Channel: Directory Services forum
Viewing all 31638 articles

Replication blocked but cant find lingering objects

Hi,

I'm looking at a Windows domain with 3 sites and a DC in each site. A networking issue had prevented replication from occurring for some time between the sites. This was discovered after some user account issues. All of the sites are now properly routable and replication is now occurring between 2 of the DCs, BUT one of the DCs is blocking replication from one of the others, as the date of the last successful replication is longer ago than the tombstone lifetime, and it mentions lingering objects.

There are plenty of guides out there on finding and removing lingering objects, but the problem is I can't seem to find any.

I have no 1988 Directory Service log errors on any of the DCs, so I can't establish what the lingering objects are (if there are any). I have also tried repadmin /removelingeringobjects /Advisory_mode (with the right arguments, of course), but the resulting events in the DS log say that 0 objects were examined and removed.

I am at a loss as to what to do next. How can I be 100% sure there are no lingering objects, and is there any way to re-enable replication? Or is it a case of removing the offending DC and promoting another?

Thanks

Patrick
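The sequence below is an added example and is not code from the post above. It is the check a practitioner would run on the refusing DC before deciding anything: read the forest tombstone lifetime, list each inbound partner with the number of days since its last success and the last result code (8614 is the "exceeded tombstone lifetime" refusal), read the two NTDS registry values that govern the refusal and its override, and then run the advisory-mode lingering-object scan against every partition using the source's NTDS Settings objectGUID, which is the identifier repadmin expects. The DC names are placeholders; Get-ADReplicationPartnerMetadata assumes the Windows Server 2012 or later ActiveDirectory module (on a 2008 R2 console, `repadmin /showrepl <dc> /verbose` gives the same per-partner data).

```powershell
# Added example, not from the original post. Placeholders: $destDC (the DC refusing
# inbound replication) and $srcDC (the partner it refuses). Needs RSAT (ActiveDirectory
# module, repadmin.exe) and rights to read the remote NTDS registry key over WinRM.
Import-Module ActiveDirectory

$destDC  = 'DC3.corp.example'
$srcDC   = 'DC1.corp.example'
$rootDse = Get-ADRootDSE -Server $destDC

# 1. Tombstone lifetime: the threshold behind the "last success too long ago" refusal.
#    An unset attribute means the forest still uses the original 60-day default.
$dsCfg = Get-ADObject -Server $destDC -Properties tombstoneLifetime `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tsl = if ($dsCfg.tombstoneLifetime) { $dsCfg.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# 2. Inbound partners as the destination sees them: partition, source, last success,
#    and the last result code (8614 = time since last success exceeded tombstone lifetime).
Get-ADReplicationPartnerMetadata -Target $destDC -PartitionFilter * |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult,
        @{ n = 'DaysSinceSuccess'; e = { [int]((Get-Date) - $_.LastReplicationSuccess).TotalDays } } |
    Format-Table -AutoSize

# 3. The registry values on the destination that enforce the refusal and allow the override.
Invoke-Command -ComputerName $destDC -ScriptBlock {
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' |
        Select-Object 'Strict Replication Consistency',
                      'Allow Replication With Divergent and Corrupt Partner'
}

# 4. Advisory-mode scan of every partition, keyed by the source's NTDS Settings objectGUID.
#    Results land in the destination's Directory Service log: 1938 (scan started),
#    1946 (one lingering object found), 1942 (scan finished, with the object count).
$srcNtds  = Get-ADDomainController -Identity $srcDC
$srcGuid  = (Get-ADObject -Identity $srcNtds.NTDSSettingsObjectDN).ObjectGUID
$partitions = @(
    $rootDse.defaultNamingContext,
    $rootDse.configurationNamingContext,
    $rootDse.schemaNamingContext,
    "DC=DomainDnsZones,$($rootDse.defaultNamingContext)",
    "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
)
foreach ($nc in $partitions) {
    & repadmin.exe /removelingeringobjects $destDC $srcGuid $nc /advisory_mode
}

# 5. Only once every partition's 1942 event reports 0 objects: allow the divergent partner
#    temporarily, pull one sync from the source, then remove the override again.
#    & repadmin.exe /regkey $destDC +allowDivergent
#    & repadmin.exe /replicate $destDC $srcDC $rootDse.defaultNamingContext
#    & repadmin.exe /regkey $destDC -allowDivergent
```

Step 4 has to be repeated with every other DC as the source, not just the one named in the refusal, because a lingering object on the refusing DC is by definition one the source no longer has; scanning the DomainDnsZones and ForestDnsZones partitions matters because DNS records are the most common place for them to hide. The override in step 5 is a one-off: leaving "Allow Replication With Divergent and Corrupt Partner" set permanently silences the very check that caught this condition.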


I got error when run adprep /domainprep

I have Win2k8 and am trying to migrate to Win2k8 R2. I cannot promote a Win2k8 R2 DC in our domain because when I run adprep /domainprep I get an error; please read the error below. I already ran adprep /forestprep and have a domain administrator user to run it.

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.
[2011/03/03:14:42:32.178]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=82112ba0-7e4c-4a44-89d9-d46c9612bf91,cn=Operations,cn=DomainUpdates,cn=System,DC=microbanker,DC=org.
[2011/03/03:14:42:32.178]
LDAP API ldap_search_s() finished, return code is 0x20 
[2011/03/03:14:42:32.178]
Adprep verified the state of operation cn=82112ba0-7e4c-4a44-89d9-d46c9612bf91,cn=Operations,cn=DomainUpdates,cn=System,DC=microbanker,DC=org. 

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.
[2011/03/03:14:42:32.178]
Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is CN=PSPs,CN=System,DC=microbanker,DC=org.
[2011/03/03:14:42:32.178]
LDAP API ldap_add_s() finished, return code is 0x10 
[2011/03/03:14:42:32.178]
Adprep was unable to create the object CN=PSPs,CN=System,DC=microbanker,DC=org in Active Directory Domain Services.

[Status/Consequence]

This Adprep operation failed.

AFTER SCHEMA UPGRADE: schupgr error "cannot obtain schema version to upgrade to 1"

Hello People,

We have just upgraded the schema of a Windows 2008 R2 domain (3 DCs, all W2K8 R2, one of them an RODC). We did the upgrade to Windows 2012 because we want to install SP3 of Exchange 2010 (we currently have SP2 RU5).

We did the adprep /forestprep, and everything was OK. We waited an hour before doing the domainprep.

We did the adprep /domainprep, and everything was OK.

We have checked in ADSI Edit that the schema version is 56, but we get an error if we launch the schupgr command:

>schupgr

Opened Connection to SRV-DC01 (Schema Master)
SSPI Bind succeeded
Current Schema Version is 56
ERROR: Cannot obtain schema version to upgrade to: 1

We don't know exactly what that ERROR is about...

Any suggestions or tests to do?

Thanks in advance

Need help in configuring radius authentication for wireless network

Hi All,

Recently we configured NAP & RADIUS for wireless authentication; I have configured it using Protected EAP (PEAP).

Clients that are joined to the domain are able to connect without authentication, but I am unable to connect the non-domain-joined laptops and mobile devices. Can anyone assist me in doing this? If I can authenticate these clients using domain credentials, that will be helpful to me....

Thanks


MCITP

Need powershell help

I need to look through all accounts in a specific OU, and look at a list of specific attributes (non-normal attributes), spit out a report of these settings (csv is fine, and preferred).  I then need to be able to go back and set one or more of these attributes for some or all of the accounts in this OU.

Anyone have a starting point?
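A starting point, added here as an example and not taken from the post: one function exports the chosen attributes for every account directly under an OU to CSV (with the DN as the first column so each row can be written back), and a second reads an edited copy of that CSV and applies the values with Set-ADUser. The OU, attribute list and path are placeholders; extensionAttribute1 only exists in an Exchange-extended schema, so substitute the attributes you actually need.

```powershell
# Added example, not from the original post. $ou, $attrs and $csv are placeholders;
# extensionAttribute1 assumes the Exchange schema extensions are present.
Import-Module ActiveDirectory

$ou    = 'OU=Sales,DC=corp,DC=example'
$attrs = 'employeeID', 'employeeType', 'extensionAttribute1'
$csv   = 'C:\temp\sales-attributes.csv'

# Report: one row per account in the OU, DN first so the row can be written back later.
function Export-OuAttributeReport {
    param([string]$SearchBase, [string[]]$Attributes, [string]$Path)
    Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope OneLevel -Properties $Attributes |
        Select-Object (@('DistinguishedName', 'SamAccountName') + $Attributes) |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

# Write-back: edit the CSV (or delete the rows you do not want touched), then apply.
# A filled cell replaces the attribute; an empty cell is left alone unless -ClearEmpty
# is given, in which case the attribute is cleared. -WhatIf previews without changing.
function Set-OuAttributesFromCsv {
    param([string]$Path, [string[]]$Attributes, [switch]$ClearEmpty, [switch]$WhatIf)
    foreach ($row in Import-Csv -Path $Path) {
        $replace = @{}
        $clear   = @()
        foreach ($a in $Attributes) {
            if (-not [string]::IsNullOrEmpty($row.$a)) { $replace[$a] = $row.$a }
            elseif ($ClearEmpty)                        { $clear += $a }
        }
        if ($replace.Count -eq 0 -and $clear.Count -eq 0) { continue }
        $params = @{ Identity = $row.DistinguishedName }
        if ($replace.Count -gt 0) { $params['Replace'] = $replace }
        if ($clear.Count   -gt 0) { $params['Clear']   = $clear }
        Set-ADUser @params -WhatIf:$WhatIf
    }
}

Export-OuAttributeReport -SearchBase $ou -Attributes $attrs -Path $csv
# ... edit $csv in Excel or a text editor ...
Set-OuAttributesFromCsv -Path $csv -Attributes $attrs -WhatIf
```

Keep the write-back keyed on DistinguishedName rather than SamAccountName so a renamed or moved account is not silently matched to the wrong object, and run with -WhatIf first: Set-ADUser -Replace accepts any string, and a typo in a CSV column header becomes a no-op rather than an error.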

Active Directory reporting

Hi All,

I'm looking for a way to export an Active Directory to CSV that contains a list of all user accounts, and the group memberships each user belongs to.

Can someone please help?

Windows Server 2012 Network > Need to split domain, and add a new exchange/lync server

Hello, I have this case scenario. Can you please provide guidance on the best solution to do this?

Situation:
My domain: a.local
Has: Exchange and Lync
Runs: Windows Server 2012

Goal: I want to split the a.local domain into a.local and b.local (rather than using AD Sites & Services). We want to split a.local into a.local and b.local, and have a separate Lync and Exchange server running on each one.

What is your recommended solution? Is this appropriate?

1. Buy a new server, ServerB, and install Windows 2012 on it
2. Use Server Manager to make a brand new domain "b.local" on ServerB
3. Export the GPOs from ServerA to ServerB
4. Export the DNS forwarders for Lync from ServerA to ServerB
5. Create a 2-way transient trust from ServerA to ServerB, and now Lync and Exchange can mail each other?

Please provide as much detail as you can, thank you so much!

Regards,
-calvin

Server functional level change from 2003 to 2008. Need suggestions.

Hello Experts,

Environment: I have 30 DCs in my domain, single forest and single domain. 27 domain controllers are on Windows Server 2008 R2 and the other three are on Windows Server 2003, across many sites.

I need to raise my domain functional level to Windows Server 2008 R2 for some requirements. For that, I first need to have the Windows Server 2003 domain controllers demoted and made member servers, because there are other roles also deployed on those machines, like SCCM, file server and McAfee.

I am bringing in three new servers with Windows Server 2008 R2 in place of those 2003 DCs. I will promote them as domain controllers and then I can raise my domain functional level to 2008.

Please suggest how I can proceed with the activity. Best practices? Anything that I need to take care of prior to the activity?

Are there any changes required on clients, in AD Sites and Services, or anywhere else I am missing? Please kindly help.

Thanks,

DJ


To modify group policies, is it fine to just replace the respective folder and files(which are already backed up from the same place) under the specific path for a given GPO inside the SYSVOL?

Hi,

In our test environment, we need to frequently modify the group policies in AD, so we find it difficult to interact with GPMC every time we need to modify a policy. So we found a new way of doing it, as explained below.

1. Do the needed modification to the GPO.

2. Go to the specific path where that GPO's information is stored in SYSVOL and back it up.

3. Do the above steps for n modified sets of the GPO.

4. Whenever you need a specific set of modified group policies, just replace the existing files and folders in the path with the already backed-up files and folders to get that specific set of policies applied to the OU (it also requires updating some version numbers so that AD will detect that a change was made to the GP and it will then be replicated properly).

5. Now verify that the policies you wanted are applied appropriately.

The above steps are working fine for us. What I am worried about is: are there any ill effects of this?

Is it a Microsoft-supported way to make changes to the GP and SYSVOL?

Thanks in Advance,

Sivabalan K
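For comparison with the manual SYSVOL swap described above, here is the same "save a named set, restore it later" workflow done through the GroupPolicy module, added as an example and not taken from the post. Backup-GPO and Import-GPO go through the Group Policy APIs, so the AD-side and SYSVOL-side version numbers are incremented together and replicated without anyone editing gpt.ini or the versionNumber attribute by hand. The store path and GPO names are placeholders; the module ships with RSAT on Windows Server 2008 R2 and later.

```powershell
# Added example, not from the original post. $store and the GPO names are placeholders.
Import-Module GroupPolicy

$store = 'C:\GPO-Sets'

# Save one named set: a backup of each GPO into a folder under $store.
function Save-GpoSet {
    param([string]$SetName, [string[]]$GpoNames)
    $dir = Join-Path $store $SetName
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
    foreach ($name in $GpoNames) {
        Backup-GPO -Name $name -Path $dir -Comment "set=$SetName" |
            Select-Object DisplayName, Id, CreationTime
    }
}

# Apply a saved set: Import-GPO writes the backed-up settings into the existing GPO
# of the same name, bumping the version counters in both AD and SYSVOL for you.
function Restore-GpoSet {
    param([string]$SetName, [string[]]$GpoNames)
    $dir = Join-Path $store $SetName
    foreach ($name in $GpoNames) {
        Import-GPO -BackupGpoName $name -Path $dir -TargetName $name | Out-Null
        # The four counters that must agree, or clients log Group Policy errors.
        Get-GPO -Name $name | ForEach-Object {
            [pscustomobject]@{
                GPO            = $_.DisplayName
                ComputerAD     = $_.Computer.DSVersion
                ComputerSysvol = $_.Computer.SysvolVersion
                UserAD         = $_.User.DSVersion
                UserSysvol     = $_.User.SysvolVersion
            }
        }
    }
}

$testGpos = 'Test Baseline', 'Test Lockdown'
Save-GpoSet    -SetName 'strict'  -GpoNames $testGpos     # after configuring the strict variant in GPMC
# ... change the GPOs in GPMC, then: Save-GpoSet -SetName 'relaxed' -GpoNames $testGpos
Restore-GpoSet -SetName 'strict'  -GpoNames $testGpos     # swap back to the strict variant
```

Two things the file copy does not give you and this does: a backup carries the GPO's settings only, so links and security filtering on the target are left as they are, and the import is a normal directory write that DFSR/FRS and the client-side version comparison see as a change. Run `gpupdate /force` on a test client afterwards and check the counters above match before trusting the result.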

The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

Hi,

I keep getting the below event logged when a DC's Dns services are restarted.

The DNS server was unable to create a resource record for 899494f1-fac0-4405-8bf4-d3d2326d0449._msdcs.domain.local. in zone domain.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

The server was demoted and promoted and the server received a new GUID but the server is still trying to register the 899494f1-fac0-4405-8bf4-d3d2326d0449._msdcs.domain.local entry. The entry does not exist in the domain.

I used the below article before we demoted the server and it however did not resolve the problem:

http://technet.microsoft.com/en-us/library/cc735667(v=ws.10).aspx

Does anyone have any ideas?

Thanks

Don


Kind Regards Don
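The DNS server builds AD-integrated zones from dnsNode objects, so the record it keeps trying to create has to come from somewhere in the directory even if the console no longer shows it. The script below is an added example, not from the post: it first checks whether the GUID is the NTDS Settings objectGUID of any current DC, then searches every location an AD-integrated zone can live in (ForestDnsZones, DomainDnsZones and the legacy CN=MicrosoftDNS,CN=System container) for dnsNode objects whose name starts with that GUID, including tombstoned and deleted ones. The GUID is the one from the event above; everything else is derived from the forest the script runs in.

```powershell
# Added example, not from the original post. $guid is the value in the logged event;
# partitions are derived from the forest. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$guid = '899494f1-fac0-4405-8bf4-d3d2326d0449'
$root = Get-ADRootDSE

# 1. Does any live DC still own this DSA GUID? (The _msdcs CNAME is named after it.)
$dsaMatch = Get-ADObject -SearchBase $root.configurationNamingContext `
    -LDAPFilter '(objectClass=nTDSDSA)' |
    Where-Object { $_.ObjectGUID.Guid -eq $guid }
'Live DC with this DSA GUID: ' + $(if ($dsaMatch) { $dsaMatch.DistinguishedName } else { 'none' })

# 2. Every place the DNS server can load AD-integrated zone data from.
$partitions = @(
    "DC=ForestDnsZones,$($root.rootDomainNamingContext)",
    "DC=DomainDnsZones,$($root.defaultNamingContext)",
    "CN=MicrosoftDNS,CN=System,$($root.defaultNamingContext)"   # legacy domain-partition zones
)

# dnsNode objects whose RDN starts with the GUID, live or tombstoned (dNSTombstoned=TRUE
# means the DNS server already "deleted" it but the object lingers until aging removes it).
function Find-DnsNodeByGuid {
    param([string]$Guid, [string[]]$SearchBases)
    foreach ($base in $SearchBases) {
        Get-ADObject -SearchBase $base -LDAPFilter "(&(objectClass=dnsNode)(name=$Guid*))" `
            -Properties dNSTombstoned, whenChanged, dnsRecord `
            -IncludeDeletedObjects -ErrorAction SilentlyContinue |
            Select-Object DistinguishedName, dNSTombstoned, Deleted, whenChanged,
                @{ n = 'RecordCount'; e = { @($_.dnsRecord).Count } }
    }
}

Find-DnsNodeByGuid -Guid $guid -SearchBases $partitions | Format-List
```

If the node shows up only with dNSTombstoned=TRUE, or only in one partition, the DNS server on the logging DC is reading a copy the console does not display; compare the result from each DC (add `-Server <dc>` to Get-ADObject) to see whether the partitions have actually converged before deleting anything.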

Using Active Directory

As part of my regular job, I was asked to do a few things in our corporate AD (based on Win2008 R2) that require the use of group policy.

(Like allowing a certain user access to certain functions on certain servers, not admin access, or giving a user [not admin] the permissions to move other users from one OU to another.)

Anyway, I am a software developer as well as a network engineer. I know what AD is and what it's for, but I had never used it prior to 2 days ago. I have learned the basics of creating OUs and things related to managing users within the OUs, but in order to perform the rather advanced things I am asked to, I need to use GPOs. I have seen the GUI, and adding a new policy to an OU is easy, but knowing which policy to add, how to configure it and what's possible at all is the difficult part.

Examples of what I need to achieve are:
* Allowing a certain user access to certain functions on certain servers, not admin access
* Giving a user [not admin] the permissions to move other users (obviously not admins, maybe just users in a certain group) from one OU to another, and so on.

I want someone to direct me to a website or resource to study the use of GPOs for policy allocation to OUs, or to any other resource that you may think would be useful for me to achieve my needs.

Most of what I found online describes how to first set up AD, but that's irrelevant for me; it's already set up in the company and works perfectly. I need to know where I can learn to do the things I mentioned in the examples above.

Thanks

Active directory group membership not replicated on RODC

Hello,

We have a domain with 2 writable DCs in the head office and one read-only DC in a branch office. We have some logon batch files which mount the "network drives" in domain user profiles. Everything was working fine for a period. Nowadays branch office users can access the network drives but not the shared folders inside (the shared folder NTFS permissions are applied by "group", not by user account), but if we apply the permission by user it works fine.

I believe that there are some problems with Active Directory replication which generate this type of authentication problem, but I couldn't find how to resolve it. Your help will be highly appreciated.

For information:

  • The RODC is configured as a GC
  • On the writable DCs, no errors
  • The writable DC is connected to the RODC server via VPN; all traffic is allowed

***Here is the result of the DCDIAG command on the RODC server***

Starting test: DFSREvent
   There are warning or error events within the last 24 hours after the
   SYSVOL has been shared. Failing SYSVOL replication problems may cause
   Group Policy problems.
   ......................... RODC passed test DFSREvent

Starting test: SystemLog
   A warning event occurred. EventID: 0x000003F6
   Time Generated: 08/05/2013 5:05:28 p.m.
   Event String:
   Name resolution for the name 20.3.168.192.in-addr.arpa timed out after
   none of the configured DNS servers responded.
   ......................... RODC passed test SystemLog
Starting test: VerifyReferences
   ......................... RODC passed test VerifyReferences

***Here are some logs generated on the RODC server***

-------------------------------------------------------------------------------------------

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 23/07/2013 6:47:09
Event ID: 1224
Task Category: Internal Processing
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: RODC.domaine.local
Description:
An attempt by the local domain controller to automatically update information on one or more computer objects or server settings objects failed.

This operation will be retried after the following interval.

Interval (minutes):
5

additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.

Internal ID:
32b0980
XML Event
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">1224</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-07-23T04:47:09.392120800Z" />
    <EventRecordID>4303</EventRecordID>
    <Correlation />
    <Execution ProcessID="464" ThreadID="644" />
    <Channel>Directory Service</Channel>
    <Computer>RODC.domaine.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>5</Data>
    <Data>32b0980</Data>
    <Data>1355</Data>
    <Data>The specified domain either does not exist or could not be contacted.</Data>
    <Data></Data>
  </EventData>
</Event>

-----------------------------------------------------------------------------------------------------------------

Log Name: DFS Replication
Source: DFSR
Date: 31/07/2013 9:00:13 p.m.
Event ID: 5014
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: RODC.domaine.local
Description:
The DFS Replication service is stopping communication with partner CAMBRIDGE for replication group Domain System Volume due to an error. The service will retry the connection periodically.

Additional Information:
Error: 9036 (Paused for backup or restore.)
Connection ID: 0EACF62C-C9AE-4618-8A10-F6A3057ACB45
Replication Group ID: BE3F2387-162A-44A2-AF29-A637618C6A3C
XML Event
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="DFSR" />
    <EventID Qualifiers="32768">5014</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-07-31T19:00:13.000000000Z" />
    <EventRecordID>1061</EventRecordID>
    <Channel>DFS Replication</Channel>
    <Computer>RODC.domaine.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0EACF62C-C9AE-4618-8A10-F6A3057ACB45</Data>
    <Data>CAMBRIDGE</Data>
    <Data>Domain System Volume</Data>
    <Data>9036</Data>
    <Data>Paused for backup or restore.</Data>
    <Data>BE3F2387-162A-44A2-AF29-A637618C6A3C</Data>
  </EventData>
</Event>

Thanks in advance for your help!!!


replication occurs after an hour

Hello

I am running 2 DCs in a test environment. The second DC joined my test domain yesterday and I noticed that replication occurs every 1 hour. Is this the default time? Is it advisable to reduce it?

At the moment DC1 replicates DC2, but any changes on DC2 do not get replicated to DC1. Is this how it should be?

Many thanks

DFS-N Deployment Quota and Restrictions

What is the best method to set up quotas and restrictions for DFS-N namespaces? Is FSRM the best practice, or is there a way within DFS to set quotas?

Also, what are the best-practice settings for namespace referrals?

The options under the Referrals tab are:

Cache duration (in seconds)

Ordering method:

Clients fail back to preferred targets

and under the Advanced tab:

Optimize for polling or scalability?

Thanks


IPv6 causes issues in some environments when enabled on domain controllers

Maybe the heading sounds quite controversial and will no doubt prompt some mixed views.  There are a lot of people out there who have reported issues which appear linked to IPv6 configurations on domain controllers. 

From what I have seen there are a lot of people that point to the Microsoft recommendations not to disable IPv6 but they fail to explain under what certain circumstances IPv6 configured on DC interfaces can cause issues. 

Looking for some good discussion !



Client authentication and IPv6 ?

If a client's interface is configured for both IPv4 and IPv6 but the entire WAN is not enabled for IPv6 how does this impact the client's DC locator process and ultimately authentication ?

Directory Permissions - Nested Group

Hi,

I have an AD group, let's call it group1, which is a Security Group - Universal. Within it is another security group - universal (group2).

I have set permissions on a folder to group1, but all those in group2 have no access.

If I add a user directly to group1 it works. It appears nested groups

Any ideas? I would have thought nested groups would work?


Phil
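One report serves both the "Active Directory reporting" question earlier on this page (all users with their group memberships to CSV) and the nested-group question just above: it lists each user's direct memberOf groups beside the groups the DC itself expands into the user's token (the constructed tokenGroups attribute, nesting already resolved), plus the groups that appear only through nesting. This is an added example, not code from either post; the OU and output path are placeholders. tokenGroups is only returned on a base-scope read, which is why each user is fetched a second time by DN.

```powershell
# Added example, not from either post. $ou and $csv are placeholders. Needs the
# ActiveDirectory module (RSAT) and a DC of the user's domain to answer the queries.
Import-Module ActiveDirectory

# tokenGroups values may arrive as SecurityIdentifier objects or raw SID bytes.
function Convert-SidToName {
    param($Sid)
    $sidObj = if ($Sid -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($Sid, 0) }
              else { [System.Security.Principal.SecurityIdentifier]$Sid }
    try { $sidObj.Translate([System.Security.Principal.NTAccount]).Value } catch { $sidObj.Value }
}

function Get-GroupMembershipReport {
    param([string]$SearchBase, [string]$Path)
    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        # Constructed attributes such as tokenGroups need a base-scope read, hence -Identity.
        $u = Get-ADUser -Identity $_.DistinguishedName -Properties memberOf, tokenGroups
        $direct    = @($u.memberOf | ForEach-Object { ($_ -split ',', 2)[0] -replace '^CN=' })
        $effective = @($u.tokenGroups | ForEach-Object { Convert-SidToName $_ })
        $nested    = @($effective | Where-Object { $direct -notcontains ($_ -split '\\')[-1] })
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            DirectGroups    = ($direct    | Sort-Object) -join ';'
            EffectiveGroups = ($effective | Sort-Object) -join ';'
            OnlyViaNesting  = ($nested    | Sort-Object) -join ';'
        }
    } | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

Get-GroupMembershipReport -SearchBase 'OU=Users,DC=corp,DC=example' -Path 'C:\temp\user-groups.csv'
```

For the nested-group case, the useful column is OnlyViaNesting: if group1 appears there for a member of group2, the directory is expanding the nesting correctly and the missing access is on the client side, typically a token issued before the nesting change (the user needs to log off and on, or the file server needs the new ticket) rather than a directory problem. If it does not appear, check the group scope and which DC answered: the DN-based read above goes to the user's own domain, and universal-group expansion relies on a global catalog.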

Cross Forest DC Locator

We have two forests with a two way trust. Users in forest A are logging into a terminal server in forest B. There is a domain controller in forest A that resides on the same subnet as the terminal server in forest B. Users are getting logged onto random domain controllers in forest A. The two domain controller/DNS servers in forest B have secondary DNS zones with the appropriate SRV records for forest A.

I followed this blog:

http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx

The site/subnet match in both domains. nltest /dsgetsite confirms the server is using the correct site name.

Site specific SRV records are correct.

Using wireshark, I captured DNS traffic. The first query is just like the one from the blog, using the computer's site, and the user's domain. The DNS server returns the service record for the correct domain controller.

The server then sends another DNS query for the domain specific (query without site info) for the _ldap SRV records in domain A. The DNS server responds with a full list of domain controllers for domain A.

Now, some further troubleshooting. In the same wireshark capture, I see some communication between the terminal server (again, in domain B) and the domain controller in domain A. This communication is only a 2 packet exchange. One CLDAP search request, and the response.

The search request has 3 filters.

Filter 1: DNSDomain=[domain A to which the user belongs]

Filter 2: Host=[terminal server which resides on domain B]

Filter 3: NtVer=0x200000016

The domain controller (again, DC in domain A), responds with:

searchResDone

resultCode: success

MatchedDN: [empty]

errorMessage: [empty]

Hopefully that all makes sense.

Thanks.

Synchronizing Forests Without Using Trusts

Hi,

My company has multiple Active Directory (AD) forests for security reasons. We can't have trust relationships between the forests for the same reasons that caused us to divide our AD infrastructure into different forests. However, our employees still need to access each other's resources, e.g. file servers.

How do I enable this?

AS

Required ports for AD to replicate

hi there!

We have 2008 R2 domain controllers with the domain and functional level at 2008 R2.

We would like to install another DC in another location (the locations are connected with a site-to-site VPN).

I am familiar with this info: http://support.microsoft.com/kb/179442#method3 and http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx, but my question is: in which direction must these ports be opened to/from the other location? In both? From DC1 (in the primary location) to DC2 (in the secondary location), or from DC2 to DC1? Just one way or both directions? Who is the initiator in the replication?

Do our network guys need to open this in both directions or in one direction only?

Client Port(s)               Server Port         Service
49152-65535/UDP              123/UDP             W32Time
49152-65535/TCP              135/TCP             RPC Endpoint Mapper
49152-65535/TCP              464/TCP/UDP         Kerberos password change
49152-65535/TCP              49152-65535/TCP     RPC for LSA, SAM, Netlogon (*)
49152-65535/TCP/UDP          389/TCP/UDP         LDAP
49152-65535/TCP              636/TCP             LDAP SSL
49152-65535/TCP              3268/TCP            LDAP GC
49152-65535/TCP              3269/TCP            LDAP GC SSL
53, 49152-65535/TCP/UDP      53/TCP/UDP          DNS
49152-65535/TCP              49152-65535/TCP     FRS RPC (*)
49152-65535/TCP/UDP          88/TCP/UDP          Kerberos
49152-65535/TCP/UDP          445/TCP             SMB
49152-65535/TCP              49152-65535/TCP     DFSR RPC (*)

What do "client ports" stand for? In this case, who's the client and who's the server?

with best regards,


bostjanc
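The direction question in the table above has a mechanical answer: AD replication is pull-based, the destination DC opens the RPC connection to the source, so with two DCs replicating from each other each one is the "client" for its own inbound replication and the rules are needed both ways. The script below, an added example and not from the post, verifies that from each DC's own point of view: it runs TCP probes on DC1 towards DC2 and on DC2 towards DC1 for the fixed ports in the table, and for the starred dynamic RPC rows it asks the target which ports lsass.exe (NTDS, Netlogon, SAM) is listening on right now and probes those too. DC names are placeholders; Test-NetConnection and Get-NetTCPConnection need Windows Server 2012 R2 or later, and Invoke-Command needs WinRM enabled on both DCs.

```powershell
# Added example, not from the original post. DC1/DC2 are placeholders. Needs WinRM to
# both DCs and Windows Server 2012 R2+ for Test-NetConnection / Get-NetTCPConnection.
$staticPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC Endpoint Mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP SSL' },
    @{ Port = 3268; Service = 'LDAP GC' },
    @{ Port = 3269; Service = 'LDAP GC SSL' }
)

# Runs the TCP probes *on* $From, so they cross the same VPN path replication will use.
function Test-DcTcpPath {
    param([string]$From, [string]$To, [object[]]$Ports)
    Invoke-Command -ComputerName $From -ArgumentList $To, $Ports -ScriptBlock {
        param($target, $list)
        foreach ($p in $list) {
            $r = Test-NetConnection -ComputerName $target -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                From = $env:COMPUTERNAME; To = $target; Port = $p.Port
                Service = $p.Service;    Open = $r.TcpTestSucceeded
            }
        }
    }
}

# The "(*)" rows of the table: whatever lsass.exe on the target currently listens on in the
# dynamic range. Pin NTDS with the "TCP/IP Port" value under the NTDS\Parameters key
# if the firewall team will not open 49152-65535 wholesale.
function Get-LsassListeners {
    param([string]$Dc)
    Invoke-Command -ComputerName $Dc -ScriptBlock {
        $lsass = (Get-Process -Name lsass).Id
        Get-NetTCPConnection -State Listen |
            Where-Object { $_.OwningProcess -eq $lsass -and ('0.0.0.0', '::') -contains $_.LocalAddress } |
            ForEach-Object { @{ Port = $_.LocalPort; Service = 'lsass RPC (dynamic)' } }
    }
}

# Both directions: each DC pulls from the other, so each one initiates its own connections.
foreach ($pair in @(@('DC1', 'DC2'), @('DC2', 'DC1'))) {
    $from, $to = $pair
    Test-DcTcpPath -From $from -To $to -Ports ($staticPorts + @(Get-LsassListeners -Dc $to)) |
        Format-Table -AutoSize
}
```

Test-NetConnection only exercises TCP, so the UDP rows (123, 53, 88 and 389 UDP) still need a separate check such as `portqry -p udp`, and a probe that succeeds today does not prove the dynamic port will be the same after lsass restarts; that is the argument for pinning the RPC port rather than snapshotting it.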

