTDSService  DNSServiceStatus  NetlogonsTest    ReplicationTest     ServicesTest    AdvertisingTest    FSMOCheckTest
ADC02.pooja.com     Success     Running          Running      Running           NetlogonsPassed  ReplicationsPassed  ServicesPassed  AdvertisingPassed  FSMOCheckPassed
RODC02.pooja.com    Success     Running          Running      Running           NetlogonsPassed  ReplicationsPassed  ServicesPassed  AdvertisingPassed  FSMOCheckPassed
ADC03.pooja.com     Success     Running          Running      Running           NetlogonsPassed  ReplicationsPassed  ServicesPassed  AdvertisingPassed  FSMOCheckPassed
CORPDC01.pooja.com  Success     Running          Running      Running           NetlogonsPassed  ReplicationsPassed  ServicesPassed  AdvertisingPassed  FSMOCheckPassed
RODC03.pooja.com    Success     Running          Running      Running           NetlogonsPassed  ReplicationsPassed  ServicesPassed  AdvertisingPassed  FSMOCheckPassed
RODC01.pooja.com    Success     Running          Running      Running           NetlogonsPassed  ReplicationsPassed  ServicesPassed  AdvertisingPassed  FSMOCheckPassed

Exchange Server Problem Summary:

3-node DAG cluster:

- Node 1: Exchange01.pooja.com
- Node 2: Exchange02.pooja.com
- Node 3: Exchange03.pooja.com

Issues we are facing:

- Cluster has an issue (the cluster network name is not online)
- RPC Server service not responding
- DAG malfunctioning
- Databases are down
- Outlook prompts all users for user ID and password
- Trust relationship issue on one node after it was restarted. The other two nodes are still able to log in through the domain, as they have not been restarted since the incident.

Remove AD Trusts


Hello guys,

I am a PS scripting newbie :-(

I want to get all the AD trusts between my root domain and my child domains. I found this:
$GetList = (Get-ADTrust -Filter *).Name
The result is this:
Trust1
Trust2

How can I say: for each trust, remove it?

Thank you

Get AD user with computer name and OS


Hello,

I have a list of Active Directory users and I want to know their computers and the operating system of these computers. I don't have SCCM to do that, so I'm looking for a script, please.

Regards

dcdiag /q, Missing Expected Value, Q312862


I am working on a Windows 2012 Active Directory which has a single domain controller. Our goal is to migrate to Windows 2019 Active Directory. Our first step was to run `dcdiag /q`, which output:

PS C:\Users\Administrator> dcdiag /q
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... DC_PRIMARY failed test DFSREvent
         Some objects relating to the DC DC_PRIMARY have problems:
            [1] Problem: Missing Expected Value
             Base Object:
            CN=NTDS Settings,CN=DC_PRIMARY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<domainname>,DC=local
             Base Object Description: "DSA Object"
             Value Object Attribute Name: serverReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

            [1] Problem: Missing Expected Value
             Base Object: CN=DC_PRIMARY,OU=Domain Controllers,DC=<domainname>,DC=local
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: msDFSR-ComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

         ......................... DC_PRIMARY failed test VerifyReferences


The KB Q312862 was not helpful and does not apply to Windows Server 2012.

Please, I need help resolving this error.

How to restore deleted sites and subnets


Hi All,

I wrongly deleted a few sites and subnets. I want to restore those sites and subnets. Can I restore them from a system state backup? How can I restore them?

Thanks in advance


Replication issue between the Sites DCs


Hi guys, we have a domain and two sites: one head office and a branch in a different city. The head office has two DCs, DC1 and DC2, on Windows 2008 R2, and there is also a DC3 in the branch on Windows 2008 R2. Now the issue is that there is no replication between the branch and the head office; once we dug into the issue, we found KCC events. The scenario is as follows.

The VPN link is OK between the sites.

The DCs can ping each other by IP and by name.

net view \\DC1 and net view \\DC2 are fine, and vice versa.

But net view \\DC1 or \\DC2 from the branch office DC3 shows errors. It's like we can't access shared folders from the branch office, and also from the head office DC to the branch.

The attempt to establish a replication link for the following writable directory partition failed. 
 
Directory partition: 
DC=Domain,DC=com 
Source directory service: 
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Headoffice,CN=Sites,CN=Configuration,DC=Domain,DC=com 
Source directory service address: 
k826e336-99a7-4g2d-bdab-113db2a0f5f6._msdcs.domain.com 
Intersite transport (if any): 
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=Domain,DC=com
 
This directory service will be unable to replicate with the source directory service until this problem is corrected. 
 
User Action 
Verify if the source directory service is accessible or network connectivity is available. 
 
Additional Data 
Error value: 
1722 The RPC server is unavailable.

Azure AD pass-through authentication

Hi,

I currently use ADFS for SSO authentication.

The screen that appears for external users is a popup window for entering user and password.

When we change to (Azure AD pass-through authentication) which screen will be presented to external users?

Internal users will continue to log in SSO already logged into the internal network, right? Just include the site in the IE GPO as it is done in ADFS.

Can someone show me the screen that appears when the external user connects to the O365 portal using Azure AD pass-through authentication?

Thanks.

After updating Exchange 2016 to latest CU 15, having major DNS errors!


Hello All,

I have a network that was upgrading their Exchange to the latest CU 15. During the upgrade the process stopped at around 98%. They rebooted the servers (Exchange 2016, the PDC running the CA, and a secondary DC running DNS) and when they came back up there were major issues. The first and foremost is (I think) an RPC error 1722 between the PDC and the secondary DC. I have run all the dcdiag tests along with dtcping and each shows the RPC error 1722. This is where it gets interesting. Most of the tests come back as passed (except for the 1722 error). After digging into the system for the day I found that the security settings for the secondary as well as the primary DNS servers are showing SIDs for about half of their accounts. The on-site Enterprise CA is not working, with "RPC server unavailable" errors. The on-premise Exchange 2016 server will not boot due to this issue either. Under Server Manager, when trying to access the other DC, I receive a "target not accessible" error message. There are DCOM 10028 errors about connecting to the other servers (unable to communicate using any of the configured protocols). It looks like DC1 (which is the PDC Emulator) holds the RID/PDC/Infrastructure roles (according to itself) when looked at from the ADU&C snap-in. On DC2 it shows unknown for each.

1: The last Event Viewer entries on DC1 and DC2 show that Active Directory Web Services is servicing the directory instance as GC, LDAP and SSL.

2: DFSR is showing 1727 on each DC. It reported that the last time it worked was about noon today.

3: PortQry shows port 135 (epmap) listening on both servers. It lists 120+ endpoints for each server.

4: DNS was/is signed. I can remove the signature from DC1 DNS and reapply it, but not from DC2 (I tried to remove it and transfer the Key Master role, to no avail).

5: I have tried to reset the machine and user account passwords.

What am I missing???

Devin

Delegation not working (Helpdesk users to unlock admin user's Accounts (customized without domain admin))


Hi,

We have a requirement where a security group of helpdesk users needs to unlock admin accounts. I understand that if the user is a member of the Domain Admins group, then it is not possible to delegate the permission to reset/unlock his/her account to a helpdesk user.

However, in our case most of the admin users are not members of Domain Admins, and when we delegate the rights "Read LockoutTime" and "Write LockoutTime" to the helpdesk group, helpdesk is able to unlock normal users but not able to unlock admin accounts (customized power users).

Can you please explain how this works and what I am missing here...

Referenced links:

https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700835(v=technet.10)?redirectedfrom=MSDN

https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)?redirectedfrom=MSDN


Junaid Abrar

gpupdate Error


Hi,

I am getting the below error when running gpupdate on Server 2012. How do I address the issue?

Please provide me with step-by-step troubleshooting.

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\at.com\sysvol\at.com\Policies\{12B347vA-366A-4229-AA4B-9B858242B3AB}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Cross Forest Trust and User Traffic


Hi,

We are trying to integrate with another AD environment. We need to access data from this new domain.

We are creating a one-way trust. So do we need an RODC set up in the new domain?

As


Audit account logon events not working on Domain Controllers


Hello,
It seems to me that we have some issues with domain controller login validation. Therefore I wanted to check the Security event log for Logon/Logoff events. I soon had to figure out that this isn't as trivial as it sounds when one sticks to native auditing. First of all, auditing for such events needs to be enabled by GPO.
The point is, I don't manage to get any Audit Account Logon events, only Logon events, even though I have enabled both policies on my Default Domain Controllers Policy to audit success and failures. But whatever I do, gpupdate /force, etc., I only find Logon events like 4624 on the DC and the client PC. I do not find any of the Account Logon events, which are supposed to be written only to the DC security event log. If I search for 4768 or 4769 etc., I don't get any results. I wonder why my DCs still do not log domain users' logons?

Even a tool like Lepide probably won't help much, because this probably also relies on the fact that the DC needs to log these events, right?

Is there anything else I need to pay attention to in order to get the events which are supposed to be generated by this policy setting: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy --> Audit account logon events, apart from enabling this policy and updating it on the computers? From what I understand from this post https://www.morgantechspace.com/2013/10/enable-active-directory-logonlogoff.html these are the related Event IDs: Audit account logon events (4776, 4768, 4769, 4770, 4771, 4772, 4773, 4774). I get none of them; I only get logon events (4624, 4625, 4648, 4634, 4647, 4672, 4778), which is a local thing.

Kind regards,

Dieter

LDAP / LDAPS - coexistence?


Hi,

Quite simply: can a collection of domain controllers service both LDAP and LDAPS queries from various devices and applications in a domain, or is it best to stay with LDAP only, or set up and use only LDAPS?


DFSR SYSVOL folder not replicating


Hello all,

I have inherited a Server 2012 Essentials environment at a customer's, and I am currently trying to migrate to Server 2019 Standard. From all I have read it should be a normal procedure, except for leaving the FSMO roles until the last minute. I checked that SYSVOL replication was on DFSR and then introduced the new DC. Regular AD replication is fine (repadmin reports all DCs up to date). However, SYSVOL was not being replicated, so I went to check deeper.

SYSVOL looks complete, the junction points are good, and the state of DFSRMIG is "eliminated", so DFSR should be used. Now the new DC is waiting for initial sync, and the old DC shows no errors, but it seems the SYSVOL folder is simply not a known replicated folder on that system.

As SYSVOL is basically healthy, I backed up the files and tried the steps in this article:

https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

It goes well up to the point where I should see event 4602 in the DFSR event log of the authoritative DC after running dfsrdiag pollad. Checking with
wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

on the old DC (of course after reverting the ADSI changes) I get "No instance(s) available". I found that this problem can occur when the DFSR database is corrupt after disk problems, but I have found no indication of this (there should be a warning 2213 or similar in the event logs, but there isn't), nor am I able to "ResumeReplication" on any of the GUIDs I found in the DFSR config (in System Volume Information). I tried the folder GUID, the replication group GUID and the volume GUID, but each attempt only reports "no instances available".

Further checking the DFSR config files, it seems as though the replication group is known; I can also see it in the DFSR console. Running a health report there, I get a message which basically says the same as "no instances available", namely that the folder is not in a replicated state on the original DC.

Now I am faced with a decision to either try to repair the state of the original DC or (without being sure this is possible) force the new DC to just skip initial sync and let me seed SYSVOL manually. So I have two questions, and I really hope someone can help me out here.

1. Is there any obvious solution I am missing in my attempt to repair the DFSR on the old DC?

2. Can I force the new DC to skip initial sync by making it authoritative, and then just copy the SYSVOL contents to where they belong? Has anyone tried this on a completely new DC? I am wondering about the implications here, and how to go about sharing SYSVOL and NETLOGON, as those are not shared right now, of course.

Thanks everyone in advance!

Claudia

KDC reports inconsistent supported encryption types after AS-REQ


Hi,

We are running vSphere 6.5 (VCSA) with Likewise Open as the backend for SSO. What we observe is that some users can log in and some users cannot.

This goes back to the fact that the contacted domain controllers (Server 2008 R2; functional level: Server 2016) reproducibly report back a different set of supported encryption types (AES256 and RC4-HMAC vs. RC4-HMAC only) after the AS-REQ for certain users, although the attributes "msDS-SupportedEncryptionTypes" and "userAccountControl" are completely identical for all users. The same applies to the content of the AS-REQs themselves.

While modifying the VCSA to handle this case properly is not recommended, we would rather fix the root cause of this behaviour, as other applications might also be affected in future.

So, what could be the reason?

Thank you for any hint.

Unjoined PCs Not Removed From AD


I just noticed that machines we recently unjoined from the domain still show up in our 2012 R2 AD.

The icons do have a down arrow next to them, which indicates that the computer accounts are inactive, but I have never noticed this before.

Is this by design (a delay pending a purge), or do I have a misconfiguration somewhere?

Thanks >> Joe
