Hi,

I started

esentutl /p ntds.dit

and get error:

Unable to find the callback library ntdsai.dll

Operation terminated with error -2102 (JET_errCallbackNotResolved, A callback function could not be found)

What i do wrong?

Thanks.

Hi Support,

When run the BPA in the Windows 2016 DC, we found one of the DC have many error as below: 

  Issue:
  The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) is not able to collect data about the hostname DNS A/AAAA records from the DNS servers.

  Impact:
  The AD DS BPA will not be able to validate configuration data about the hostname DNS A/AAAA records.

  Resolution:
  Troubleshoot the DNS servers to determine the root cause of the problem.

When check the DirectoryServices_EngineReport, it have this error:
                          <HostNameDnsRecord>
                                            <Error>
                                              <Report>true</Report>
                                              <DataItem>the hostname DNS A/AAAA records</DataItem>
                                              <Computer>the DNS servers</Computer>
                                              <Message>This element requires a valid Server Hostname</Message>
                                              <FullyQualifiedErrorId>This element requires a valid Server Hostname</FullyQualifiedErrorId>
                                              <Exception>
                                                <Type>System.ArgumentException</Type>
                                                <Message>This element requires a valid Server Hostname</Message>
                                                <InnerException>
                                                  <Type>Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException</Type>
                                                  <Message>Cannot find directory server with identity: 'Server$'.</Message>

I checked DNS have the server record. Try to use ntdsutil and the server can be found. The replication on all DC is healthly.

Any idea?

Best Regards

Chong

Hi,

I was trying to migrate my old WIndows Server 2008 32 bit OS to new OS Windows Server 2019, but apparently it was not possible.

My exchange server 2007 was my copy of my old domain controller still intact but unable to connect to my newly renamed DC server.

My existing Active directory server was roles for the below.

1. CA server
2. Active directory domain services
3. Network policy server
4. Web Server
5. File Server
6. DNS Server

For the migration, below were the steps i did

1. Add 2 domain controller to the existing active directory pool for replication and failover (one windows Server 2012, one is Windows Server 2019 to migrate - during the migration stage, im getting a lot of DNS issue, but i kept persist it and it worked (tried many times of ipconfig /flushdns & ipconfig /registerdns, took a few tries)
2. Successfully added 2 domain controller into the pool and replicated (but the DNS server needed to be manually replicated)
3. Backup CA cert, policies & SYSVOL folder, Did DC Promo.exe the old server, remove CA server then proceeded with the removal of DC server, then change the IP address and domain name of the server

Replication status of the server at that time unknown. I proceeded with the switchover, initially there was already error, but didn't know where to start. I started changing one of the server back to the old server name & IP address, the second server which was added to the DC pool was demoted, and this is where all hell broke loose. The problems became nightmare for me

In my attempt to get the 1st DC server which I replicated, below were the errors found.

C:\Users\pcsb002pg>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = adserver
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         ......................... ADSERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Advertising
         Fatal Error:DsGetDcName (ADSERVER2) call failed, error 1722
         The Locator could not find the server.
         ......................... ADSERVER2 failed test Advertising
      Starting test: FrsEvent
         ......................... ADSERVER2 passed test FrsEvent
      Starting test: DFSREvent
         The event log DFS Replication on server ADServer2.pcsb.local could not
         be queried, error 0x721 "A security package specific error occurred."
         ......................... ADSERVER2 failed test DFSREvent
      Starting test: SysVolCheck
         [ADSERVER2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ADSERVER2 failed test SysVolCheck
      Starting test: KccEvent
         The event log Directory Service on server ADServer2.pcsb.local could
         not be queried, error 0x721"A security package specific error occurred."
         ......................... ADSERVER2 failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... ADSERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [ADSERVER2]:failed with 64:
         The specified network name is no longer available.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         ......................... ADSERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... ADSERVER2 passed test NCSecDesc
      Starting test: NetLogons
         [ADSERVER2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ADSERVER2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... ADSERVER2 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=ForestDnsZones,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:29:03.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=DomainDnsZones,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:29:06.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: CN=Schema,CN=Configuration,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:28:45.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: CN=Configuration,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:34:34.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:35:25.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... ADSERVER2 failed test Replications
      Starting test: RidManager
         ......................... ADSERVER2 passed test RidManager
      Starting test: Services
         Could not open Remote ipc to [ADServer2.pcsb.local]: error 0x40"The specified network name is no longer available."
         ......................... ADSERVER2 failed test Services
      Starting test: SystemLog
         The event log System on server ADServer2.pcsb.local could not be
         queried, error 0x721 "A security package specific error occurred."
         ......................... ADSERVER2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... ADSERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : pcsb
      Starting test: CheckSDRefDom
         ......................... pcsb passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... pcsb passed test CrossRefValidation

   Running enterprise tests on : pcsb.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1722
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1722
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722
         A KDC could not be located - All the KDCs are down.
         ......................... pcsb.local failed test LocatorCheck
      Starting test: Intersite
         ......................... pcsb.local passed test Intersite

C:\Users\pcsb002pg>

The above is my DCdiag diagnostics.

I also noticed my DNS is quite screwed.

I'm so stuck and don't know what to do and where to start. My whole office is gonna come after me tomorrow.

I have roughly 25 staffs i the office, with exchange server & some other applications such as firewall, Lyncserver & network drivers require active directory to connect.

Please help me. 

HI,

We want to go ahad with new LDAP Signing and Channel Binding Changes in Active Directory

we have installed the March updates on both our server 2012 R2 DC and server 2016 member servers and set the

DC policy

Domain controller: LDAP server channel binding token requirements = Always

Domain controller: LDAP server signing requirements = Require singing

On member servers:

Network security: LDAP client signing requirements  = Require singing

Also set the registry on DC to highest:

Internal event: An LDAP client connection was closed because of an error. 

Client IP:
10.0.10.11:50039 

Additional Data 
Error value:
1236 The network connection was aborted by the local system. 
Internal ID:
c060410

Shahin

Can someoe help my to understand the march 2020 update,

If I understood it correctly the march 2020 update has soething to do with LDAP channel binding and LDAP signing and has nothing to do with LDAPS and march 2020 updates will help us to findout which devices sending unsecure LDAP requests to the DC's and with dont have to setup and certificate on our DC's

Is this correct?

Shahin

Hai,

When I try to change a network user's password using ADSI's IADsUser->ChangePassword(), the server machine where my application is running is getting rebooted.

• Error code during IADsUser->ChangePassword() = ERROR_CODE=800706ba :The RPC server is unavailable.
• RPC related services are working properly on the Domain controller. Also I haven't made changes to RPC service or ports. 

Few event logs related to the incident before the restart,

• Event ID: 5000, Error, LSA(LsaSrv) - (system log) - The security package MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 generated an exception.

• Event ID: 1074, Info, User32(source) - (system log) - The process winint.exe has initiated the restart of computer on behalf of user for the following reason. Reason code : 0x50006, Comment: The System process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255. 

• Event ID: 1000, Error - (application log) - Faulty application name: lsass.exe(c:\Windows\system32\), version: 6.2.9200.20521; Faulty module name : msv1_0.DLL(c:\Windows\system32\), version: 6.2.9200.22978; Exception code: 0xc0000005

The log message are obtained when trying this in a Windows Server 2012 machine.

Any help would be appreciated as it seems a critical issue due to the reboot of the server machine.

Hi All

In my company we have three domains. Each domain having around 2000 users. Recently we made a Git server for our organisation and users from all domains needed to work on this Git server. In order to achieve this we made an LDAP server to authenticate all users from all three domains. This we configured with the help of the role ADLDS. We made an automated task to import users to this LDAP server from all three domains. And the configuration file will convert all user objects to user-proxy objects. Whenever a user try to authenticate to LDAP server, the server will receive the authentication and forward the same to concerned domain with the help of SID anduserprincipalname. You guys might be aware of this configuration.

Everything was working without any issues. But recently we found an issue that thesourceobjectguid attribute which is getting imported from the domain to LDAP server is showing some special characters instead of actual values. This is the prime attribute which is working behind the authentication. This is happening in few user accounts. Because of this, these users are not able to authenticate through LDAP server.

Requesting your help.

Attaching the screenshot for reference.



Shanif Salim

The following links were used as references for configuring NDES on Windows Server 2016 core:

  https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831498(v%3Dws.11)
  https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx

The issuing CA is an enterprise intermediate/subordinate CA.  NDES is installed on a separate server using a service account (domain user, not gMSA).  The default password behavior is configured (required, max 5, expiring after an hour).  A custom certificate template has been created for devices, added as a template to issue on the CA, and configured on the NDES server.  Appropriate permissions have been set on the template and the CA for requesting and enrolling.

The mscep_admin page shows a password.  However, requests from devices fail.  The Application event log shows the following:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-NetworkDeviceEnrollmentService" Guid="{73144342-19D1-47A4-94DE-D38E6A054AD5}" /><EventID>29</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2020-03-04T15:12:17.367859700Z" /><EventRecordID>1647</EventRecordID><Correlation /><Execution ProcessID="3732" ThreadID="3768" /><Channel>Application</Channel><Computer>NDES-Comp-Name.foo.bar</Computer><Security UserID="S-1-5-21-701053380-3347107659-2942889231-2638" /></System><EventData Name="EVENT_MSCEP_INVALID_PASSWORD" /></Event>

The mscep.log file shows the following:

  402.478.948: Begin: 3/4/2020 7:03 AM 24.845s
  402.483.0: w3wp.exe
  402.491.0: GMT - 8.00
  2901.1286.0:<2020/3/4, 7:03:24>: 0x80004005 (-2147467259 E_FAIL)
  2905.923.0:<2020/3/4, 7:03:24>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): B96FCFEE D3EC2220 8077AF3F C2C46A2A 22BFBB57
  2905.923.0:<2020/3/4, 7:03:24>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 70553F1F 27D5F499 4493B530 038929AC 4A4AD191
  2905.947.0:<2020/3/4, 7:03:24>: 0x0 (WIN32: 0): CN=Issuing-CA-Name, DC=foo, DC=bar:1a25a5e55b879c18334c1ca24bb1b5f043d18dc6
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2905.1055.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:6d7e33f8e4a8fdd64f381815c18e8af0fe6fa144
  2905.1497.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:6d7e33f8e4a8fdd64f381815c18e8af0fe6fa144
  2905.923.0:<2020/3/4, 7:03:25>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 4ED75197 6054E100 DAE442EC 35A46969 120EA1EF
  2905.947.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=Issuing-CA-Name, DC=foo, DC=bar:1a25a5e55b879c18334c1ca24bb1b5f043d18dc6
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2905.1062.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:43c449746084d661e5345753dda96b2d7f53ee62
  2905.1534.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0): CN=NDES-Request-Agent-Name, C=US:43c449746084d661e5345753dda96b2d7f53ee62
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  419.5431.0:<2020/3/4, 7:03:25>: 0x0 (WIN32: 0)
  2906.1405.0:<2020/3/4, 7:03:57>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
  2902.419.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.4738.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.3690.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5284.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5823.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.5799.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.1864.0:<2020/3/4, 7:03:57>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION)
  2905.1865.0:<2020/3/4, 7:03:57>: 0x3 (WIN32: 3 ERROR_PATH_NOT_FOUND)
  2905.1866.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
  2905.1867.0:<2020/3/4, 7:03:57>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
  2905.2006.0:<2020/3/4, 7:03:57>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

Various sources recommend enabling the CAPI2 log.  However, that does not show any warnings or errors related to the attempt.  Are there any other logs worth examining?

Guys...

I am at a loss here. Googled and Binged all day and have ZIP.

I have two forests each with one domain. I established a two way forest trust and can ACL objects and log in with username and password. The issue is I need to be able to log in with a PIV card. So... I need to log into forest A with my PIV and have it also provide me access to all the resources of forest B. I have no idea where to even start.

Suggestions? Someone point me in the right direction?

Hi, I need to create a distribution List within our AD but with restricting who can send email to this list. How can I do this without having Exchange on premise.

i try to modify following settings but get error

• AuthOrig
• dLMemberRule
  DlMemDefault
  dLMemRejectPerms
  dLMemSubmitPerms
  
  
  There is no editor registred to handle this attribute type

Hi,

I built a server 2019 domain controller. I successfully promoted the server to domain controller. I also built a windows 10 computer to use as a workstation. 

When I try to join the windows 10 computer to the domain I get error :

"An Active Directory Domain controller (AD DC) for the domain "domain" could not be contacted."

DNS was successfully queried for service location (SRV) resource record used to locate a domain controller for domain "domain":

The query was fo SRV record _ldap._tcp.dc._msdcs.domain.com

The following domain controllers were identified by the query:

(no Active Directory Domain Controllers found)

However no domain controllers could be contacted.

Please advice I am trying to build a lap on my laptop and I am using public wifi for connection.

Thanks,

Senait

Dear Folks,

I have hosted server with public IP, I have installed ADDS and role on it, right I'm unable to join client to that domain becuase the my server ip is public so can you guide me how can resolve this issue for joining my client from outside network.

Thanks

We are a North American company with head office in China (China office already a different forest and domain). However, we want to extend the North American domain and Active Directory into China. The employees of China office will be using ~80% of the services currently utilized globally. This includes all the SSO, Exchange, same O365 Tenant, etc.

There have been some concerns raised about replicating non-Chinese employee's AD data (and other regulatory considerations like GDPR) through the Great Firewall of China. The new cybersecurity laws in China allow PKI and AD traffic encryption but not without the ability for the government to have access to this information.

I am wondering what have other companies in North America and Europe done to overcome this challenge? 

We chatted shortly about a stand alone forest with a trust but this may or may not be the best solution.

Hello,

Can someone please help with the following

If I have an App/WEB site etc. on a standalone Linux host (Kerberos aware), e.g. no realm trusts of any kind

Then I have an Active Directory domain with my Users and I create a KeyTab file on Windows using KTPass with the relevant information, SPNs of Linux Service and AD user this information is to be associate with (to request a service ticket) 

I then take the KeyTab file and import/setup on the Linux host

Do I also need to join the Linux Host to Active Directory (using SSSD or Centrify for example) in order to the KeyTab file to work?

I would be very grateful for any help on this please

Thanks

CXMelga

Hi,

Is it possible to integrate newly installed Active Directory Domain Services to an existing DNS (on-premise) standard? If yes what would be the pre-requisites and steps to do?

Thank you!!