Hi people!
I'm new to thecompanyand I'mrunning awindows 2008domain.I realized thatexists the accountntauthority \authenticated usersinto
the Administrators group.This isby default?realized that common accounts(ie, domainusers only) do not havetheadministrator privileges on domaincomputers.What are the impactson the netif I remove theauthenticated usersof the Administrators group?
Thank youeveryone!
Getting "to install a domain controller into this active directory forest you must first prepare the forest" even after executing ADprep on my domain controller.
My Domain Controller : windows server 2008
Planning to install Additional Domain controller on Windows server 2008 R2
Is it possible that a Domain Controller to Authenticate a username and password against two different domains without being given the domain? I am having a 3rd party company provide an application that authenticates against my Controller. I would hope to have the Controller check both domains for the user being authenticated for.
My Controller has a trust relationship with another AD Domain Controller. And those users need access through the 3rd party application.
Thanks
Joe Young
Hey all, this one has me pulling my hair out. Hopefully you can help.
I am trying to test a particular piece of software and how it behaves when the user logging in has an expired password. The problem is that I seem to be unable to expire a password "on-demand". I am running a domain at Windows 2003 functional level with a mix of 2003 and 2008 DCs (all of the required prepping has been done).
I know that I can set an expiration date for the account, and that is not what I want. I also know that you can change (either programmatically or via ADSIEdit) the value of "pwdLastSet" to 0, and that will force the user to change the password. However, this is technically not the same thing as having an expired password, it's more akin to ticking the box labeled "User must change password on next logon". I have observed that ticking that box does in fact set "pwdLastSet" to 0.
So I've done some further digging and it appears that you can set "userAccountControl" flags on the AD object. The account that I am testing with presently has a "userAccountControl" value of 0x200 (512 in decimal), and the ADUC Attribute Editor parses that as NORMAL_ACCOUNT. The flag for EXPIRED_PASSWORD is 0x800000 (decimal 8388608). So basically I should be able to do the typical bitmask math, adding the currently set flags (512) to the desire flag (8388608) to get the new value of 8389120. So I edit "userAccountControl", key in 8389120, click OK, click Apply. Then when I look at the "userAccountControl" property is see a new hex value of 0x800200 and that it is parsed out as NORMAL_ACCOUNT | PASSWORD_EXPIRED.
Fantasic! Everything works as intended, right? Wrong. Because as soon as I hit OK to close the account's properties tab and go to view the account, I see that"userAccountControl" has reverted to 0x200 (decimal 512), i.e., the PASSWORD_EXPIRED flag has been cleared somehow. I also verified that having the PASSWORD_EXPIRED flag doesn't reset the "pwdLastSet" field either. So what is going on here? Is there another attribute that I need to flip? Why does this keep reverting on me?
I have tested setting some of the other flags (DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH, etc) and none of them revert automatically, so I know that the attribute is writable and that my account has permissions to set the flags.
Let me give background on my environment
Small Business Server 2003 Standard & Windows 2008 Standard Terminal Server (no workstations) When users attempt to logon to the terminal server they get "Access Denied" right before they get to a desktop. If a user is part of the domain admin's they can login with no issues (this is how I discovered this issue, I was cleaning out the domain admin's group) I also get issues when trying to run anRSOP.msc from this machine & gpupdate /force as well. I tried adding a Windows 2008R2 machine to the domain and ran into the same issues when running the above commands.
This environment seems to be an upgrade from Server 2000 from what I can tell. I recently raised the domain/forest function levels to 2003.
I turned on Kerberos logging & enabled debugging. In my research it is possible this is a SPN issue, but I cannot view the SPN's attached to my LocalSystem account (Terminal Serv Licensing runs under this context) as this error is returned each time I check: FindDomainForAccount: DsGetDcNameWithAccountW failed!
I tried the following commands all with the result above:
Now to my error logs, here are a couple entries from the SBS box event log:
Client Time:
Server Time: 18:15:0.0000 8/29/2013 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: GU.LOCAL
Server Name: TermServLicensing
Target Name: TermServLicensing@GU.LOCAL
Error Text:
File: 9
Line: b22
Error Data is in record data.
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 18:15:0.0000 8/29/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: GU.LOCAL
Server Name: host/gu-sbs1.gu.local
Target Name: host/gu-sbs1.gu.local@GU.LOCAL
Error Text:
File: 9
Line: b22
Error Data is in record data.
Here is some of the Kerberos debug log file:
416.408> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x252ac6f, accepting 0:0x3e7
416.516> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2536aa9, accepting 0:0x3e7
416.516> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2536c71, accepting 0:0x3e7
416.516> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2536d36, accepting 0:0x3e7
416.516> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2536d57, accepting 0:0x3e7
416.516> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2536d96, accepting 0:0x3e7
416.516> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2536db7, accepting 0:0x3e7
416.516> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2536dee, accepting 0:0x3e7
416.516> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2536e24, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2539dca, accepting 0:0x3e7
416.1148> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x253ae5b, accepting 0:0x3e7
416.6988> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.6988> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x253dba3, accepting 0:0x3e7
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.516> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.516> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x253e126, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x253e13c, accepting 0:0x3e7
416.596> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.596> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2540d9a, accepting 0:0x3e7
416.508> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2548944, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x254ef74, accepting 0:0x3e7
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.1144> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1144> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.508> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2552bb2, accepting 0:0x3e7
416.1144> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2552c0a, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2552c69, accepting 0:0x3e7
416.508> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x255628d, accepting 0:0x3e7
416.504> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x255b944, accepting 0:0x3e7
416.408> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2560d3d, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbFindCommonPaEtype using current password of IUSR_GU-SBS1@GU
416.408> Kerb-LSess: KerbFindCommonPaEtype using current password of IUSR_GU-SBS1@GU
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25674b5, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x256d68c, accepting 0:0x3e7
416.504> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25748c0, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket creating logon session for 0:0x2579c99, accepting 0:0x3e7, client GU-SBS1$@GU.LOCAL
416.7292> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
416.7292> KSupp-Warning: KerbUnpackData failed to unpack typed data, trying error method data
416.7292> KSupp-Error: KerbUnpackErrorData received failure from kdc 0xd KLIN(0) NTSTATUS(0xc00000bb)
416.7292> Kerb-Warn: Failed S4Uproxy request c00000bb(4)
416.508> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2579da8, accepting 0:0x3e7
416.1052> Kerb-Error: Failed to create token: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 2461
416.1052> Kerb-Error: Failed to create token from ticket: 0xc000006e. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3778
416.408> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x257fef7, accepting 0:0x3e7
416.6988> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2583a27, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2585499, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2586667, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25866bc, accepting 0:0x3e7
416.1148> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x258671b, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x258c183, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2591dcb, accepting 0:0x3e7
416.408> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2597bf9, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x259cfa0, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25a04c7, accepting 0:0x3e7
416.6988> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25a3279, accepting 0:0x3e7
416.7264> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25a4281, accepting 0:0x3e7
416.1148> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25a6c5b, accepting 0:0x3e7
416.1148> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25a6fa7, accepting 0:0x3e7
416.1144> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25abc77, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25abcc7, accepting 0:0x3e7
416.7304> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25aed24, accepting 0:0x3e7
416.1144> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25b430e, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25b45fb, accepting 0:0x3e7
416.508> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25b9b5a, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25bdeb3, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25bdf11, accepting 0:0x3e7
416.1144> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25bdf7c, accepting 0:0x3e7
416.508> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25bf9da, accepting 0:0x3e7
416.6988> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25c148e, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25c185a, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25c18f8, accepting 0:0x3e7
416.596> Kerb-Warn: KerbGetTgtForService getting new TGT for account
416.596> Kerb-LSess: KerbFindCommonPaEtype using current password of administrator@GU.LOCAL
416.7304> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25c6957, accepting 0:0x3e7
416.7304> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25cc78e, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25d18ca, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25d7814, accepting 0:0x3e7
416.408> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25dcb8c, accepting 0:0x3e7
416.508> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25e1f6f, accepting 0:0x3e7
416.408> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25e7e04, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25ed805, accepting 0:0x3e7
416.504> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25ef286, accepting 0:0x3e7
416.1144> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25ef2fc, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25ef35b, accepting 0:0x3e7
416.7264> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25f3093, accepting 0:0x3e7
416.504> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25f83ee, accepting 0:0x3e7
416.504> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x25fe33c, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbFindCommonPaEtype using current password of IUSR_GU-SBS1@GU
416.408> Kerb-LSess: KerbFindCommonPaEtype using current password of morgan.perkins@GU
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2602180, accepting 0:0x3e7
416.7304> Kerb-LSess: KerbFindCommonPaEtype using current password of IUSR_GU-SBS1@GU
416.408> Kerb-LSess: KerbFindCommonPaEtype using current password of IUSR_GU-SBS1@GU
416.7296> Kerb-LSess: KerbFindCommonPaEtype using current password of IUSR_GU-SBS1@GU
416.504> Kerb-LSess: KerbFindCommonPaEtype using current password of IUSR_GU-SBS1@GU
416.508> Kerb-LSess: KerbFindCommonPaEtype using current password of IUSR_GU-SBS1@GU
416.7264> Kerb-LSess: KerbFindCommonPaEtype using current password of IUSR_GU-SBS1@GU
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x26025a8, accepting 0:0x3e7
416.7304> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2603b97, accepting 0:0x3e7
416.408> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2609007, accepting 0:0x3e7
416.1144> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x260b9d0, accepting 0:0x3e7
416.7264> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x260f6f8, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket creating logon session for 0:0x2613373, accepting 0:0x3e7, client GU-SBS1$@GU.LOCAL
416.8768> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
416.8768> KSupp-Warning: KerbUnpackData failed to unpack typed data, trying error method data
416.8768> KSupp-Error: KerbUnpackErrorData received failure from kdc 0xd KLIN(0) NTSTATUS(0xc00000bb)
416.8768> Kerb-Warn: Failed S4Uproxy request c00000bb(4)
416.508> Kerb-Warn: KerbReplacePasswords replacing old keys
416.508> Kerb-LSess: KerbFindCommonPaEtype using current password of GU-SBS1$@GU.LOCAL
416.508> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
416.508> Kerb-Warn: KerbGetTgsTicket KerbCallKdc: error 0x7
416.508> Kerb-Warn: Failed to get TGS ticket for service 0xc000018b :
TermServLicensing
416.508> Kerb-Warn: d:\nt\ds\security\protocols\kerberos\client2\kerbtick.cxx, line 3899
416.508> Kerb-Warn: SpInitLsaModeContext failed to get outbound ticket, KerbGetServiceTicket failed with 0xc000018b
416.7264> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2614eb3, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x261a33e, accepting 0:0x3e7
416.516> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x261ec25, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x261ed0d, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x261ed62, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x261edc1, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2620148, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2625d68, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x262b0db, accepting 0:0x3e7
416.408> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x263031e, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x263671a, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x263bb8c, accepting 0:0x3e7
416.1144> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x263d9da, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x263e8fe, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x263e94d, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x26411f6, accepting 0:0x3e7
416.7304> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x26464c1, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x264c661, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x264f440, accepting 0:0x3e7
416.1144> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x264f495, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x264f4f4, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2651e39, accepting 0:0x3e7
416.6988> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2654aaa, accepting 0:0x3e7
416.1052> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2654ecd, accepting 0:0x3e7
416.1144> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2654f16, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2657979, accepting 0:0x3e7
416.504> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x265d84a, accepting 0:0x3e7
416.7296> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2662f54, accepting 0:0x3e7
416.7072> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x2669279, accepting 0:0x3e7
416.504> Kerb-LSess: KerbFindCommonPaEtype using current password of IUSR_GU-SBS1@GU
416.7264> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0x266fbe2, accepting 0:0x3e7
Hello, I am trying to setup WIA for the internal users. When currently going to the login we just get the forms authentication. How do we get it to pass through the currently logged in user without having to fill in user name and password?
Server 2012 ADFS 2.1. Internal users are pointed to the internal ADFS server and not the Federation proxy.
I have tried editing the web.conf and placing the <add name="Integrated" page="auth/integrated/" befreo the forms authentication but doesnt appear to make a difference. Have not been able to find any specific information on setup of WIA. Thanks.
I Enabled Recycle Bin Feature for My Forest everything went smoothly
Then i deleted some account to test the feature however when i trying to check the Deleted account its not giving any output neither any account is getting restore
Hi,
I do have an Environment of domain controller on Server 2008 R2 SP1, with the Forest functional Level and Domain Functional Level for Windows Server 2003. In this environment I do have 3 Domain Controllers, two on site A and one on Site B. Replication between all the domain controllers are healthy and happens on every 15 minutes. One of the Domain Controller on Site A holds 5 FSMO of Domain.
Everything on my domain controller is running fine for till now, but I am having some issues with the Domain Machines. My domain Machines are getting deleted as well some time getting disabled automatically. and it generates the event id of 5723. The deleted
machines are of Windows 7 SP1 and Windows XP SP3.
Error occurs on Event ID like this.
---------------------------------------------------------------------------------------------------------------------------------------------------------
The session setup from computer 'HOSTNAME' failed because the security database does not contain a trust account 'HOSTNAME$' referenced by the specified computer.
USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. If this is a Read-Only Domain Controller and 'HOSTNAME$' is a legitimate machine account
for the computer 'HOSTNAME' then 'HOSTNAME' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller). Otherwise,
the following steps may be taken to resolve this problem:
If 'HOSTNAME$' is a legitimate machine account for the computer 'HOSTNAME', then 'HOSTNAME' should be rejoined to the domain.
If 'HOSTNAME$' is a legitimate interdomain trust account, then the trust should be recreated.
Otherwise, assuming that 'HOSTNAME$' is not a legitimate account, the following action should be taken on 'HOSTNAME':
If 'HOSTNAME' is a Domain Controller, then the trust associated with 'HOSTNAME$' should be deleted.
If 'HOSTNAME' is not a Domain Controller, it should be disjoined from the domain.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hoping to get support on this regard :).
Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
Hi!
i can transfer all roles except Schema Master (Windows Server 2008 R2), see the error below.
Whats the issue
I am using System.DirectoryServices.AccountManagement apis to create a new user/disable an account in Active Directory. When i am trying to create a new user, and set its password, m/c throws an exception with the message The RPC server is unavailable. (Exception from HRESULT: 0x800706BA). The following snippet is used to create and persist the user.
UserPrincipal user = new UserPrincipal(ctx);
user.GivenName = "Andrew";
user.Surname = "Green";
user.EmailAddress = "agreeen@gmail.com";
user.SamAccountName = "agreen";
user.Save();
user.SetPassword("Pqw^&12");
user.Save();When i execute this, the code throws an exception as soon as it tries to set a password. After a little search on the net, I tried out the following things.
Since acct agreen gets created without password, there is no privilege or connection issue. I added Windows Management Instrumentation(WMI) as exception to the windows firewall on my AD machine I ensured that the following services RPC Endpoint Mapper, Remote Procedure Call, Remote Registry are running on the AD machine. Ensured that the account, that is used to connect to AD machine, has Enable remote Controlchecked I verified that port 135 is not blocked on AD machine The setup that i have is, I have box b1 running Microsoft Windows 7 Professional, which is trying to connect to a box b2, running Microsoft Windows Server 2008 R2 enterprise. The c# code is running on .Net4.5 framework on b1, and trying to create account on b2.
When i tried running the code from the same box(i.e. box with AD), I was able to successfully create the account with password, when i specified the ip address as localhost, but when i specified it as m/c ip address, it failed with the same exception
Please let me know what i am doing wrong.
Thanks
Hi
I want get active directory user password to plaint text or give it to some script using password filter dll.
If any one implement acctync tool. Please tell me the setup how to enable this tool.
As per instruction given in acctsync installation.
(a) Copy "passwdhk.dll" to C:\Windows\system32
(b) Edit the "HKLM->SYSTEM->CurrentControlSet->Control->Lsa->Notification Packages" registry value and add "passwdhk" (without the quotes) to the list of names there (on a new line).
(c) Edit the file "passwdhk.reg" to suit your environment and then import it into the registry by double-clicking that file or use passwdhk_config.exe to configure settings.
(d) Set "Domain Security Policy\Windows Settings\Security Settings\Account Policies\Password Policy\Passwords must meet complexity requirements" to enabled to enable both complexity checking and the password filter.
(e) Reboot.
Please tell me any other to get active directory user password in plaint text format.
Regards,
Nilesh Bhanage
Customer has small AD, one DC. It’s a W2003 R2 x64 OS. AD is functional level Windows 2003.
They have made some changes to the AD schema for application reasons – 8 new attributes in there.
They want to look at upgrade to get off 2003. Rather not in-place upgrade, so I propose:
- -Leave 2003 DC in place
- -Introduce 2008 R2 (or even 2012?) server
- -Promote new server to be the DC, seize roles etc.
- - Retain/retire 2003 DC
I think as soon as a later version DC is brought in, it changes Schema version forest-wide. But what about schema content? Would they lose their Schema changes? How to avoid? Or can we just re-add them in (they are scripted)
Have to test of course, but in theory do changes like above ‘reset’ the AD schema? Or are the 'old' contents replicated to the new DC?
Many thanks
padraigd
I don't want to use the default port 389. Please tell to how to configure it. Also How to enablessl.
Thanks.
Adamsync is working BUT...when I sync an OU everything processes normally until...it moves to "renaming target object" entries which is fine, but after about a hundred lines of that it craps out with the "unable to allocate additional memory" error below.
Objects are populating, and successfully (user to userproxy transform works, can authenticate using them etc) but just doing our security groups needed 29 runs to parse through all the objects and give me a successful completion.
I'm not finding ANY other indication of problems, I have no idea what sort of memory issue this could be! I normally can get a point in the right direction from searching newsgroups and technet from error codes, but I've got nothing on this one.
This snippet is from one of the security group OU (via specifying specific base-dn) runs...it's preceded by 99% of the log filled with 'processing source' entries, then cuts to renaming target objects which is fine...if it would continue. Tonight I've run 40 times trying to sync a large user OU, HELP PLEASE!
Hi there,
Can I get some advise where is the Best Place, or what is the Best practice to Install the AD LDS..?
Should it be Inside a firewall, or Outside the firewall in the DMZ?
Our train of thought is place the AD LDS in the DMZ for External customers
Our application Web portal will reside in DMZ, along with our AD LDS instance for our External customers, thus separating our internal Active Directory users inside the firewall....so where should we depoly AD LDS.
Any help appreciated...
Paul
I'm currently trying to recover a virtualized domain controller in our offsite test DR lab. There is no connectivity to our production environment for that location - essentially a cold site. Currently in production, we have a physical and VM domain controller in one location and another physical DC at an offsite facility (all 2008 R2). They do have DNS.
First off, my goal is not to be testing the validity and functionality for production use of the VM DC (as we could tunnel in and replicate in a true DR), but just have a way to do some simple tests in our lab with an isolated DC that I can get up and running quickly with current data.
The issues I'm running into is after I do the restore of the DC VM, I am unable to do any authentication aside from the domain administrator account. The network connectivity is non existant - IP is correct, DNS to itself. However, after ~30 min, services are up and running, everything is perfectly fine ... fine in the sense of what state I need it to be in to do my testing (I'm aware there are lots of replication errors which might be the root of the problem). What I find though is that when I reboot, I'm back into the same waiting game to be up and running and log in. While this is just a test on my part, it got me curious on how to get this up in a 'better state' moving forward.
This article almost seems to be exactly what I'm experiencing, but following steps did not solve my issue -http://support.microsoft.com/kb/2001093/en-us
I've also followed the system state and non-system state recovery methods -
And I've seized the roles on the isolated DC VM and no success either.
Again, this isn't a mission critical recovery - but the failures got me scratching my head. I'm far from an AD expert. What else can I try to get this DC up smoothly? Am I missing a step?
Hi,
I'm trying to add an RODC to our domain. The server is 2008 R2. I just did a clean install and installed all windows updates.
The other two writeable DCs are 2008 R2 and 2003. The 2008 R2 server I just added a few weeks ago and works perfectly.
After running dcpromo I ran net share and I can see the sysvol and netlogon folders have not been shared out.
When I run DCDIAG I can see the following error message:
I can see fa616ded-3ba9-453d-9d49-a22ae85bbf70._msdcs.sub.mydomain.com in the DNS and it has the correct CNAME
Hi,
I have a Windows Server 2008 R2 running as domain controller with functional level "Windows Server 2003". The DC is running on VMware ESXi and we are migrating to Hyper-V. What approach would you recommend for moving the DC from VMware to Hyper-V?
1. Use Disk2VHD on the DC ruinning on VMware and then create a new VM on Hyper-V and add the disk created by Disk2VHD.
2. Create a new VM on Hyper-V and promote this to a DC. Move FSMO role to new DC. Retire old DC.
3. Other?
Thanks,
Rune