Channel: Directory Services forum

Error joining domain - The service cannot accept control messages at this time


Hello,

I'm having a strange issue connecting a Windows 2003 Server to my domain.

BACKGROUND

We have a production environment with several critical virtual servers.  We also have an isolated DR environment.  When performing a DR test we clone a copy of the VM and transfer it over to the DR environment.  The DR environment has its own AD environment, which is also a copy of our live environment.  The DR and Prod AD environments are separate from each other and for this reason can safely use the same domain name.

I have cloned several VMs and have been copying them into the DR environment.  Because the AD environments are separate, I always remove and rejoin the servers to the domain after they have been copied into the DR environment.  This usually works; however, I am trying to do it with one server and I am getting the error message:

The following error occurred attempting to join the domain "MYDOMAIN.local":

The service cannot accept control messages at this time.

I have verified the IP address information.  I am also able to use NSLOOKUP and resolve the names of the DCs.  I can ping the DC that's located in the DR and have added other client machines without any problems.  Any suggestions?

 


AD 2012 issue with deleted users still reside in the directory


Hi,

Let me start from the AD setup I have: WS 2012 (Primary DC), WS2003 (Secondary), 2 x 2008R2 DCs.

I had a child OU (Test) in one of the root OUs (Sales Users) and I was trying to move the Test OU to the root, out of Sales Users, by dragging and dropping it. As soon as I released the mouse button to drop the OU I received a message that I needed to confirm the operation. As soon as I did, both Test and Sales Users disappeared. However, Sales Users still stayed in the root directory but without a regular icon, and I wasn't able to access it, nor could I delete it. Some time later the Sales Users OU disappeared as well, so I was hoping to recreate it and start creating users. Replication worked just fine, because as soon as I realized that I had a "ghost" folder and users I tried to log in to other DCs, but they already had the corrupted folder.

I created the OU, but when I try to recreate users with the same names it gives me the following error: "Windows cannot create the new user object because the pre-Windows 2000 logon name "user's name" is already in use. Select another name, and then try again." All users are still able to log in using their domain names and passwords, but none of them can be found.

Any advice would be appreciated. My goal is to delete those users, fix the AD structure and recreate them again.

Thank you,

Alex

Unable to promote server to domain controller after demoting it...!


Hi everyone,

Here is the story. I have 2 domain controllers: 1. pv-dc01 and 2. pv-dc01rep (replica). The software that I have used for the servers is the Server 2012 evaluation. Now, as you may know, before activating this software I needed to disjoin the domain controllers. So I did that.

First I did it to pv-dc01rep. The procedure went fine. Now, after I demoted pv-dc01, I couldn't rejoin it again! I've tried to add the domain controller to an existing domain and got the following message: Verification of replica failed. Failed to examine Active Directory forest. The error was: Expected value ridMasterDSA.parentDN not found.

Can anyone please help me with this? Thanks in advance!


ADFS 2.0 compatibility with ADFS 3.0


We are using ADFS 2.0 for SSO and we want to upgrade to Server 2012, which uses native 3.0.  We are using an outside vendor that uses ADFS 2.0. If we do the upgrade to Server 2012 and ADFS 3.0, will it break the connection to the vendor?

My question is: are they compatible?

How to transfer profile information to one domain to other domain


Hi 

Right now I have one domain (ABC.com) with 700 computers, and my organisation is planning to change our domain name for some reason.

They have some requirements for this migration. They want the same profile and files on the user's desktop when they log in to the new domain.

The same files and profile configuration have to be loaded when they log in to the new domain.

How do I do that? Any idea? Please help.

Regards

Guna

AD Accounts getting locked out

We are having a problem where accounts get randomly locked out. It happens the most over the weekend. I have checked the event viewer and it doesn't show the computer that the account was logging onto. I have ManageEngine ADAudit. It shows the user was trying to log on to one of the domain controllers, then logging into another domain controller. We have had this problem for some time. I can't find a reason for it; some users do have smartphones. But some of the users that get locked out don't have their email set up on their phones.

Forest trust design with multiple network segments


We have three firewalled network segments A | B | C.

A = our existing internal forest
B = a single DC to be stood up specifically to create this trust
C = external forest

B is necessary as we are unable to make A directly routable to C and want to avoid NAT'ing.  Long story.

We have opened all ports between the new DC in B, and the existing DCs in A.  We will probably do the same for the new DC in B, and one or all DCs in C.

Forest in A is 2003, forest in C is 2008R2.

Questions:


1) The member servers and workstations in A cannot communicate with the DC in B. Should any additional config be done to account for this?  (e.g. can/should we restrict all authentication to the DCs in A, or will AD just 'figure it out'?)

2) The DCs in A cannot see the DCs in the external forest in C. Should any additional config be done to account for this?

3) Is this what I should use if we were to restrict by port? : http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx


Thanks,
Jaime

access denied after changing group scope


Hi,

Because of a corporate merger, we merged two ADDS forests into one common forest/domain (oldDom -> newDom). We migrated all subjects (users/groups) from oldDom to newDom. We included the objectSid from oldDom as sidHistory in newDom. Therefore access to resources was never a problem. Right now there are still many resources in oldDom. But nonetheless it's necessary to clean things up a bit. This is because oldDom had a strange tendency to create loads of global/universal scoped groups for resource access (instead of DomainLocal groups). So we decided to change group scopes to DomainLocal in newDom. We tested the scope change on a test group. But as soon as we changed the scope in newDom to DomainLocal, access to the corresponding resource was denied. After a bit of testing (see table after text) we figured out that access is only granted when changing the group in newDom to DomainLocal and also changing the corresponding group in oldDom to DomainLocal. Of course it's possible to change both groups – but before we do that we need to know exactly why this is necessary.

Here is the table from our testing:

oldDomScope    newDomScope    access
universal      universal      ok
global         universal      ok
domainLocal    universal      nok
universal      global         ok
global         global         ok
domainLocal    global         nok
universal      domainLocal    ok
global         domainLocal    ok
domainLocal    domainLocal    ok

best regards

Pirmin


MSMQ Active Directory Integration Permission


Hi,

I have an application that uses MSMQ Active Directory Integration.

While installing the application, if I run as domain admin I am able to install that application.

But as a normal user I am not able to install it.

How do I give a normal user the permission for MSMQ Active Directory Integration?

What are the minimum permissions needed for this ?


regards, Faisal

Migrate a Windows Server 2000 to 2012


I have a very small domain (25 users) with the server being used as the DC and for some very limited (36 Gb) file sharing, including a QuickBooks DB.  I'm going to replace this with a new server running 2012 Standard.  Is there any 3rd-party software out there to assist with this migration, or would I be better off just doing it manually: creating the file shares and users, then joining the computers to the domain on site?

-Jim


User Role in AD LDS - what is its purpose?


If a member of the User role cannot read the DIT in AD LDS, then how does it authenticate?

What is the purpose of the User role in AD LDS?

Thanks,


leo

AD LDS Windows Principals - authenticating fails with ldp.exe


I am able to authenticate native AD LDS users in the Readers role successfully using ldp.exe and my app.  Now I want to test Windows security principals.  So on my LDS box I created a local Windows user under Computer Management.  Then I added the Windows user to the member attribute of the Readers role. From another box I run ldp.exe and connect to my LDS box.  When I try to do a simple bind using servername\username, I get:

Error <49>: ldap_simple_bind_s() failed: Invalid Credentials

Server error: 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 2030, v1db0

Error 0x8009030C The logon attempt failed

I am certain that the password is correct.  Also, the LDS server is not on a domain.  What am I doing wrong?  As I said, I can use the same method to authenticate my LDS users.

Thanks,


leo

How to Design Branch Office with Single Domain Model


Hi,

We are going to set up 2 branch offices through PTP links at different locations from our main office.

Our Main office has

1. Single forest, single domain with Active Directory, DNS and DHCP installed, with around 600 users. OS level is Windows Server 2008 R2.

2. Additional Domain controller is installed in a Virtual Machine

3. The 1st branch is located 40 Kms approx from our main office and the 2nd branch is located 20 Kms approx from our 1st branch office.

4. We are going to use 8 MBPS leased line (WAN Link).

5. Most of the users in our company will be working in the main office and in both branch offices.

6. We plan to have 1 engineer at each of the branch offices, who should not be a domain admin.

Kindly suggest a design Plan.

My question is:

Can I install an RODC at both branches, or should I install two child domains at the branch offices, or should I create two sites and link them to our main office?

Any other design plans are also welcome.

Thanks in advance.



Remove old Exchange OWA Cert Authority


We keep receiving the following error messages on our Domain Controllers every 8 hours -

"System Error: Source: DistributedCOM

DCOM was unable to communicate with the computer exchange.domain.local using any of the configured protocols."

I ran certutil -dump and see an old OWA CA from our old 2003 Exchange server.

This old Exchange server was decommissioned long ago.  What do we need to do to remove this CA from Active Directory?

C:\Users\Frank>certutil -dump
Entry 0:
  Name:                         `domain'
  Organizational Unit:          `'
  Organization:                 `Organization Name'
  Locality:                     `Main'
  State:                        `AK'
  Country/region:               `US'
  Config:                       `exchange.domain.local\domain'
  Exchange Certificate:         `'
  Signature Certificate:        `'
  Description:                  `OWA'
  Server:                       `exchange.domain.local'
  Authority:                    `domain'
  Sanitized Name:               `domain'
  Short Name:                   `domain'
  Sanitized Short Name:         `domain'
  Flags:                        `1'
  Web Enrollment Servers:       `'

Thanks,

DFS Site shows as "No site association" after OS upgrade


Hi,

I upgraded one of my DFS servers from W08SP2 to W08R2SP1.  Now the server shows the correct Site in the DFS Management GUI, but via dfsutil the Site information shows as "No site association" for each of the 4 dfsroots it holds. 

I tried removing the server from one of the dfsroots and then added it back, but that doesn't change the site status.

Any suggestions?

Thanks!

 


RODCs containing FRS backlog files


I just did an ADRAP and one of the things identified is a large number of backlogged files for SYSVOL on my RODCs.  We still use FRS for our SYSVOL; we have a mix of 2008 and 2008 R2 RODCs, and they are all showing a high number of backlogged files. The R2 systems are actually showing a higher number, even though they are newer RODCs and haven't been in the environment as long.

I have a couple questions

1. Is this even a problem?  SYSVOL doesn't replicate from the RODC out to a WDC

2. If it is a problem, how can I troubleshoot this?  The FRSdiag tool looks pretty slick, but according to the download link (http://www.microsoft.com/en-us/download/details.aspx?id=8613) it is only supported for server 2003.  

The security database on the server does not have a computer account for this workstation trust relationship


This problem exists in the below environment.

ForestA, has been around awhile, has one domain Called DomainQ

ForestC, is new, has one domain called DomainR

ForestC has a one way transitive trust to ForestA and shares a namespace. Dns connectivity is in place, NTP is working correctly where ForestC pulls its time from ForestA and users in ForestA have been permissioned on devices in ForestC.

Below is the netlogon dump and the log files that look relevant. It's odd, because I get a "successfully logged on" message but the user is prompted with "The security database on the server does not have a computer account for this workstation trust relationship", and when they click on it they are back at the logon prompt. Nothing related to that error message that I have tried has helped.

http://technet.microsoft.com/en-us/library/ee849847%28WS.10%29.aspx

The above was not any help as this is a one way transitive forest trust so the trust level is already 2. The other 5 suggested links were also not useful.

07/18 12:18:29 [LOGON] [556] SamLogon: Network logon of DomainQInForestA\UserInDomainQ from UsersDesktopInDomainQ Returns 0x0
07/18 12:18:33 [LOGON] [556] SamLogon: Network logon of DomainQInForestA\UserInDomainQ from UsersDesktopInDomainQ Entered
07/18 12:18:33 [LOGON] [556] SamLogon: Network logon of DomainQInForestA\UserInDomainQ from UsersDesktopInDomainQ Returns 0x0
07/18 12:18:33 [MISC] [556] DsGetDcName function called: client PID=1636, Dom:DomainQInForestA Acct:(null) Flags: RET_DNS
07/18 12:18:33 [MISC] [556] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/18 12:18:33 [MAILSLOT] [556] NetpDcPingListIp: DomainQInForestA.My.Forest.Name: Sent UDP ping to IPv6AddressUniquetoDCinDOmainQ
07/18 12:18:33 [MISC] [556] NetpDcAllocateCacheEntry: new entry 0x000000D29F24EB50 -> DC:DCinDomainQ DnsDomName:DomainQInForestA.My.Forest.Name Flags:0x71fc
07/18 12:18:33 [MISC] [556] NetpDcGetName: NetpDcGetNameIp returned 0
07/18 12:18:33 [MISC] [556] DsGetDcName: results as follows: DCName:\\DCinDomainQ.DomainQInForestA.My.Forest.Name DCAddress:\\IPv6AddressUniquetoDCinDOmainQ DCAddrType:0x1 DomainName:DomainQInForestA.My.Forest.Name DnsForestName:My.Forest.Name Flags:0xe00071fc DcSiteName:SiteInDomainQ ClientSiteName:SiteInDomainQOfClients
07/18 12:18:33 [MISC] [556] DsGetDcName function returns 0 (client PID=1636): Dom:DomainQInForestA Acct:(null) Flags: RET_DNS
07/18 12:18:33 [MISC] [2800] DsGetDcName function called: client PID=4, Dom:DomainRinForestC.SpecialProject.My.Forest.Name Acct:(null) Flags: IP KDC
07/18 12:18:33 [MISC] [2800] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/18 12:18:33 [MISC] [2800] NetpDcGetName: DomainRinForestC.SpecialProject.My.Forest.Name using cached information ( NlDcCacheEntry = 0x000000D29F269FC0 )
07/18 12:18:33 [MISC] [2800] DsGetDcName: results as follows: DCName:\\DCinDomainRinForestC.DomainRinForestC.SpecialProject.My.Forest.Name DCAddress:\\IPv4AddressofDCinDomainRinForestCDCAddrType:0x1 DomainName:DomainRinForestC.SpecialProject.My.Forest.Name DnsForestName:DomainRinForestC.SpecialProject.My.Forest.Name Flags:0xe00071fc DcSiteName:Default-First-Site-Name ClientSiteName:Default-First-Site-Name
07/18 12:18:33 [MISC] [2800] DsGetDcName function returns 0 (client PID=4): Dom:DomainRinForestC.SpecialProject.My.Forest.Name Acct:(null) Flags: IP KDC
07/18 12:18:34 [SESSION] [2912] I_NetLogonGetAuthData called: (null) DomainRinForestC (Flags 0x1)  
07/18 12:19:16 [SESSION] [1968] I_NetLogonGetAuthData called: (null) DomainRinForestC (Flags 0x1)  
07/18 12:19:29 [MISC] [2912] DsGetDcName function called: client PID=916, Dom:(null) Acct:(null) Flags: DS BACKGROUND
07/18 12:19:29 [MISC] [2912] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/18 12:19:29 [MISC] [2912] NetpDcGetName: DomainRinForestC.SpecialProject.My.Forest.Name. using cached information ( NlDcCacheEntry = 0x000000D29F269FC0 )
07/18 12:19:29 [MISC] [2912] DsGetDcName: results as follows: DCName:\\DCinDomainRinForestC.DomainRinForestC.SpecialProject.My.Forest.Name DCAddress:\\IPv4AddressofDCinDomainRinForestCDCAddrType:0x1 DomainName:DomainRinForestC.SpecialProject.My.Forest.Name DnsForestName:DomainRinForestC.SpecialProject.My.Forest.Name Flags:0xe00071fc DcSiteName:Default-First-Site-Name ClientSiteName:Default-First-Site-Name
07/18 12:19:29 [MISC] [2912] DsGetDcName function returns 0 (client PID=916): Dom:(null) Acct:(null) Flags: DS BACKGROUND
07/18 12:22:17 [SESSION] [1040] DomainRinForestC: NlTimeoutApiClientSession: Unbind from server \\DCinDomainRinForestC.DomainRinForestC.SpecialProject.My.Forest.Name (TCP) 1.

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Type:            3

Impersonation Level:        Impersonation

New Logon:
    Security ID:        DomainQInForestA\UserInDomainQ
    Account Name:        UserInDomainQ
    Account Domain:        REDMOND
    Logon ID:        0x81D94
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x0
    Process Name:        -

Network Information:
    Workstation Name:    UsersDesktopInDomainQ
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        NtLmSsp
    Authentication Package:    NTLM
    Transited Services:    -
    Package Name (NTLM only):    NTLM V2
    Key Length:        128
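A small triage parser for netlogon.log lines in the format quoted above, added here as an example and not part of the post or of any Microsoft tool. It extracts the DsGetDcName "results as follows" records (tolerating a value that has run into the next key, as in the DCAddress/DCAddrType line above), decodes the DC flag bits, and lists the distinct forests the client located DCs in; the sample lines are constructed from the post's redacted placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the format quoted in the post (the poster's redacted
# placeholder names kept as-is). The last line keeps the fused
# "...ForestCDCAddrType" token exactly as it appears in the post.
SAMPLE_NETLOGON = """\
07/18 12:18:33 [LOGON] [556] SamLogon: Network logon of DomainQInForestA\\UserInDomainQ from UsersDesktopInDomainQ Entered
07/18 12:18:33 [LOGON] [556] SamLogon: Network logon of DomainQInForestA\\UserInDomainQ from UsersDesktopInDomainQ Returns 0x0
07/18 12:18:33 [MISC] [556] DsGetDcName: results as follows: DCName:\\\\DCinDomainQ.DomainQInForestA.My.Forest.Name DCAddress:\\\\IPv6AddressUniquetoDCinDOmainQ DCAddrType:0x1 DomainName:DomainQInForestA.My.Forest.Name DnsForestName:My.Forest.Name Flags:0xe00071fc DcSiteName:SiteInDomainQ ClientSiteName:SiteInDomainQOfClients
07/18 12:18:33 [MISC] [2800] DsGetDcName: results as follows: DCName:\\\\DCinDomainRinForestC.DomainRinForestC.SpecialProject.My.Forest.Name DCAddress:\\\\IPv4AddressofDCinDomainRinForestCDCAddrType:0x1 DomainName:DomainRinForestC.SpecialProject.My.Forest.Name DnsForestName:DomainRinForestC.SpecialProject.My.Forest.Name Flags:0xe00071fc DcSiteName:Default-First-Site-Name ClientSiteName:Default-First-Site-Name
"""

# Keys netlogon prints in a "DsGetDcName: results as follows:" line.
RESULT_KEYS = ("DCName", "DCAddress", "DCAddrType", "DomainName",
               "DnsForestName", "Flags", "DcSiteName", "ClientSiteName")
# Split before any known key, even when the previous value ran into it with no space.
_KEY_SPLIT = re.compile(r"\s*(?=(?:%s):)" % "|".join(RESULT_KEYS))

# Low flag bits of DOMAIN_CONTROLLER_INFO.Flags as documented for DsGetDcName.
DC_FLAGS = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC",
            0x40: "TIMESERV", 0x80: "CLOSEST", 0x100: "WRITABLE"}


def parse_dsgetdcname(text: str) -> List[Dict[str, str]]:
    """Return one key/value dict per 'DsGetDcName: results as follows:' line."""
    records = []
    for line in text.splitlines():
        _, sep, tail = line.partition("results as follows:")
        if not sep:
            continue
        rec: Dict[str, str] = {}
        for part in _KEY_SPLIT.split(tail.strip()):
            key, _, value = part.partition(":")
            if key in RESULT_KEYS:
                rec[key] = value
        records.append(rec)
    return records


def decode_flags(flags_hex: str) -> Set[str]:
    """Decode the DC capability bits, e.g. '0xe00071fc' -> {'GC', 'KDC', ...}."""
    value = int(flags_hex, 16)
    return {name for bit, name in DC_FLAGS.items() if value & bit}


def forests_located(records: List[Dict[str, str]]) -> Set[str]:
    """Distinct DnsForestName values; more than one means cross-forest DC lookups."""
    return {r["DnsForestName"] for r in records if "DnsForestName" in r}


def samlogon_results(text: str) -> List[Dict[str, str]]:
    """Extract completed SamLogon calls: account, source workstation and NTSTATUS."""
    pat = re.compile(r"SamLogon: (\w+) logon of (\S+) from (\S+) Returns (0x[0-9A-Fa-f]+)")
    return [{"type": m.group(1), "account": m.group(2), "workstation": m.group(3),
             "status": m.group(4)}
            for m in map(pat.search, text.splitlines()) if m]


if __name__ == "__main__":
    recs = parse_dsgetdcname(SAMPLE_NETLOGON)
    for r in recs:
        print(r["DCName"], r["DnsForestName"], sorted(decode_flags(r["Flags"])))
    print("forests:", sorted(forests_located(recs)))
    print("logons:", samlogon_results(SAMPLE_NETLOGON))
```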

PDC emulator isolated from member computers


We'd like to add a DC to our existing domain, and move the PDC role to it.  The new DC will be in a DMZ where it has full routability to all other domain DCs, but zero routability to all other member computers.

Is this a viable design?

Thanks,

Jaime

IPv6 without autoconfiguration


I'm trying to figure out how to get rid of autoconfiguration and auto-anything in IPv6.

I don't want to expose my MAC addresses. I want to have static IP addresses on my servers, and I want to decide which gateway they use.

I want to have DHCP reservations for all my workstations and I want to define in the DHCP scope (or elsewhere) all the networking parameters for the systems on the network.

I have a simple network with one LAN one DMZ and one firewall/router. It is not appropriate that the firewall/router is in charge of everything on the network. In case of a crisis it would get unplugged but my LAN has to continue to function without it.

I have the domain level at 2012, all the DCs are 2012, the client systems are all Windows 7 or 8, and the servers are at least 2008 R2.

Can anyone help?


CarolChi

Can I temporarily give users rights to add a HKCU registry key through active directory, and after the key is added disable the rights?


I want to add a REG_EXPAND_SZ value under this path (HKCU\software\Microsoft\office\14.0\common\general\) for all users when they sign on to their computers.  However, we have restricted users' access to edit their registries.

Is there any way through Active Directory that I can enable them to edit the registry after logging on to add this key, but then disable it again after it is added?
