Channel: Directory Services forum

adprep /forestprep fails with constraint violation

Dear all,


I am running into a problem while preparing for an update to add Windows 2016 servers as domain controllers.

The AD is verified, the schema version is at 69 and everything looks fine; then this happens:


<-- snip -->


Current Schema Version is 69


Upgrading schema to version 88


Verifying file signature
Connecting to "ad01.domain.com"
Logging in as "DOMAINADMIN" in domain "domain.com" using SSPI
Importing directory from file "D:\support\adprep\sch70.ldf"
Loading entries......
5 entries modified successfully.

The command has completed successfully
Verifying file signature
Connecting to "ad01.domain.com"
Logging in as "DOMAINADMIN" in domain "domain.com" using SSPI
Importing directory from file "D:\support\adprep\sch71.ldf"
Loading entries........
12 entries modified successfully.

The command has completed successfully
Verifying file signature
Connecting to "ad01.domain.com"
Logging in as "DOMAINADMIN" in domain "domain.com" using SSPI
Importing directory from file "D:\support\adprep\sch72.ldf"
Loading entries......
17 entries modified successfully.

The command has completed successfully
Verifying file signature
Connecting to "ad01.domain.com"
Logging in as "DOMAINADMIN" in domain "domain.com" using SSPI
Importing directory from file "D:\support\adprep\sch73.ldf"
Loading entries......
22 entries modified successfully.

The command has completed successfully
Verifying file signature
Connecting to "ad01.domain.com"
Logging in as "DOMAINADMIN" in domain "domain.com" using SSPI
Importing directory from file "D:\support\adprep\sch74.ldf"
Loading entries.
Add error on entry starting on line 1: Constraint Violation
The server side error is: 0x2082 A value for the attribute was not in the acceptable range of values.
The extended server error is:
00002082: AtrErr: DSID-03151817, #2:
       0: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20022 (rangeLower):len 4
       1: 00002082: DSID-03151817, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20023 (rangeUpper):len 4

22 entries modified successfully.
An error has occurred in the program
ERROR: Import from file D:\support\adprep\sch74.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\20200428193051\ldif.err.74.

If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with t


Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence]
The schema will not be restored to its original state.
[User Action]
Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20200428193051 directory for detailed information.


Adprep was unable to update forest information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20200428193051 directory for more information.


<-- snip -->


Can someone point me in the right direction with this issue?


cheers

soeren

AD servers RDP issue


Hi, 

I have installed an AD server and it is sitting behind the NSX Edge firewall. When I enable the firewall I am not able to access it:

It shows "an internal error occurred".

If I disable the firewall I can access the server.

I can telnet to 3389 (if the firewall is enabled).

I can ping the server (if the firewall is enabled).

But I can't access the box.

Jumpbox >> Edge firewall >> Active Directory servers

Please help me to fix this issue.

Nagesh

Dcdiag failed test VerifyReferences (Windows 2008 R2 Enterprise)


Hi All,

I have gone through Knowledge Base Article Q312862 and it did not resolve the issue; any input or suggestions are welcome!

My goal here is to safely upgrade our domain controller to 2012 R2; if we can safely ignore this error then that's good enough for me.

TIA,

Ron

Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=ALPHA1,OU=NO_WSUS,OU=Domain Controllers,DC=rpmcsi,DC=com and
         backlink on
         CN=ALPHA1,CN=Servers,CN=SBC-Co-location,CN=Sites,CN=Configuration,DC=rpmcsi,DC=com
         are correct.
         The system object reference (serverReferenceBL)
         CN=ALPHA1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=rpmcsi,DC=com
         and backlink on
         CN=NTDS Settings,CN=ALPHA1,CN=Servers,CN=SBC-Co-location,CN=Sites,CN=Configuration,DC=rpmcsi,DC=com
         are correct.
         Some objects relating to the DC ALPHA1 have problems:
            [1] Problem: Missing Expected Value
             Base Object:
            CN=ALPHA1,OU=NO_WSUS,OU=Domain Controllers,DC=rpmcsi,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

         ......................... ALPHA1 failed test VerifyReferences

ADUC Error


Hi,

We are frequently having problems opening ADUC on our Windows 2012 Datacenter primary domain controller and getting the error below. The only way we can get it back is by restarting the server. The second DC, which is Windows 2012 R2 Std, is working fine.

Any solution to this problem? We tried many things for troubleshooting but nothing worked.

Active Directory Topology


Hello Team,

Hope you all are safe!!!

I have joined a new organisation; from day 1 I am working from home.

I am asked to draw the existing AD topology diagram.

I am aware of the command to check DCs.

Ask:

What other components are expected in a general AD topology diagram?

Which commands should be used in such a situation?

Any help will be highly appreciated.

active directory change IP address


Hello team,

Currently we have two domain controllers, one 2008 R2 (primary) and one 2012 (secondary), and we are planning to migrate the 2008 R2 domain controller to 2012. This primary domain controller has some applications that depend on its IP address. How can we migrate this domain to a new server and keep the same IP?

Appreciate your advice on such an issue.

Delegate permission to create keytab file


Hello all,

We have a service account; is there a way to delegate to this service account the ability to create keytab files at OU level?

Please let us know if there is any such option available.

regards

Aamir 

Delegate permission to modify UPN


Hello all,

Please let us know how to delegate permission for a user to modify the UPN of user objects in an OU.

regards

Aamir


Limit users who query AD ldap


Hi,

How do I prevent ordinary users from querying LDAP? We have an application for which we had one account used by the application to connect to AD LDAP. What we have noticed is that ordinary users can do queries against LDAP. Can we apply delegation so that ordinary users cannot query? If so, what would the permissions be? If we apply these permissions, will it prevent them from logging in to the domain controller or using some other services?

Thanks,

Janus

How to find out which users are going to be disabled and how to send out a request for approval to extend to manager?


I'm new to this, so bear with me please...

We have contractors that have access to, well, everything until their contract ends. What I need to do is a bulleted list of things, and if I can find a way to do it, it would be greatly appreciated.

  1. Search for users that are going to lose access within two weeks. 
  2. Send a request to reporting manager asking if user contract to be extended. 
  3. Send manager response to an email address which will be checked by us. 

Is this possible using the Active Directory Admin Center? 

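The three steps in the post above, as an added PowerShell example that is not part of the thread: it finds enabled accounts that expire within 14 days, resolves each one's manager, and emails the manager an extension request with the admin team's mailbox on copy. It assumes the ActiveDirectory RSAT module and an SMTP relay reachable from the admin host; the server and mailbox names are placeholders.

```powershell
# Added example, not from the thread. Placeholders below must be replaced with real values.
Import-Module ActiveDirectory

$SmtpServer   = 'smtp.example.com'          # placeholder SMTP relay
$FromAddress  = 'ad-admins@example.com'     # placeholder sender
$ApprovalsBox = 'ad-approvals@example.com'  # placeholder mailbox the admin team checks (step 3)
$Window       = New-TimeSpan -Days 14

# Step 1: enabled user accounts whose accountExpires falls within the next 14 days.
# -AccountExpiring covers accounts that *will* expire; already-expired ones are a
# separate case (-AccountExpired) and are deliberately left out here.
$expiring = Search-ADAccount -AccountExpiring -TimeSpan $Window -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties AccountExpirationDate, Manager, DisplayName
    }

foreach ($user in $expiring) {
    # Step 2: resolve the manager DN to a mail address; fall back to the admin mailbox
    # when the attribute is missing so no expiring account is silently skipped.
    $to = $ApprovalsBox
    if ($user.Manager) {
        $manager = Get-ADUser -Identity $user.Manager -Properties mail
        if ($manager.mail) { $to = $manager.mail }
        else { Write-Warning "Manager of $($user.SamAccountName) has no mail attribute; routing to $ApprovalsBox" }
    } else {
        Write-Warning "$($user.SamAccountName) has no manager set; routing to $ApprovalsBox"
    }

    $expires = $user.AccountExpirationDate.ToString('yyyy-MM-dd')
    $body = @"
The contractor account $($user.DisplayName) ($($user.SamAccountName)) expires on $expires.
Please reply-all with APPROVE <new end date> or DENY. $ApprovalsBox is on copy so the
account team sees your decision (step 3).
"@
    # Step 3: Cc the admin mailbox so the manager's reply-all lands where it is checked.
    Send-MailMessage -SmtpServer $SmtpServer -From $FromAddress -To $to -Cc $ApprovalsBox `
        -Subject "Action required: access for $($user.SamAccountName) ends $expires" `
        -Body $body
}
```

Run it as a scheduled task under an account that can read the Manager and mail attributes; the same query can be made in Active Directory Administrative Center, but the notification part needs a script.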

Forest recovery


Hello team,

We are upgrading the DFL from 2003 to 2012 R2,

and if we then have to roll back, the only option is forest recovery.

Can anyone advise which method is best?

1) system state restore

2) bare-metal backup restore

We have 4 DCs in the parent domain and 21 DCs in the child domain.

Which will be quicker?

We have a manufacturing unit and hence cannot proceed without confirmation.

any other suggestion is also welcome

Please advise

regards

Aamir Masthan

Domain controller restore after ransomware attacks


Hi,

I have 30 DCs deployed across multiple geographical regions. If ransomware attacks my domain controllers, I will switch off my DCs immediately to avoid a major outage.

Can I follow the below solution to overcome the situation?

I am taking full server backups of 5 different domain controllers. I can take any one backup to restore.

If I restore the full backup on a newly built server, do my clients and applications, and the certificate authority, work as expected?

Service accounts questions


If you have to create a service account that has to be part of the Domain Admins group, which would need to be created for a piece of software to audit servers and DCs but does not need to log into the servers locally or remotely or even run stuff as scheduled tasks:

Is it best practice to deny these accounts the right to log on to any system locally and via RDP, and to deny "log on as a batch job" as well? Any other good security practices that we should take for this?

Getting Error into DFS Replication Log


We have 4 domain controllers. 3 domain controllers are on 2008 R2 and one domain controller is on 2012 R2. The forest and domain functional level is 2008 R2. As we want to migrate our DCs from 2008 R2 to 2019, we need to migrate the SYSVOL replication mode from FRS to DFS-R.

After completing the FRS to DFS-R migration on the DC whose OS is 2012 R2, we are getting an error in the DFS Replication log on one of our four domain controllers. Error details are given below:

 

The description for Event ID 4004 from source DFSR cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

F0DDB884-0B78-4D32-898D-F4FAB7C0B63C

D:\Windows\SYSVOL_DFSR\domain
997
Overlapped I/O operation is in progress.
SYSVOL Share
Domain System Volume
4CE740A8-6B11-43A4-93BA-BCE19A1D23E7
B29A715B-CC2B-4DCA-B1FB-909BEA90A013

Also be informed that when we run the command net share, it doesn't return the SYSVOL or SYSVOL_dfsr folder.

When we check the directory manually, both folders (SYSVOL & SYSVOL_dfsr) are present, which is not expected. Only the SYSVOL_dfsr folder should be present.



Thanks & Regards, Al Amran Technology Specialist Cell: +8801755606024 Tech One Global (Pvt.) Limited House : 10/A , 3rd floor , Road : 4 ,Gulshan Avenue 01, Dhaka-1212, Bangladesh

AD Site and Services


Moving to a new forest/domain and setting up Sites and Services. Wondering if I need to create a site for each school. The topology is hub and spoke and no site will have a DC. All DCs will be at the host site with a 10 Gb link. I have added the subnets of each school, VLANs at each school, all using the first site link, which will be renamed to the host site. I don't see the need to create sites since there will be no servers located there.

Thanks in advance for any info or clarification. 


ADUC, Right-Click, Context Menu

Is there a way to add a menu item with sub-menu items on the right-click context menu of a user object in Active Directory?
I want to add a few menu items to the context menu, but I'd rather not lengthen the menu with 4 additional menu items if I can create a menu item with sub-menus.

Using GMSA Account for LDAP Bind/Search in Java Application


This question is related to: Group Managed Service Accounts

Use Case:

We have customers who have configured a GMSA account for running services and connecting to SQL Server. We also have a Java-based authentication facade that connects to Active Directory to search for users/authenticate users.

The customer is requesting that we use the GMSA account to do the LDAP bind when connecting and searching for users in Active Directory, instead of the currently provisioned service account and password.

Question/Assistance/Help:

Can a GMSA account be used in a Java application? i.e. can we use a GMSA account to do an LDAP bind and search from Java?

 

I tried a C# utility which requests the GMSA password; however, our Java bind does not work with the GMSA account and the retrieved GMSA password.

We used steps similar to those pointed out in dsinternals.com - retrieving-cleartext-gmsa-passwords-from-active-directory to get the GMSA password.

A test C# program can retrieve the GMSA password and can bind to LDAP and search users using the GMSA account and GMSA password, all running on the same machine which is permissioned to retrieve the GMSA password as per GMSA requirements.

However, using the same GMSA account and retrieved GMSA password does not work with Java, with either a simple bind or a bind via Kerberos GSSAPI,

again running on the same machine which is permissioned to retrieve the GMSA password.

We get the following error:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]

indicating the credential is invalid.

Any pointers much appreciated - Thank you.


Account Lockout Policy


Current settings:

Account Lockout Duration - 0 minutes
Account Lockout Threshold - 5 invalid login attempts
Reset account lockout counter after - 60 minutes

I understand that with the above settings the user will never get unlocked automatically; admins will have to unlock the account.

I'm just confused by the below statement from the "Reset account lockout counter after" setting:

"If Account lockout threshold is set to a number greater than zero, this reset time must be less than or equal to the value of Account lockout duration"

As you can see, the reset time (60 minutes) in my settings is not less than or equal to the value of account lockout duration (0 minutes). Is that wrong, or what will be the impact?

Thanks



How do on-premises Active Directory and the Hybrid Azure AD authentication framework work simultaneously for the endpoint (workstation login)?


Hello,

I need information on whether it is possible for on-premises Active Directory and the Hybrid Azure AD authentication framework to work simultaneously for the endpoint (workstation login).

Which authentication frameworks for the endpoint will work, e.g. Hybrid AD with Azure AD with Duo / MFA?

My requirement is: when a system/laptop tries to log in on the corporate network it should use local AD DC authentication, while when the same device tries to log in from outside the network it should authenticate with hybrid Azure AD + MFA.


Domain controller back to online after a month of data center maintenance


Hi,

I have a small data center; due to building maintenance I powered off the domain controller for 40 days.

After 40 days, I am going to bring the domain controller online. Let me know what type of validation is required to be performed.

We have an additional DC for authentication in the other data center, so there is no authentication failure at the moment.
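A validation check for the situation in the post above, as an added PowerShell example that is not part of the thread: before the DC is powered on, it compares the 40-day outage with the forest tombstone lifetime (a DC offline longer than that must be demoted and re-promoted rather than allowed to replicate), and once the DC is up it lists the replication result from every partner. It assumes the ActiveDirectory RSAT module on a healthy DC, and the DC name is a placeholder.

```powershell
# Added example, not from the thread. Run on a healthy DC that stayed online.
Import-Module ActiveDirectory

$OfflineDays = 40                        # from the post: DC was powered off for 40 days
$DcName      = 'DC-RETURNING-PLACEHOLDER' # placeholder: the DC being brought back online

# tombstoneLifetime is stored on the Directory Service object in the Configuration partition.
# When the attribute is unset the forest uses the default: 60 days for forests created before
# Windows Server 2003 SP1, 180 days for newer ones. Assume the conservative 60 when unset.
$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                         -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

if ($OfflineDays -ge $tsl) {
    # Past the tombstone lifetime the DC can reintroduce deleted objects (lingering objects);
    # keep it isolated, demote it forcibly, clean metadata, and promote it again.
    Write-Warning "Offline $OfflineDays days >= tombstone lifetime $tsl days: do not let $DcName replicate."
} else {
    Write-Output "Offline $OfflineDays days < tombstone lifetime $tsl days: $DcName may come back and catch up."
}

# After the DC is online: every partner for every partition should show LastReplicationResult 0
# and a LastReplicationSuccess newer than the power-on time. Non-zero results or a growing
# ConsecutiveReplicationFailures count mean it has not caught up and needs investigation.
Get-ADReplicationPartnerMetadata -Target $DcName -Partition * -PartnerType Both |
    Select-Object Server, Partner, Partition, LastReplicationResult,
                  LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

The replication query can also be run before power-on against the healthy DC (with `-Target` set to it) to record a baseline, so that any new failures after the return are easy to spot.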
