Channel: Directory Services forum

replay attacks

Good afternoon,

In the definition of the time service between a domain controller and a client there is the statement below:

To prevent "replay attacks," Kerberos V5 uses date/time stamps as part of its protocol definition. For the date/time stamps to function properly, the clocks of the client and the domain controller must be synchronized as closely as possible.

I would like to better understand exactly what:

"replay attacks" are, and how effective a firewall block, for example, would be against them?
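Added example, not from the post or from any Kerberos implementation: a simplified model of the check the quoted statement refers to. The service side accepts a client authenticator only if its timestamp falls within the tolerated clock skew and the same (client, timestamp) pair has not already been seen, which is what a Kerberos replay cache does. The 5-minute skew limit, the principal name and the timestamps are assumptions constructed for the demo; it also illustrates why a packet filter alone does not address this, since a replayed authenticator is a perfectly ordinary-looking packet and is only caught by this protocol-level check.

```python
"""Model of Kerberos V5 timestamp + replay-cache validation (added example).

Assumptions (not from the post): max tolerable clock skew is 5 minutes
(the Windows default), and the replay cache is keyed on
(client principal, authenticator timestamp), as a Kerberos server does.
"""
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumed Kerberos clock-skew tolerance


class ReplayCache:
    """Remembers recently accepted authenticators so a copy is rejected."""

    def __init__(self):
        # (client, timestamp) -> time after which the entry may be dropped
        self._seen = {}

    def _purge(self, now):
        # An authenticator older than MAX_SKEW fails the skew check anyway,
        # so entries only need to live for MAX_SKEW after their timestamp.
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]

    def check(self, client, ts, now):
        """Return (accepted, reason) for an authenticator timestamped ts."""
        self._purge(now)
        # Step 1: clock skew. Both clocks must agree to within MAX_SKEW,
        # which is why the post's quote insists on synchronized clocks.
        if abs(now - ts) > MAX_SKEW:
            return False, "KRB_AP_ERR_SKEW"
        # Step 2: replay cache. Same client + same timestamp = replay.
        key = (client, ts)
        if key in self._seen:
            return False, "KRB_AP_ERR_REPEAT"
        self._seen[key] = ts + MAX_SKEW
        return True, "OK"


def run_demo():
    """Feed a constructed sequence of authenticators through the cache."""
    cache = ReplayCache()
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    client = "alice@CORP.EXAMPLE"  # constructed principal name
    events = [
        # (client, authenticator timestamp, server's current time)
        (client, now - timedelta(seconds=30), now),                        # fresh
        (client, now - timedelta(seconds=30), now + timedelta(seconds=5)), # replayed copy
        (client, now - timedelta(minutes=10), now),                        # clock too far off
        (client, now - timedelta(seconds=29), now),                        # new authenticator
    ]
    return [cache.check(c, ts, n)[1] for c, ts, n in events]


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```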

Confirm Subtree Deletion....Why this??


Hello all,

So today I tried to remove an old user out of AD 2003/2008 and for the first time I get a message:

Confirm Subtree Deletion:

"Object username contains other objects. Are you sure you want to delete object %username% and all of the objects it contains?

If you cancel the running deletion, the objects deleted thus far will not be recovered.

WARNING: if you select Use Delete Subtree Server control check box, all objects within the subtree, including all delete-protected objects, will be deleted and the deletion cannot be canceled"

Check box: Use Delete Subtree Server Control

YES or No.

What is this all about? I haven't encountered this before, not even recently while deleting users, old machines, etc.

Thank You in advance.

SM


Manually changing Domain and Forest Functional Level attributes on a DC that didn't replicate


We have a single forest consisting of two domains (placeholder root and one child) and all domain controllers are either Windows Server 2008 or 2008 R2. The Domain and Forest Functional Levels were recently upgraded (using the MMC/GUI method) from Windows 2000 to Windows 2008, which went fine except for one small problem.

At the time of the upgrade, one 2008 R2 DC was isolated on the network and was only brought back today. Now it is unable to replicate with any other DC and shows the following error message:

DsReplicaSync() failed with status -2146892990 (0x80090342):

The encryption type requested is not supported by the KDC.

I have read some articles that suggest this can happen following an incorrectly replicated FFL/DFL change. This is further supported by the fact that when I run LDP on the problematic DC it reports domainFunctionality: 0 = ( WIN2000 ); and forestFunctionality: 0 = ( WIN2000 ); while every other DC in the forest reports domainFunctionality: 3 = ( WIN2008 ); and forestFunctionality: 3 = ( WIN2008 ); in other words it hasn't replicated in the FFL/DFL changes and I suspect some default encryption setting between the two functional levels is the root of the problem(?).

My question is - is it safe to use ADSIEdit on the problematic DC to manually change the relevant msds-behavior-version attributes for the forest & domain to a value of '3' to match all the other DCs? Or is there some other way to fix this? Note, I have tried stopping and restarting the Kerberos Key Distribution Center service on the problematic DC as suggested in another thread, but this hasn't made any difference. 

Many thanks in advance.


DNS Forwarders Auditing


Hi Experts,

I have enabled DNS forwarder auditing by following the MS KB below, and Event ID 4657 is getting registered in Event Viewer. But the problem is that it is not showing who edited the forwarders.

http://support.microsoft.com/kb/324739

Registry location: "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters"



Regards, Nidhin.CK

SID Filtering Monitor


Hi, just coming to the end of an AD domain migration from a 2003 domain to 2008 R2. Currently SID filtering is disabled to allow cross-domain SID usage, but I'm at the point where I want to turn this off and just wondered if there is a way to monitor what might be using it, to make sure all the resources have been updated before switching SID filtering back on.

If not, does anyone know how quickly SID filtering takes to apply if I need to urgently switch it off again because we find resources/services are not working once we enable it? Or, to put it another way, if we have problems once SID filtering is enabled, does it instantly start allowing SID usage once we have set it to disabled?

DC Time issue


Hi all, I am having a problem with time sync on one DC; it is always losing time. The UDP port is not blocked. I have noticed the previous admin set two policies which I do not want to fiddle with in case I make it worse. Can someone help in resolving the issue? Much appreciated.

Error Msg 1

The system time has changed to 2013-06-14T16:00:33.165000000Z from 2013-06-14T16:00:33.305881900Z.

Then straight away it comes up with this error message:

The time service has stopped advertising as a time source because the local clock is not synchronized

Default Domain policy

System/Windows Time Service/Time Providers
Policy                         Setting                Comment
Configure Windows NTP Client   Enabled
  NtpServer                    time.windows.com,0x1
  Type                         NTP
  CrossSiteSyncFlags           2
  ResolvePeerBackoffMinutes    15
  ResolvePeerBackoffMaxTimes   7
  SpecialPollInterval          3600
  EventLogFlags                0

Default Domain controller policy

System/Windows Time Service/Time Providers
Policy                         Setting                Comment
Configure Windows NTP Client   Enabled
  NtpServer                    time.windows.com,0x1
  Type                         NT5DS
  CrossSiteSyncFlags           2
  ResolvePeerBackoffMinutes    15
  ResolvePeerBackoffMaxTimes   7
  SpecialPollInterval          3600
  EventLogFlags                0

AD LDS - Search fails - Must one bind as a user who is also under the readers role?


Hi,

I wrote a test program to successfully bind to my LDS server.  The server acts as a proxy to AD.

However, when I try to do a search I get an "object not found" error.

None of my users is under any roles container in LDS.  All my users are in Users container directly underneath my app partition.  Do they also need to be in the Readers role?  If so, how do I get them there?

Thanks.

javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of:
 'DC=AppPartFE,DC=com'
]; remaining name 'cn=Users,dc=AppPartFE,dc=com'
 at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
 at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
 at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
 at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
 at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
 at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
 at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
 at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
 at javax.naming.directory.InitialDirContext.search(Unknown Source)
 at Test.<init>(Test.java:70)
 at Test.main(Test.java:118)


leo

ADMT User account merge process and Linked Mailbox


Greetings,

We have recently completed a cross-forest move of Exchange mailboxes from one domain to another as "linked mailboxes". The next phase is to provide the users with new logon IDs from the new domain, so my question is: what are the necessary steps to merge their existing (source) domain accounts with the new domain user accounts? I am going to be using ADMT.

During the mailbox move process it created a disabled user account for the user as expected, so if I run ADMT to merge their existing security group memberships and AD Account with the new account, what is going to happen to the disabled account from the mailbox move process? 

The source domain needs to remain available for file access until computer accounts and servers get switched over, but I was curious as to what will happen during the ADMT merge process to the existing disabled user account that was created.

Any information is greatly appreciated.

Cheers


Domain Trust And Distribution Groups

We're migrating our student email to Office 365. Our students are on a separate domain from faculty/staff. A one-way trust exists so that the student domain trusts the staff domain. My question is this: is it possible to create AD distribution groups on the staff domain from AD accounts on the student domain? Our need is for faculty and staff to email distribution groups consisting of student email addresses, and to script the creation of those DGs on the fly numerous times during the day.

dns cache error


The connection cannot be completed because the remote computer that was reached is not the one you specified. This could be caused by an outdated entry in the DNS cache. Try using the IP address of the computer instead of the name.

We have done an ipconfig flush and register on the client machines.


kits

windows live id problem in lumia 800


Dear sir,

I have bought a Lumia 800 Windows Phone 7.8. On it I have also created a Windows Live ID, but I can't install an app; it shows 'error windows live server at the momvent'.

On my phone I am using a 2G internet connection. To fix this problem, do I need a 3G connection or Wi-Fi? I did everything on my phone to fix this Windows Live ID but I didn't find a solution. Please, someone help me to fix this.

Windows Update patch list for directory service

I have a customer who would like the list of patches for AD, but I can't find it. Who can help me? Or does it exist on the web? Thanks a lot.

Migrate DNS, DHCP, AD


I'd like to ask for some advice with regards to an AD migration which will also include the migration of non-Windows DNS and DHCP.

Here is the situation:

Current AD is city.company.org.

DNS is hosted on Bind. DHCP is in Linux.

company.org and company.com are in BIND as well.

We want to migrate to a new AD infrastructure, corp.company.com, while also migrating DNS and DHCP from BIND and Linux to Windows.

How should I go about this?

Set up a new AD for corp.company.com and migrate DNS and DHCP, then set up ADMT between source and target and migrate?

Advice greatly appreciated.

Akash

Urgent Case for serious error after promo dc 2008 in ad 2003


Dear All,

I currently have 2 Windows 2003 DCs (p1, p2) in 2 sites (HV and ST). There is a network connection between the two sites. I added 1 more Windows Server 2008 in the HV site and promoted it to domain controller today. However, after the promotion a few serious errors and warnings came up. Please find the dcdiag log below. Please kindly help to give some ideas; it is really urgent.

Many Thanks

Best Regards,

Elroy


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = PDNDC1

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\PDNDC1

      Starting test: Connectivity

         ......................... PDNDC1 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\PDNDC1

      Starting test: Advertising

         ......................... PDNDC1 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... PDNDC1 passed test FrsEvent

      Starting test: DFSREvent

         ......................... PDNDC1 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... PDNDC1 passed test SysVolCheck

      Starting test: KccEvent

         ......................... PDNDC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... PDNDC1 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... PDNDC1 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... PDNDC1 passed test NCSecDesc

      Starting test: NetLogons

         [PDNDC1] User credentials does not have permission to perform this

         operation.

         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... PDNDC1 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... PDNDC1 passed test ObjectsReplicated

      Starting test: Replications

         REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source PDNDC02

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source PDNDC02

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source PDNDC02

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source PDNDC02

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         [Replications Check,PDNDC1] DsReplicaGetInfo(PENDING_OPS, NULL)

         failed, error 0x2105 "Replication access was denied."

         ......................... PDNDC1 failed test Replications

      Starting test: RidManager

         ......................... PDNDC1 passed test RidManager

      Starting test: Services

         ......................... PDNDC1 passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x0000168F

            Time Generated: 06/13/2013   17:08:14

            Event String:

            The dynamic deletion of the DNS record 'DomainDnsZones.pdn.ccms. 600 IN A 192.168.211.2' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 06/13/2013   17:08:14

            Event String:

            The dynamic deletion of the DNS record '_ldap._tcp.DomainDnsZones.pdn.ccms. 600 IN SRV 0 100 389 PDNDC1.pdn.ccms.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 06/13/2013   17:08:14

            Event String:

            The dynamic deletion of the DNS record '_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.pdn.ccms. 600 IN SRV 0 100 389 PDNDC1.pdn.ccms.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 06/13/2013   17:08:14

            Event String:

            The dynamic deletion of the DNS record 'ForestDnsZones.pdn.ccms. 600 IN A 192.168.211.2' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 06/13/2013   17:08:14

            Event String:

            The dynamic deletion of the DNS record '_ldap._tcp.ForestDnsZones.pdn.ccms. 600 IN SRV 0 100 389 PDNDC1.pdn.ccms.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 06/13/2013   17:08:14

            Event String:

            The dynamic deletion of the DNS record '_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.pdn.ccms. 600 IN SRV 0 100 389 PDNDC1.pdn.ccms.' failed on the following DNS server:  


         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 06/13/2013   17:11:58

            Event String:

            Name resolution for the name www.msftncsi.com timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 06/13/2013   17:28:41

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x80001421

            Time Generated: 06/13/2013   17:28:57

            Event String:

            The Windows Process Activation Service (WAS) encountered an error attempting to look up the built in IIS_IUSRS group.  There may be problems in viewing and setting security permissions with the IIS_IUSRS group. This happens if the machine has been joined and promoted to be a Domain Controller in a legacy domain.  Please see the online help for more information and solutions to this problem.  The data field contains the error number.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 06/13/2013   17:29:35

            Event String:

            Name resolution for the name www.msftncsi.com timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x000727AA

            Time Generated: 06/13/2013   17:31:19

            Event String:

            The WinRM service failed to create the following SPNs: WSMAN/PDNDC1.pdn.ccms; WSMAN/PDNDC1. 


         A warning event occurred.  EventID: 0x00001695

            Time Generated: 06/13/2013   17:43:48

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.pdn.ccms.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         A warning event occurred.  EventID: 0x00001695

            Time Generated: 06/13/2013   17:43:48

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.pdn.ccms.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         A warning event occurred.  EventID: 0x00001695

            Time Generated: 06/13/2013   17:43:48

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'pdn.ccms.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         ......................... PDNDC1 failed test SystemLog

      Starting test: VerifyReferences

         ......................... PDNDC1 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : pdn

      Starting test: CheckSDRefDom

         ......................... pdn passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... pdn passed test CrossRefValidation

   
   Running enterprise tests on : pdn.ccms

      Starting test: LocatorCheck

         ......................... pdn.ccms passed test LocatorCheck

      Starting test: Intersite

         ......................... pdn.ccms passed test Intersite

Missing Netlogon in windows 2003 domain controller


Dear all,

I am facing a difficult issue of missing Netlogon on a Windows 2003 domain controller. I have already tried the registry changes involving D2, D4 and also the journal wrap error and BurFlags. Is there anything else I can try?

Thanks

Elroy


Change All User Settings in Specific OU(s) In Active Directory 2008


I want to change the password of all the users in some OUs in Active Directory 2008.

And also I want to change the attributes of all users in specific OU(s).

What is the procedure?

Note: my OU names are in the Arabic language, and I get some errors whenever I use commands in PowerShell.

Thanks

problems dcpromo promoting RODC 2008R2


We have two DCs (2008 R2 & 2012). We also have 6 RODCs (2008 R2).

Installation of the RODCs went perfectly.

I am now trying to use DCPROMO to get another RODC into my domain.

But I get error messages that the PRP (Password Replication Policy) isn't working, and then it stops.

The message is: an error occurred while loading the default password replication policy.

When trying to install the RODC like a normal (writeable) DC I get the message that Active Directory Domain Services could not replicate the directory partition.

The remote procedure feature failed!

All the others went fine, but this one (installed over three times now) is a pain.... I also used another name.

Using DCPROMO in the past just did it all and the RODC was installed and operational. I never had this problem, so what info do you need to seriously help me?

VPN is working just fine.

Ben.


Ben van der Meer


Building Organisation Hierarchy with Active Directory


Hello,

Our client is a government agency with around 5000 staff members. Currently, all details of departments and units are stored within an Oracle database. For many reasons, we would like to move the hierarchy to Active Directory (Windows 2012). Examples of how we will use the hierarchy: access to a certain system for users in a certain unit; an internal eServices portal where a request goes to the person's manager or VP for approval, then goes up the hierarchy, etc.

The hierarchy has multiple levels (seven at most).

We have the current situation:

- There is a case where one person manages 2 or more different departments at the same time

- The details of each unit must include who's the manager of that unit

The Question: 

What is the best way to implement that hierarchy?

Thanks a lot :)

DHCP


Hi,

in Windows Server 2012 I enabled the DHCP Server.

I created a new scope:

Start IP: 10.10.10.1

End IP: 10.10.10.40

Added exclusion: 10.10.10.1 to 10.10.10.20

I want to give IP addresses to servers from the exclusion range and give IP addresses to clients from 10.10.10.20 to 10.10.10.40.

How can I do it?

Sorry for my bad written English.


I love God, because He helped me to find TechNet.

How can I delete the Favorites URLs in an existing group policy?


Hi

I have one GPO in which I have added lots of Favorites. Now the client wants to delete some URLs from Favorites. I have deleted them from the GPO but those URLs are not being removed from the client machines' IE Favorites.

How can I remove and rename the old existing URLs?
