Channel: Directory Services forum
Viewing all 31638 articles

How do I remove an orphaned user name in the Exchange 2010 GAL?


In Exchange 5.5, users were added and deleted from the domain via Active Directory Users and Computers in a child domain.

The server was replaced and accounts migrated to Exchange 2003.

Two of the long-since-deleted accounts remained.  In Exchange 2003/Windows 2003, the users do not appear in any UI EXCEPT in the Global Address List (GAL).

We have since upgraded that server to Windows 2008 R2 and Exchange 2010.  The two orphaned users persist.

If we try to recreate a user with the same alias as the long-since-gone one, it says the user already exists.  However, we can't see it to remove it from Active Directory.

In Exchange 2010, I can see the two rogue users' mailboxes in the Exchange Management Console.  The odd part is that on the child domain, I don't see them. However, in the parent domain, I see the users and the OU calls out the child domain as the location of the user.

When I try to remove the account via Exchange 2010, I get the message:

Error:
The operation couldn't be performed because the object 'child2.domain.com/Users/user name CNF:1ee0a40e-bc50-417f-b2ce-ba00dd62f786' couldn't be found on 'dc.domain.com'.

How do I locate and remove these two users short of rebuilding the domain from scratch?  Obviously, THAT is not going to happen. LOL

Thanks in advance.


Jim.


Password reset latency - Single forest, multiple sites.


Hi,

I have the following situation :

1 Windows Server 2008 R2 forest with 3 sites (A,B and C).  The PDC emulator for the forest is located in Site B.

A password reset for UserA is being performed in Site A.  UserA then tries to login to Site C but fails authentication with the new password (the old password works).

UserA is able to login to SiteB with the new password fine straight away.  UserA is able to login to siteC with the new password after about 10 minutes.

I don't see why the authentication is failing in SiteC?  I thought 'PDC Chaining' would query the PDC emulator in the forest for any password changes etc.?

http://www.frickelsoft.net/blog/?p=199

Thanks

Bill

How to Find the Lingering Objects From the Windows Server 2003


Hi There,

In our environment we have a DC and an ADC, in which we were facing frequent network-related issues. So we checked the event logs and observed that there is a replication issue. When we manually replicate the connection from the DC to the ADC, it replicates. But when we manually replicate from the ADC to the DC, it gives an error stating that it has crossed the tombstone lifetime.

I have checked the forums and got the idea that I need to remove the lingering objects. But I don't know how to check which of my servers has the latest updates and which server has the old updates. Also, please guide me on how to find the lingering objects present on the DCs.


-$aran-

child domain i can't join pc or domain controller can't create cluster access denied


child domain i can't join pc or domain controller can't create cluster access denied

domain and forest level 2008r2

child domain level 2008r2

all dc 2008r2 

and 1 rodc 2012

I can join a PC only using djoin!!

changing IP address on domain controller


I've read several posts on changing IP addresses on DCs within the same subnet but just want to make sure I'm on the right page. We have three DCs (2 in our 192.168.0.x office and 1 in our 192.168.1.x address) and are moving our DC with all of the FSMO roles from our 192.168.0.x office to our 192.168.1.x office which can both see each other through the VPN.

Based on my reading it sounds like all I need to do is change the DC from 192.168.0.x to 192.168.1.x, then shut it down, move it to the other office, bring it back online and change DNS entries as necessary. Once complete, I use Active Directory Sites and Services to make sure the DCs can replicate connections. Sound right?

highestCommittedUSN attribute at rootDSE


I want to know whether the attribute highestCommittedUSN under rootDSE is the same as the highest value of the attribute USNChanged.

Because it says committed on Directory replication, what does this mean?

2way trusts to 2 different domains which use the same subnet


scenario:

company A use 172.16 address range

company B use 172.16 address range

company C who use 172.24 address range would like to put in 2 separate trusts across to company A and B

company A and B will NOT have a direct trust between them.

Will this work? Are there DNS complications? Will the fact that the 2 companies use the same range affect company C (and employees in C) being able to access resources and applications on A and B?

Thanks

Repercussions when removing Enterprise Admins


I find in the articles on this forum that it is not recommended to remove Enterprise Admins from a Child Domain.

Has anyone removed this group from their child domain, and could you tell me if any issues arose from this?

thanks

Sidney


The group policy client service failed the logon error; access is denied, after roaming profile move across forests to new domain


 

Attempting 100 users profile folder migration from one domain to another (different forest, two way external trust setup) and getting error when attempt to log in with a test account that I have migrated and copied user profile folder over.

Error :  The group policy client service failed the logon error;  access is denied.

Old environment:

Users connect only via RDS. User profiles are roaming. Profiles are stored on a share on the old domain. RDS servers are on old domain.

new environment

Users connect only via RDS. User profiles are roaming. Profiles are stored on a share on the new domain. RDS servers are on new domain.

Used AD migration tool to copy over user ids and groups.

Did not use SID migration as I don't have auditing set up in the old domain.

User roaming profiles load / work OK in both the old and new domain when using new accounts in both domains. Thus permissions and GPO are set OK.

roaming profiles are working fine in the old domain.

Only issues is after trying to copy the profiles to the new domain.

Copied over user folders to new share on new server in new domain.

Used

xcopy /d /e /v /c /i /h /r /k /x /y \\old_share\Shares\Profiles \\new_share\Shares\Profiles

changed the permission to the folders with subinacl /noverbose /subdirec "\\new_share\Shares\*.*" /changedomain=old=new

renamed the user folders in the new location so that userid.olddomain.v2  is now correct ; userid.NEWdomain.v2

user profile location is set via AD GPO .

Checked all permissions to \\new_share\Shares\Profiles and they appear correct.

no errors in event logs. 

If I delete the \\new_share\Shares\Profiles\userid folder I can log in OK and get the roaming profile created OK with userid.

Thus I suspect a permissions issue after the folder copy.

not sure where to go here.

all servers are 2008 r2. 

domain controllers in old domain are running at functional level of windows 2000
in new domain running at functional level of windows 2008

I renamed the ntuser.pol and ntuser.dat .
No help. They got recreated OK but couldn't connect still.

Server in WRONG site even though shows up correctly in AD Sites and Services


I checked the AD Sites and Services and the server is in the correct site.  I checked the subnet and it is associated w/ the correct site.  I checked AD Users and Computers and the server is in the correct OU.  DNS records for the server seem to be correct and are in the proper reverse lookup zone.  When I run nltest /server:HostName /DsGetSite the result shows the server is associated w/ the wrong site.  When I ran a DFSR health check it also showed the server in the wrong site.

Is there a way to set this in ADSIedit or can I force an update on the server?  Any help would be appreciated.

Thanks.

changing MaxPage size...using ntdsutil


hello. thanks for the time and effort.

It has come to our attention that when an application is doing an LDAP query, results are no longer being seen.  We found out that the query was requesting a group that had over 1000 members.  After some research we found that the MaxPage size is 1000.  The developers are asking us to change the value to a higher number.  However, after some more research, most folks are saying to leave it as is...1000...which is the default for a Windows 2008 R2 domain controller.  The issue I have read about is that it can cause an overload on the server if changed.  The suggestion is we only change it to 2500.  Will this pose a risk to the server? infrastructure? The reason being that otherwise it will require more development work and time to get around the default value of 1000.

http://support.microsoft.com/kb/315071

http://support.microsoft.com/kb/2009267

and this one that says it should not be changed...

http://jeftek.com/219/avoid-changing-the-maxpagesize-ldap-query-policy/

thoughts? comments?

CreateXMLFromEnvironment.wsf can create Contact object of production environment ?


I am thinking of using CreateXMLFromEnvironment.wsf to create Test AD Environment.

CreateXMLFromEnvironment.wsf can also create contact object of production environment ?

http://ad.kazakinfo.com/2011/04/creating-a-test-environment/

Replication error between DC and ADC dcdiag error attached


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = guis02

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\GUIS02

      Starting test: Connectivity

         ......................... GUIS02 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\GUIS02

      Starting test: Advertising

         ......................... GUIS02 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... GUIS02 passed test FrsEvent

      Starting test: DFSREvent

         ......................... GUIS02 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... GUIS02 passed test SysVolCheck

      Starting test: KccEvent

         ......................... GUIS02 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         [GUIS01] DsBindWithSpnEx() failed with error 1722,

         The RPC server is unavailable..
         Warning: GUIS01 is the Schema Owner, but is not responding to DS RPC

         Bind.

         Ldap search capabality attribute search failed on server GUIS01,

         return value = 81
         Warning: GUIS01 is the Schema Owner, but is not responding to LDAP

         Bind.

         Warning: GUIS01 is the Domain Owner, but is not responding to DS RPC

         Bind.

         Warning: GUIS01 is the Domain Owner, but is not responding to LDAP

         Bind.

         Warning: GUIS01 is the PDC Owner, but is not responding to DS RPC

         Bind.

         Warning: GUIS01 is the PDC Owner, but is not responding to LDAP Bind.

         Warning: GUIS01 is the Rid Owner, but is not responding to DS RPC

         Bind.

         Warning: GUIS01 is the Rid Owner, but is not responding to LDAP Bind.

         Warning: GUIS01 is the Infrastructure Update Owner, but is not

         responding to DS RPC Bind.

         Warning: GUIS01 is the Infrastructure Update Owner, but is not

         responding to LDAP Bind.

         ......................... GUIS02 failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... GUIS02 passed test MachineAccount

      Starting test: NCSecDesc

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=rc25guis,DC=r25,DC=netact,DC=vodafone,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=rc25guis,DC=r25,DC=netact,DC=vodafone,DC=com
         ......................... GUIS02 failed test NCSecDesc

      Starting test: NetLogons

         ......................... GUIS02 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... GUIS02 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,GUIS02] A recent replication attempt failed:

            From GUIS01 to GUIS02

            Naming Context:

            DC=ForestDnsZones,DC=rc25guis,DC=r25,DC=netact,DC=vodafone,DC=com

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

            

            The failure occurred at 2013-05-18 00:26:00.

            The last success occurred at 2012-10-13 04:28:02.

            4583 failures have occurred since the last success.

         [Replications Check,GUIS02] A recent replication attempt failed:

            From GUIS01 to GUIS02

            Naming Context:

            DC=DomainDnsZones,DC=rc25guis,DC=r25,DC=netact,DC=vodafone,DC=com

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

            

            The failure occurred at 2013-05-18 00:26:00.

            The last success occurred at 2012-10-13 04:28:02.

            4640 failures have occurred since the last success.

         [Replications Check,GUIS02] A recent replication attempt failed:

            From GUIS01 to GUIS02

            Naming Context:

            CN=Schema,CN=Configuration,DC=rc25guis,DC=r25,DC=netact,DC=vodafone,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2013-05-18 00:26:00.

            The last success occurred at 2012-10-13 04:28:02.

            4583 failures have occurred since the last success.

         [Replications Check,GUIS02] A recent replication attempt failed:

            From GUIS01 to GUIS02

            Naming Context:

            CN=Configuration,DC=rc25guis,DC=r25,DC=netact,DC=vodafone,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2013-05-18 00:35:29.

            The last success occurred at 2012-10-13 04:28:02.

            10786 failures have occurred since the last success.

         [Replications Check,GUIS02] A recent replication attempt failed:

            From GUIS01 to GUIS02

            Naming Context: DC=rc25guis,DC=r25,DC=netact,DC=vodafone,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2013-05-18 00:39:14.

            The last success occurred at 2012-10-13 04:42:07.

            60106 failures have occurred since the last success.

         ......................... GUIS02 failed test Replications

      Starting test: RidManager

         ......................... GUIS02 failed test RidManager

      Starting test: Services

         ......................... GUIS02 passed test Services

      Starting test: SystemLog

         An Error Event occurred.  EventID: 0xC0000425

            Time Generated: 05/17/2013   23:54:10

            Event String:

            Terminal Server was unable to retrieve users Licensing information from AD. Error 2147950651!d!

         An Warning Event occurred.  EventID: 0xC9001009

            Time Generated: 05/17/2013   23:54:10

            Event String:

            The Terminal Services license server cannot update the license attributes for user "omc" in the Active Directory Domain "rc25guis.r25.netact.vodafone.com". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "rc25guis.r25.netact.vodafone.com".


         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 05/17/2013   23:54:11

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server guis01$. The target name used was cifs/guis01.rc25guis.r25.netact.vodafone.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RC25GUIS.R25.NETACT.VODAFONE.COM) is different from the client domain (RC25GUIS.R25.NETACT.VODAFONE.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/17/2013   23:54:28

            Event String:

            DCOM was unable to communicate with the computer GUIS01 using any of the configured protocols.

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/17/2013   23:54:28

            Event String:

            DCOM was unable to communicate with the computer GUIS03 using any of the configured protocols.

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/17/2013   23:54:28

            Event String:

            DCOM was unable to communicate with the computer GUIS04 using any of the configured protocols.

         An Error Event occurred.  EventID: 0xC0000425

            Time Generated: 05/17/2013   23:57:22

            Event String:

            Terminal Server was unable to retrieve users Licensing information from AD. Error 2147950651!d!

         An Warning Event occurred.  EventID: 0xC9001009

            Time Generated: 05/17/2013   23:57:22

            Event String:

            The Terminal Services license server cannot update the license attributes for user "omc" in the Active Directory Domain "rc25guis.r25.netact.vodafone.com". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "rc25guis.r25.netact.vodafone.com".


         An Error Event occurred.  EventID: 0xC0000425

            Time Generated: 05/17/2013   23:58:18

            Event String:

            Terminal Server was unable to retrieve users Licensing information from AD. Error 2147950651!d!

         An Warning Event occurred.  EventID: 0xC9001009

            Time Generated: 05/17/2013   23:58:18

            Event String:

            The Terminal Services license server cannot update the license attributes for user "omc" in the Active Directory Domain "rc25guis.r25.netact.vodafone.com". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "rc25guis.r25.netact.vodafone.com".


         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/17/2013   23:59:30

            Event String:

            DCOM was unable to communicate with the computer GUIS01 using any of the configured protocols.

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/17/2013   23:59:30

            Event String:

            DCOM was unable to communicate with the computer GUIS03 using any of the configured protocols.

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/17/2013   23:59:30

            Event String:

            DCOM was unable to communicate with the computer GUIS04 using any of the configured protocols.

         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 05/18/2013   00:14:17

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server guis01$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/a23386ee-a0ee-4725-a708-3544fb8c4037/rc25guis.r25.netact.vodafone.com@rc25guis.r25.netact.vodafone.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RC25GUIS.R25.NETACT.VODAFONE.COM) is different from the client domain (RC25GUIS.R25.NETACT.VODAFONE.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/18/2013   00:21:52

            Event String:

            DCOM was unable to communicate with the computer GUIS01 using any of the configured protocols.

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/18/2013   00:21:52

            Event String:

            DCOM was unable to communicate with the computer GUIS03 using any of the configured protocols.

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/18/2013   00:21:52

            Event String:

            DCOM was unable to communicate with the computer GUIS04 using any of the configured protocols.

         An Error Event occurred.  EventID: 0xC0000425

            Time Generated: 05/18/2013   00:24:32

            Event String:

            Terminal Server was unable to retrieve users Licensing information from AD. Error 2147950651!d!

         An Warning Event occurred.  EventID: 0xC9001009

            Time Generated: 05/18/2013   00:24:32

            Event String:

            The Terminal Services license server cannot update the license attributes for user "administrator" in the Active Directory Domain "rc25guis.r25.netact.vodafone.com". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "rc25guis.r25.netact.vodafone.com".


         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/18/2013   00:25:39

            Event String:

            DCOM was unable to communicate with the computer GUIS01 using any of the configured protocols.

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/18/2013   00:25:39

            Event String:

            DCOM was unable to communicate with the computer GUIS03 using any of the configured protocols.

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 05/18/2013   00:25:39

            Event String:

            DCOM was unable to communicate with the computer GUIS04 using any of the configured protocols.

         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 05/18/2013   00:26:31

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server guis01$. The target name used was RC25GUIS\GUIS01$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RC25GUIS.R25.NETACT.VODAFONE.COM) is different from the client domain (RC25GUIS.R25.NETACT.VODAFONE.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0xC0000425

            Time Generated: 05/18/2013   00:27:36

            Event String:

            Terminal Server was unable to retrieve users Licensing information from AD. Error 2147950651!d!

         An Warning Event occurred.  EventID: 0xC9001009

            Time Generated: 05/18/2013   00:27:36

            Event String:

            The Terminal Services license server cannot update the license attributes for user "teamfm" in the Active Directory Domain "rc25guis.r25.netact.vodafone.com". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "rc25guis.r25.netact.vodafone.com".


         An Error Event occurred.  EventID: 0xC000271E

            Time Generated: 05/18/2013   00:37:30

            Event String:

            The activation for CLSID {29D9C09B-5D2B-44B3-8AD9-0545BE9EC17E} failed because remote activations for COM+ are disabled. To enable this functionality use the Configure Your Server wizard and select the Web Application Server role.

         An Error Event occurred.  EventID: 0xC0000425

            Time Generated: 05/18/2013   00:39:05

            Event String:

            Terminal Server was unable to retrieve users Licensing information from AD. Error 2147950651!d!

         An Warning Event occurred.  EventID: 0xC9001009

            Time Generated: 05/18/2013   00:39:05

            Event String:

            The Terminal Services license server cannot update the license attributes for user "OMC" in the Active Directory Domain "rc25guis.r25.netact.vodafone.com". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "rc25guis.r25.netact.vodafone.com".


         ......................... GUIS02 failed test SystemLog

      Starting test: VerifyReferences

         ......................... GUIS02 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : rc25guis

      Starting test: CheckSDRefDom

         ......................... rc25guis passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... rc25guis passed test CrossRefValidation

   
   Running enterprise tests on : rc25guis.r25.netact.vodafone.com

      Starting test: LocatorCheck

         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355

         A Primary Domain Controller could not be located.

         The server holding the PDC role is down.

         ......................... rc25guis.r25.netact.vodafone.com failed test

         LocatorCheck

      Starting test: Intersite

         ......................... rc25guis.r25.netact.vodafone.com passed test

         Intersite

What is the difference between Organizational Unit and Groups and container?

What is the difference between Organizational Unit and Groups and Container? If group policy objects can be applied to an OU, then why do we need groups for security settings?

Thanks and Regards, Radhakrishnan

LDAPS problems with one server


I'm running out of ideas so I thought I would post here and see what I can get.

We have a server sitting out in the DMZ that is not a member of the domain.  The server has an application on it that binds to a domain controller over 636 (LDAP over SSL).  Until last week all was well.  Then with no changes to the server, the application, the domain controller it stopped.  I truly mean nothing.  We didn't even reboot the server.  We use LDAP over SSL for everything, in most cases 389 isn't even allowed between networks.

I have tested on my client computer, other domain controllers, other member servers and workstations not in the environment.  All can still connect on 636 without issue.  I have moved the server out of the DMZ and put it into the same network as the DC it is looking at and it fails.  It worked fine with 389.  Literally when we connect 389 on the same network it connects, click disconnect and immediately connect 636 and it says Server is down.  Telnet to 636 from the server and it will maintain the connection.

Run a netmon while attempting the LDAPS connection and you see the client send a hello and the server reply with an ack and reset.  At the same time on the domain controller you get


"An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."

Disable TLS 1.0 on the client and you still get the same error.

Ideas?


Dislaimer 1:As usual I could be way off so no playing like I'm Frankenstein. Disclaimer 2: my Speeling and proofing skills are teh fail


How to find when and who change user account in windows 2003 domain


Hi, Guru,

We have Windows 2003 domain network.

One user account was disabled one month ago, but I found it active again last week. I am trying to find when and who re-enabled the user account.

It is very hard to find the event. Someone said I have to buy and use a third-party utility to track it. Can any guru help?

I appreciate for any information!!!

thanks

George W 

ADAM Service on this Server


I am new to this company.  I have found a server that is running the ADAM Service and was curious how I can determine if we are using the ADAM Service on this server.  As we are no longer using this server

how can I re-invite "net user SUPPORT_388945a0" ?


Hi

In one day they tell me I should delete net user SUPPORT_388945a0

but I read that I should keep it

so now I want to know how I can add SUPPORT_388945a0 to my system again?

time sync error on RODC


HI all,

Need help.

Some of our RODCs are continuously logging event IDs 142 and 139 every minute for time sync.

Replication is fine on RODC.

Thanks in advance

AD- RMS Queries


Hello Guys,

A few questions regarding AD RMS (kindly ignore my limited knowledge on this topic):

A) Is it possible with AD RMS to configure security at a directory level rather than setting permissions on each document?

B) How does AD RMS work with NTFS permissions? For example, a user has full NTFS permissions on a file (inherited from parent) but read-only access via an RMS template.  What would be the result?

C) Is Certificate Services a must for AD RMS?

 Thanks for Help  :)
