Channel: Directory Services forum

DCDIAG /TEST:DNS RETURNS Broken Delegation errors showing for all DCs


Hi Team,

Whenever I run the DCDIAG DNS test, the test fails due to a broken delegation error. Please find the report below.

[Broken delegated domain cont.com.cont.com.]
      Error: DNS server: nc-win-dc01.cont.com. IP:10.1.1.1
[Broken delegated domain cont.com.cont.com.]
      Error: DNS server: nc-win-dc02.cont.com. IP:10.2.2.2
[Broken delegated domain cont.com.cont.com.]
      Error: DNS server: px-win-dc01.cont.com. IP:10.2.2.2

As per my understanding, in the above error cont.com is repeated twice. So I went to my cont DNS zone, under the .com folder, and there I found one more cont folder with one A record alias. Additionally, that record also exists under the forward lookup zone.

Like the below similar way,

Forward Lookup Zones
   | - cont.com
              | - com
                     | - cont

Will deleting the domain folder under "com" solve my problem?

If yes, why was that particular cont folder created, with an alias record?

Please help me to understand and resolve my issue.

Regards, Dev 
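A check to run before deleting anything, added here as an example and not part of the post: dcdiag reports a "broken delegated domain" where a subdomain inside the zone carries NS records (a delegation) whose name servers do not answer for that child name. The script below lists every delegation inside a zone and asks each delegated server for the child's SOA, so a stray delegation such as cont.com.cont.com (zone cont.com, subfolder com, subfolder cont) can be confirmed as broken, and only then removed. It assumes the DnsServer module (RSAT-DNS-Server) and uses the zone and server name from the post.

```powershell
# Added example: audit delegations in a zone and test whether each delegated server answers.
# Assumes the DnsServer PowerShell module and rights to read the zone.
$Zone   = 'cont.com'               # zone from the post
$Server = 'nc-win-dc01.cont.com'   # DNS server from the post

# Every NS record whose owner name is not the zone apex ('@') is a delegation of a child domain.
$delegations = Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -RRType NS |
    Where-Object { $_.HostName -ne '@' } |
    Group-Object HostName

foreach ($d in $delegations) {
    $child = "$($d.Name).$Zone"    # relative name 'cont.com' + zone 'cont.com' -> cont.com.cont.com
    foreach ($rec in $d.Group) {
        $ns = $rec.RecordData.NameServer.TrimEnd('.')
        try {
            # Ask the delegated server directly (no cache); a working delegation returns the child's SOA.
            $soa = Resolve-DnsName -Name $child -Type SOA -Server $ns -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SOA' }
            $status = if ($soa) { 'OK' } else { 'BROKEN (server answered but has no SOA for child)' }
        } catch {
            $status = "BROKEN ($($_.Exception.Message))"
        }
        [pscustomobject]@{ ChildZone = $child; NameServer = $ns; Status = $status }
    }
}

# Removal, only once every NS for the child is confirmed stray and nothing depends on it.
# Drop -WhatIf to actually delete.
Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -RRType NS |
    Where-Object { $_.HostName -eq 'cont.com' } |
    Remove-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Force -WhatIf
```

If the com\cont folder holds only an A or CNAME record and no NS records, it is not a delegation; that pattern typically comes from a host registering its full FQDN as a relative name inside the zone, which is harmless but can be cleaned up the same way by filtering on the matching RRType.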


Testing client LDAP signing


We need to test changes on our clients that are logging Event ID 2889:

"The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection."

Event 2887 suggests following http://support.microsoft.com/kb/935834 to configure directory servers to reject unsigned binds.
I do not want to configure server signing and break some running applications before testing, as it says:

 "Clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or on LDAP simple binds over a non-SSL/TLS connection stop working after you make this configuration change"

Can I make the configuration change on only one of my directory servers to test LDAP signing, and on one client configure the local computer policy Network security: LDAP client signing requirements = Require signing?

Please suggest what else is required on the client side to get this to work.

 

Deploy DFS to large enterprise


What is the best way to deploy Distributed File System (DFS) to a large enterprise where you want user folders created for all domain accounts? Is there a script or PowerShell script to create the namespace subfolders, or is this possibly part of the setup?

For example:

\\domain.contoso.com\user\john

\\domain.contoso.com\user\beth

\\domain.contoso.com\user\bob

thanks!

Also, is there a way to change their Documents folder to point to \\domain.contoso.com\user\, possibly with a login script or home directory?
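One way to script what the post asks for, added as an example and not code from the post: create the per-user folder on a file server, lock its NTFS ACL down to the user plus SYSTEM and Administrators, publish it as a DFS folder under the namespace, and set the account's home directory to the DFS path rather than the file server so the server can be replaced later without touching accounts. The namespace \\domain.contoso.com\user comes from the post; the share \\fs01.contoso.com\Users$ and the OU are assumed names.

```powershell
# Added example: per-user home folders behind a DFS namespace, least-privilege NTFS ACLs,
# and homeDirectory pointed at the DFS path. Assumes ActiveDirectory and DFSN modules.
Import-Module ActiveDirectory
Import-Module DFSN

$Namespace  = '\\domain.contoso.com\user'                  # from the post
$ShareRoot  = '\\fs01.contoso.com\Users$'                  # assumed file server share
$SearchBase = 'OU=Staff,DC=domain,DC=contoso,DC=com'       # assumed OU

foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties HomeDirectory) {
    $folder = Join-Path $ShareRoot $u.SamAccountName
    $link   = "$Namespace\$($u.SamAccountName)"

    # 1. Physical folder on the file server.
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

    # 2. Least privilege: stop inheritance, drop inherited ACEs, then grant only
    #    the user (Modify), SYSTEM and BUILTIN\Administrators (Full Control).
    $acl = Get-Acl $folder
    $acl.SetAccessRuleProtection($true, $false)
    $rules = @(
        @{ Id = $u.SID;                                                          Rights = 'Modify' },
        @{ Id = [System.Security.Principal.SecurityIdentifier]'S-1-5-18';        Rights = 'FullControl' }, # SYSTEM
        @{ Id = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544';    Rights = 'FullControl' }  # Administrators
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Id, $r.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $folder -AclObject $acl

    # 3. DFS folder under the namespace, pointing at the share folder.
    if (-not (Get-DfsnFolder -Path $link -ErrorAction SilentlyContinue)) {
        New-DfsnFolder -Path $link -TargetPath $folder | Out-Null
    }

    # 4. Home directory on the account uses the DFS path, not the file server name.
    if ($u.HomeDirectory -ne $link) {
        Set-ADUser -Identity $u -HomeDirectory $link -HomeDrive 'H:'
    }
}
```

For the Documents question, the Folder Redirection policy (User Configuration, Windows Settings, Folder Redirection, Documents) has a "Redirect to the user's home directory" option that follows the homeDirectory attribute set above, so no login script is needed. For very large domains a folder per user in the namespace is a lot of links; the alternative is one DFS folder \\domain.contoso.com\user with the share as its target and plain subfolders beneath it, which only changes step 3.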

How to remove Lingering Links


Hi Experts,

Does anyone know how to remove lingering links from AD?

More about lingering links: http://blogs.technet.com/b/exchange/archive/2011/09/14/how-lingering-links-can-impact-oab-generation-process.aspx


Regards, Nidhin.CK

Unable to change thumbnail photo: Set-ADUser: cannot bind parameter 'Replace to the target.


Hi

Yesterday, I thought I would recreate a client's SharePoint web app in my (private) Hyper-V setup. Since I wanted to import my test users' profile/thumbnail photos into Win2008R2 AD, I thought I would quickly search Google Images and select from the motley collection of Goths, Ghouls, Orcs, Trolls and Punk icons in JPEG format. I know that we need to keep the image in JPEG format, under 10K and around 200x200 px, so I imported some of them into Gimp, resized and exported. They can all be previewed.

Next, I quickly wrote some PS to run on my AD that enumerates all my users in my AD (OU) and, if it finds a corresponding thumbnail photo, replaces the one currently in AD. So what can possibly go wrong...

Note: AD properties store images in hex format. I have tried to set Binary but this setting does not seem to persist.

I am able to set the company property for my user but not, apparently, the thumbnail image. Any ideas? Do I need to run some whizzy importing program? Do I need to service pack my AD?

Regards

Daniel
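An added example (not the poster's script) of the loop described above that works with the ActiveDirectory module: thumbnailPhoto is an octet string, so the value handed to -Replace must be a real [byte[]] inside a hashtable; no hex conversion is needed, and "cannot bind parameter 'Replace'" is what PowerShell reports when the argument is not a hashtable. The photo directory, OU and size limit are assumptions.

```powershell
# Added example: load JPEG thumbnails into thumbnailPhoto for every user in one OU.
# Assumes photos named <sAMAccountName>.jpg in $PhotoDir and the ActiveDirectory module.
Import-Module ActiveDirectory
$PhotoDir   = 'C:\Photos'                                      # assumed
$SearchBase = 'OU=Test Users,DC=corp,DC=example,DC=com'        # assumed
$MaxBytes   = 100KB   # the attribute takes more, but mail/IM clients expect small images

function Test-JpegBytes {
    param([byte[]]$Bytes)
    # A JPEG starts with the SOI marker FF D8 FF; a PNG renamed to .jpg fails this and is skipped.
    return ($Bytes.Length -ge 3 -and $Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xD8 -and $Bytes[2] -eq 0xFF)
}

foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase -Properties thumbnailPhoto) {
    $file = Join-Path $PhotoDir "$($u.SamAccountName).jpg"
    if (-not (Test-Path $file)) { continue }

    # Read raw bytes; do not use Get-Content without -Encoding Byte, that yields strings.
    $bytes = [System.IO.File]::ReadAllBytes($file)
    if (-not (Test-JpegBytes $bytes)) { Write-Warning "$file is not a JPEG, skipped"; continue }
    if ($bytes.Length -gt $MaxBytes)  { Write-Warning "$file is $($bytes.Length) bytes, skipped"; continue }

    # Skip unchanged photos so a large attribute is not needlessly rewritten and replicated.
    $current = [byte[]]$u.thumbnailPhoto
    if ($current -and ([Convert]::ToBase64String($current) -eq [Convert]::ToBase64String($bytes))) { continue }

    # -Replace takes a hashtable of attribute name -> value; the value here is the byte array itself.
    Set-ADUser -Identity $u -Replace @{ thumbnailPhoto = $bytes }
    Write-Host "Updated $($u.SamAccountName) ($($bytes.Length) bytes)"
}
```

To remove a photo again use `Set-ADUser -Identity <user> -Clear thumbnailPhoto`; the account running this needs write access to the attribute on the target users, which is not granted to ordinary users by default.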




LDAP Traffic Increased since Installing 2012 Domain Controllers


Hi,

Hope someone can help. 

Just some background on our environment. We have a root forest (2003 forest level) and then one separate child domain (2003 domain level) in this forest.

The child forest is where our clients' main Active Directory is hosted. The root forest domain controllers sit in a datacenter along with some child domain DCs. We then have multiple sites with domain controllers that connect over a WAN link.

We recently started upgrading the domain controllers at the sites to Server 2012 domain controllers. The schema version is confirmed to be at Server 2012.

We have noticed that our LDAP traffic over the WAN has increased significantly since migrating to 2012 domain controllers: around 2 GB of LDAP traffic is transferred over a 24-hour period from one DC to the server hosting the Domain Naming Master role. We have two DCs per site, so that is 4 GB of LDAP data over a WAN link in a 24-hour period.

To try to see what was causing it (and how we found that it was the 2012 DCs only): we ran netstat -a on the server and saw a number of connections to the forest root server holding the Domain Naming Master and Schema Master roles. Then on this root domain controller we ran the same command and found that it had connections to all the new 2012 domain controllers at the remote sites (+/- 10 DCs). The server holding these two roles was a 2003 server, and at first we thought this might be the reason, so we proceeded to bring in a 2012 domain controller in the root forest, where we had only 2008 R2 and 2003 domain controllers. After we installed the 2012 domain controller we moved the roles: we put the Domain Naming Master on the 2008 server and the Schema Master on the new 2012 server. We left it for a day or two to see if the traffic still showed up, but this time it started talking to the 2008 domain controller holding the Domain Naming Master role. We have now moved the role onto the 2012 domain controller and run a packet capture using Wireshark, and as suspected the traffic has now started going to the 2012 domain controller.

See image. Maybe this can help.

Somehow it has something to do with the Domain Naming Master, just no idea what.

Any advice would be appreciated. 
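Before guessing at the cause, the DC that receives the traffic can be made to say which client is sending which searches. This is an added example, not something from the post: it turns on the directory service's expensive and inefficient search logging (Event 1644) with thresholds, then summarises the events by client and filter so the heaviest queries stand out. It assumes an elevated session on the DC holding the Domain Naming Master role; the thresholds are example values and the regular expressions are an assumption about the layout of the 1644 message text.

```powershell
# Added example: enable Event 1644 (expensive/inefficient LDAP search) logging and summarise it.
# Run elevated on the DC that receives the traffic. Threshold values are examples.
$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1644 is written only when '15 Field Engineering' is 5 and a search crosses one of these thresholds.
Set-ItemProperty -Path $diag   -Name '15 Field Engineering'                   -Value 5     -Type DWord
Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold'     -Value 5000  -Type DWord
Set-ItemProperty -Path $params -Name 'Inefficient Search Results Threshold'   -Value 1000  -Type DWord
Set-ItemProperty -Path $params -Name 'Search Time Threshold (msecs)'          -Value 10000 -Type DWord

function Get-ExpensiveLdapSearches {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1644; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        # The 1644 text is a series of 'Label:' lines followed by the value; these patterns assume that layout.
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = ([regex]::Match($m, 'Client:\s*(\S+)')).Groups[1].Value -replace ':\d+$'   # drop source port
            Base     = ([regex]::Match($m, 'Starting node:\s*(.+)')).Groups[1].Value.Trim()
            Filter   = ([regex]::Match($m, 'Filter:\s*(.+)')).Groups[1].Value.Trim()
            Visited  = [int](([regex]::Match($m, 'Visited entries:\s*(\d+)')).Groups[1].Value)
            Returned = [int](([regex]::Match($m, 'Returned entries:\s*(\d+)')).Groups[1].Value)
        }
    }
}

# Which client/filter pairs touch the most objects? That is what produces gigabytes on a WAN link.
Get-ExpensiveLdapSearches -Hours 24 |
    Group-Object Client, Filter |
    Select-Object Count, Name, @{ n = 'VisitedTotal'; e = { ($_.Group | Measure-Object -Property Visited -Sum).Sum } } |
    Sort-Object VisitedTotal -Descending |
    Format-Table -AutoSize

# Level 5 is verbose on a busy DC; set '15 Field Engineering' back to 0 when finished.
```

The Wireshark capture already shows which DCs talk; 1644 adds the search base, filter and attribute list, which is what you need to identify the component (and to write a rule that alerts on the same pattern later).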



cannot post anything in community


Hi Colleagues,

I cannot post anything in community.

please help.

"""Body text cannot contain images or links until we are able to verify your account""

regards,

Dharanesh

unable to create new OU at Active Directory, getting error "name related properties may be out of sync"


Hi,

I am unable to create a new OU or rename an existing OU in Active Directory; I get the error below (screenshot attached for reference):

I have checked that the available disk space on the C drive is 5.5 GB.

What can be the possible reason for this? Please suggest the resolution steps for the same.

Quick response will be really helpful.

Thanks in advance.

Sanjog


Active Directory Diagnostics not running in PerfMon


Hello all!

I am trying to run Active Directory Diagnostics in Performance Monitor to address an lsass issue in which lsass consumes too much CPU. 

I opened PerfMon from an elevated Command Prompt and expanded the tree: Data Collector Sets -> System -> Active Directory Diagnostics. I right-clicked Active Directory Diagnostics and selected "Start." The diagnostic is supposed to run for 300 seconds and then generate a report. The problem is, nothing happened after that. If I right-click Active Directory Diagnostics again, the "Start" option is greyed out.

Under Reports -> System -> Active Directory Diagnostics, there are no items to show.

I consulted the following Microsoft document: http://support.microsoft.com/kb/971714 and found the following file path where the reports should be located: %systemdrive%\Perflogs\ADDS\<date report generation run>\*. But there is no ADDS folder, and the Admin folder that is there is empty.

Has anyone seen this before?  If so, how did you resolve it?

Thanks.

Sysprep.exe with or without "Generalized"?


Can anyone tell me what the difference is between running sysprep.exe with and without the "Generalize" option?

Another question: is it possible to join a computer to a domain controller if they have the same SID (I cloned them from a single image)?

Thank all beforehand for answering my questions :)
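Running sysprep with /generalize is what resets the machine SID (along with other machine-specific state); without it, every clone keeps the image's SID. The domain join itself uses the computer account's domain SID, so duplicate machine SIDs do not stop a join, but deploying an image that was not generalized is unsupported. An added example (not from the post) of how to check a batch of clones for shared machine SIDs, assuming CIM/WinRM access to the hosts; the hostnames are invented:

```powershell
# Added example: detect cloned machines that share a machine SID.
# Assumes Get-CimInstance can reach each host (WinRM). Hostnames are invented.
function Get-MachineSid {
    param([string]$ComputerName)
    # The built-in Administrator account always has RID 500; its SID minus the RID is the machine SID.
    # Matching on the SID suffix works even when the account has been renamed.
    $acct = Get-CimInstance -ClassName Win32_UserAccount -ComputerName $ComputerName `
                -Filter "LocalAccount = TRUE AND SID LIKE '%-500'"
    return ($acct.SID -replace '-500$')
}

$hosts = 'ws01', 'ws02', 'ws03'   # invented
$hosts |
    ForEach-Object { [pscustomobject]@{ Host = $_; MachineSid = Get-MachineSid -ComputerName $_ } } |
    Group-Object MachineSid |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Duplicate machine SID $($_.Name) on: $($_.Group.Host -join ', ')" }
```

Anything that reports a duplicate should be rebuilt from a generalized image rather than patched in place.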

Native AD LDS principals - ldp.exe 3.0 can no longer do simple binds - this used to work


I created a standalone LDS instance, created native AD LDS users and was able to authenticate using a simple bind with LDP.exe 3.0. Then I tried adding Windows principals to the same LDS instance and was not able to bind these Windows principals using a simple bind or SASL with LDP. But here is what I am concerned with: I can no longer do a simple bind with the native AD LDS users that was working before. I tried resetting passwords, but that did not help. I have confirmed those users are enabled.

Here is the error:

res = ldap_simple_bind_s(ld, 'CN=UserAdminRole,O=Microsoft,C=US', <unavailable>); // v.3

Error <49>: ldap_simple_bind_s() failed: Invalid Credentials

Server error: 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 2030, v1db0

Error 0x8009030C The logon attempt failed

-----------

Can a single AD LDS instance contain both AD LDS native users and windows principals and still be able to bind native AD LDS principals successfully using simple bind?

What did I do to break what was working before?

Thanks


leo


Error in update new objectClass in exsting AD LDS record


I am getting an error (Object_Class_violation, error code 65) when I add a new objectClass to an existing AD LDS record.

I can create users (Full Control in the ACL permissions), so I don't think the issue is with permissions.

Here is ldif:

dn: cn=User12,o=examples
changetype: modify
add: objectClass
objectClass: customObjectClass23
-
add: customMustAtt02
customMustAtt02: 121365
-

Thanks

Event ID: 2886

Hello

In my 2008 DC, I am getting this event:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 6/12/2008 4:04:10 PM
Event ID: 2886
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: CSD-6700.csd.lan
Description:
The security of this directory server can be significantly enhanced by
configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or
Digest) LDAP binds that do not request signing (integrity verification) and
LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted)
connection. Even if no clients are using such binds, configuring the server
to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple
binds over a non-SSL/TLS connection, and will stop working if this
configuration change is made. To assist in identifying these clients, if
such binds occur this directory server will log a summary event once every
24 hours indicating how many such binds occurred. You are encouraged to
configure those clients to not use such binds. Once no such events are
observed for an extended period, it is recommended that you configure the
server to reject such binds.


What can I do to stop this event?

Thanks in advance

Delmira
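Event 2886 is logged at directory service startup whenever the DC still accepts unsigned SASL binds and cleartext simple binds; it stops once LDAPServerIntegrity is set to require signing. The "Testing client LDAP signing" post earlier on this page asks how to find and test the affected clients first, which is the right order. The following is an added example, not from either post, that covers both: it enables the per-bind detail event (2889), summarises who is binding insecurely, and shows the client-side and server-side settings that the two Group Policy entries write. It assumes an elevated session on a DC, and the order of the 2889 event properties (client, identity, binding type) is an assumption about the event template.

```powershell
# Added example: audit unsigned/cleartext LDAP binds (Event 2889), then enforce signing.
# Run elevated on a domain controller. Property order of Event 2889 is assumed: [0] client IP:port,
# [1] identity, [2] binding type (0 = SASL without signing, 1 = simple bind over cleartext).

# 1. Per-bind detail is only logged when LDAP Interface Events diagnostics = 2; otherwise
#    the DC writes just the 24-hour summary (Event 2887).
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 2. After a day or more of logging, summarise the offenders so they can be fixed before enforcement.
function Get-UnsignedLdapBinds {
    param([int]$Days = 1)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Client   = [string]$e.Properties[0].Value -replace ':\d+$'   # strip the source port
            Identity = [string]$e.Properties[1].Value
            BindType = if ([int]$e.Properties[2].Value -eq 0) { 'SASL without signing' } else { 'Simple bind over cleartext' }
        }
    }
}

Get-UnsignedLdapBinds -Days 7 |
    Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Client side (run on the test client, not the DC). This is the registry value behind
#    "Network security: LDAP client signing requirements = Require signing". It applies to the
#    Windows LDAP client library only; applications that ship their own LDAP library are unaffected.
#    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' -Name LDAPClientIntegrity -Value 2 -Type DWord

# 4. Server side, once no 2889 events have appeared for a while. This is the value behind
#    "Domain controller: LDAP server signing requirements = Require signing"; it is per DC,
#    so enforcing on one DC only tests the clients that happen to bind to that DC.
#    Event 2886 stops being logged once this is 2. Remove -WhatIf to apply.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $params -Name LDAPServerIntegrity -Value 2 -Type DWord -WhatIf

# Diagnostics level 2 is chatty on a busy DC; set '16 LDAP Interface Events' back to 0 afterwards.
```

A client that requests signing (step 3) works against every DC regardless of step 4, so the client change is safe to roll out first; step 4 is the one that breaks whatever still shows up in the step 2 table.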

 

Type of Directory Service in windows server 2008?


Hi all,

I have a question: "Identify the types of directory services" (Windows Server 2008).

I have already searched around, but I still haven't found the answer.

Could anyone here explain the answer to my question?

Regards,

LouPram



DNS questions


We are trying to set up a DNS server that blocks any external IP address coming in and allows internal servers and IPs only, like a DMZ zone.

How do I set this up on the DNS servers? I think this can only be set up in a firewall, but someone said it can be done on a DNS server.
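Both approaches exist, and the two are complementary. The Windows DNS server on Windows Server 2016 and later has query resolution policies that can drop queries by client subnet; on older versions the same effect is achieved with the host firewall and by restricting the interfaces the service listens on. The following is an added example, not from the post, showing both; the subnets, interface address and firewall rule group name are assumptions.

```powershell
# Added example: answer DNS only for internal clients. Subnets and addresses are invented.
Import-Module DnsServer

# --- Windows Server 2016 and later: DNS policy ---
# 1. Define "internal". Anything outside these ranges is treated as external.
Add-DnsServerClientSubnet -Name 'Internal' -IPv4Subnet '10.0.0.0/8', '192.168.0.0/16'

# 2. IGNORE (silently drop) queries whose source subnet is Not Equal to Internal.
#    IGNORE rather than DENY: an external prober gets no REFUSED reply that confirms a listener.
Add-DnsServerQueryResolutionPolicy -Name 'DropExternalClients' -Action IGNORE `
    -ClientSubnet 'NE,Internal' -ProcessingOrder 1

# --- Any version: listen only on the internal interface and filter at the host firewall ---
# 3. Bind the service to the internal address only (dnscmd is available on all supported versions).
dnscmd /ResetListenAddresses 10.0.0.53

# 4. Restrict the built-in DNS server firewall rules to internal sources.
#    The display group name 'DNS Service' is an assumption; check Get-NetFirewallRule -DisplayGroup '*DNS*'.
Get-NetFirewallRule -DisplayGroup 'DNS Service' |
    Set-NetFirewallRule -RemoteAddress '10.0.0.0/8', '192.168.0.0/16'

# Verify from an internal and an external address: the internal one gets an answer,
# the external one times out.
Resolve-DnsName -Name 'www.example.com' -Server 10.0.0.53 -DnsOnly
```

A DNS policy only filters what the DNS service sees; the firewall rule and listen-address restriction also stop the port from being reachable at all, which is what a DMZ placement normally requires. If the server must also answer external queries for a public zone, split-brain DNS is the usual design: a separate public-facing server (or a zone-scope policy) rather than one server with mixed rules.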


Active Directory Saved Query


Hi, I'm trying to find all users in a security group in our Active Directory domain.

What is the proper search query I should use during saved query creation?

thank you
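An ADUC saved query (New, Query, Define Query, Custom Search, Advanced tab) takes a raw LDAP filter. The two filters below are an added example, not from the post: one for direct members and one that also follows nested groups using the LDAP_MATCHING_RULE_IN_CHAIN extended match (OID 1.2.840.113556.1.4.1941). They are run through Get-ADUser so the result can be checked before pasting the filter into the saved query. The group DN is invented.

```powershell
# Added example: LDAP filters for "all users in group X", direct and nested, tested via Get-ADUser.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping for a value placed inside a filter (backslash first, then the others).
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29')
}

$GroupDn = 'CN=Finance Users,OU=Groups,DC=corp,DC=example,DC=com'   # invented
$escaped = ConvertTo-LdapFilterValue $GroupDn

# Direct members only. memberOf is a back-link, so this is cheap and index-friendly.
$direct = "(&(objectCategory=person)(objectClass=user)(memberOf=$escaped))"

# Direct and nested members. The matching rule makes the DC walk group-in-group membership
# server-side; it is slower but it is the only way a saved query can see nesting.
$nested = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$escaped))"

Get-ADUser -LDAPFilter $nested -Properties memberOf |
    Select-Object SamAccountName, Name, @{ n = 'DirectMember'; e = { $_.memberOf -contains $GroupDn } } |
    Sort-Object DirectMember, SamAccountName |
    Format-Table -AutoSize
```

Neither filter sees members whose primary group is the group in question (primaryGroupID is not reflected in memberOf); that only matters for groups such as Domain Users that are used as a primary group.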

Can we use lastlogon parameter and pwdlastset attribute to remove inactive users from AD


Hi

Can we use the lastLogon parameter and the pwdLastSet attribute to remove inactive users from AD?
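Three attribute facts matter here: lastLogon is not replicated (each DC keeps its own value, so a report from one DC misses logons serviced by other DCs); lastLogonTimestamp is replicated but only updated when the stored value is more than roughly 9 to 14 days old, so it is accurate to about two weeks; pwdLastSet is replicated but says when the password changed, not when the account was used. The added example below (not from the post) combines lastLogonTimestamp, pwdLastSet and whenCreated into a stale-account report and disables rather than deletes, which is reversible and keeps the SID for audit trails. It assumes the ActiveDirectory module and a domain functional level of 2003 or higher.

```powershell
# Added example: inactive-user report from replicated attributes, then disable with -WhatIf.
Import-Module ActiveDirectory
$Days   = 90
$cutoff = (Get-Date).AddDays(-$Days)

function ConvertFrom-AdFileTime {
    param([long]$Value)
    # lastLogonTimestamp and pwdLastSet are 100-ns intervals since 1601-01-01 UTC; 0 or absent = never.
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTime($Value)
}

function Get-StaleUsers {
    param([DateTime]$Cutoff)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, pwdLastSet, whenCreated |
        ForEach-Object {
            $lastLogon = ConvertFrom-AdFileTime $_.lastLogonTimestamp
            $pwdSet    = ConvertFrom-AdFileTime $_.pwdLastSet
            # Stale only if BOTH signals are old (a never-expiring password alone proves nothing)
            # AND the account was created before the window (a new, unused account is not stale).
            $inactive = ($null -eq $lastLogon -or $lastLogon -lt $Cutoff) -and
                        ($null -eq $pwdSet    -or $pwdSet    -lt $Cutoff) -and
                        ($_.whenCreated -lt $Cutoff)
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                LastLogon      = $lastLogon
                PwdLastSet     = $pwdSet
                Created        = $_.whenCreated
                Inactive       = $inactive
            }
        } | Where-Object { $_.Inactive }
}

$stale = Get-StaleUsers -Cutoff $cutoff
$stale | Format-Table -AutoSize

# Disable first; delete only after a retention period. Remove -WhatIf to apply.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

`Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly` gives the lastLogonTimestamp part of this in one call; the function above adds the pwdLastSet and whenCreated guards. Service accounts that only ever authenticate with Kerberos service tickets to other hosts still update lastLogonTimestamp when they log on, but accounts used purely as the target of a service (never logging on themselves) will look stale and need an exclusion list.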

Problems joining a Windows 7 Machine to a Windows 2003 Domain Controller.


I've got an interesting problem that I'm hoping someone has seen before...

Mixed Domain Controller Environment: W2K3 & W2K8R2

Domain Functional Level: Windows Server 2003

Forest Functional Level: Windows Server 2003

I have an MDT task sequence in my SCCM 2012 environment. When the deployed computer attempts to join the domain, it joins with no problem if it connects to a W2K8R2 DC; if it connects to a W2K3 DC, I get the following error in NetSetup.log:

07/25/2013 07:14:26:818 NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error string: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

I have created a Windows 7 OU and assigned the following permissions to the service accounts, so I'm pretty sure it isn't a permissions issue:

Scope: This object and all descendant objects

  • Create Computer objects
  • Delete Computer objects

Scope: Descendant Computer objects

  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Modify Permissions
  • Change Password
  • Reset Password
  • Validated write to DNS host name
  • Validated write to service principal name

Hoping someone has seen this before or has an idea of where to go from here.

Chris
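INSUFF_ACCESS_RIGHTS is the DC's own verdict on the ACL it holds, so when the outcome depends on which DC the join lands on, the first thing to compare is what each DC actually has on that OU for the join account. The added example below (not from the post) binds an AD: drive to each DC in turn and prints the ACEs that name the service account, including the object-type GUID, so a missing or differently scoped ACE shows up side by side. DC names, OU DN and account name are invented.

```powershell
# Added example: compare the OU's ACEs for the join account as stored on each DC.
# Assumes the ActiveDirectory module. Names below are invented.
Import-Module ActiveDirectory
$Ou      = 'OU=Windows 7,DC=corp,DC=example,DC=com'
$Account = 'CORP\svc-mdt-join'
$Dcs     = 'dc2003-01.corp.example.com', 'dc2008-01.corp.example.com'

# Well-known schema GUID of the computer class: the ObjectType you expect on
# "Create/Delete Computer objects" ACEs. Other GUIDs identify attributes or extended rights.
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

foreach ($dc in $Dcs) {
    # A PSDrive pinned to one DC makes Get-Acl read that DC's copy of the security descriptor,
    # which is how replication lag or a divergent ACL between DCs is exposed.
    New-PSDrive -Name ADX -PSProvider ActiveDirectory -Server $dc -Root '' | Out-Null
    try {
        $acl = Get-Acl -Path "ADX:\$Ou"
        $acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $Account } |
            ForEach-Object {
                [pscustomobject]@{
                    DC         = $dc
                    Rights     = $_.ActiveDirectoryRights
                    Type       = $_.AccessControlType
                    ObjectType = if ($_.ObjectType -eq $ComputerClassGuid) { 'computer (class)' } else { $_.ObjectType }
                    AppliesTo  = $_.InheritanceType
                    Inherited  = $_.IsInherited
                }
            }
    } finally {
        Remove-PSDrive -Name ADX
    }
}
```

If the two DCs disagree, `repadmin /showobjmeta <dc> "<OU DN>"` shows the nTSecurityDescriptor version and originating DC on each side. If they agree, the difference is in how each DC version evaluates the join (for example, whether it is creating a new computer object or reusing a pre-staged one), and the NetSetup.log lines just before the error say which path it took.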

<input id="d4b59f81-2927-41a7-aa20-98ad308b0df4_attachments" type="hidden" />

ldapsearch example with SASL bind

I am trying to do OpenLDAP integration with Microsoft AD/LDAP. For some initial troubleshooting purposes, I am looking at using the ldapsearch command with a SASL bind (DIGEST-MD5).

Can anyone give me the exact syntax for how to use the ldapsearch command with a SASL bind for Active Directory? I appreciate your help. I have been trying out what is there on the web but no luck yet.

Thanks.
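The OpenLDAP client syntax for a DIGEST-MD5 bind is `ldapsearch -H ldap://dc01.example.com -Y DIGEST-MD5 -U jdoe -b "DC=example,DC=com" "(sAMAccountName=jdoe)" distinguishedName memberOf` (it prompts for the password; -U is the authentication identity, and -R <realm> can be added if the server's challenge realm differs from what the client picks). For comparison from the Windows side, the added example below (not from the post) performs the same DIGEST-MD5 SASL bind through System.DirectoryServices.Protocols with signing and sealing requested, which is what a DC configured to require LDAP signing expects. Host, base DN and realm are assumptions.

```powershell
# Added example: DIGEST-MD5 SASL bind to AD from PowerShell, with signing/sealing, then a search.
# Host, base DN and realm are invented; the realm is assumed to be the domain's DNS name.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Server = 'dc01.example.com'
$Base   = 'DC=example,DC=com'
$Realm  = 'example.com'
$cred   = Get-Credential -Message 'AD user (sAMAccountName) for DIGEST-MD5 bind'
$net    = $cred.GetNetworkCredential()

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
            $id,
            (New-Object System.Net.NetworkCredential($net.UserName, $net.Password, $Realm)),
            [System.DirectoryServices.Protocols.AuthType]::Digest)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true   # integrity: required by DCs with LDAPServerIntegrity = 2
$conn.SessionOptions.Sealing = $true   # confidentiality: DIGEST-MD5 auth-conf, so the search is not cleartext
$conn.Bind()                           # throws LdapException on bad credentials or unsupported mechanism

$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $Base, "(sAMAccountName=$($net.UserName))",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            @('distinguishedName', 'memberOf'))
$resp = $conn.SendRequest($req)

foreach ($e in $resp.Entries) {
    $e.DistinguishedName
    if ($e.Attributes.Contains('memberOf')) {
        $e.Attributes['memberOf'].GetValues([string]) | ForEach-Object { "  memberOf: $_" }
    }
}
$conn.Dispose()
```

DIGEST-MD5 was moved to historic status by RFC 6331 and is only worth using for this kind of one-off check; for production integration prefer Kerberos (`-Y GSSAPI` after `kinit` on the OpenLDAP side, AuthType Kerberos or Negotiate on the Windows side), which gives signing and sealing without a password crossing the wire.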

AD Architecture Question


I know I should be able to find this, but I haven't found a good discussion.

I need to build a hosted environment (hosted Active Directory is the easiest way to explain it) for user auth. It would be nice to have a structure like:

mycloud.com with admin accounts, and each customer would be a subdomain: client1.mycloud.com, client2.mycloud.com, etc. But the problem I see with this is the inherent two-way trusts if all domains are part of one forest.

So the logical solution seems to be multiple forests with one domain each, and each of these customer forests would trust the admin forest, so that admin accounts can do work in all customer domains. But of course, now I have all the infrastructure and maintenance required for a forest per customer. The other drawback is that the naming relationship I specified at the beginning doesn't exist.

If I did the multiple-forest model, could I create DNS alias entries for the DCs that made it look like they were related (client1.mycloud.com) and issue SSL certs to the DCs for LDAP and other services, or would the DCs not be happy with this?


Are there better solutions? Any links would be helpful.

