Channel: Directory Services forum

Temporarily raising account privileges


Is it possible to temporarily raise a user account's privileges, with a specified time set?

So make a user a backup operator for a week -- and presumably this could be audited.

Also, I suppose this would be achieved using RBAC in Windows 2012.

cheers

james


Windows migration security translation


I need to merge 20 subsidiaries into the current AD domains. Each of the subsidiaries has its own DC.

I know I need to set up a 2-way intrinsic trust before I migrate. I am assuming most are on Windows 2003.

Would it be better to migrate with security history or to use the security translation option in this scenario?

How to create a child domain in a child tree?


And I also checked domain replication with no error, according to the below:

http://social.technet.microsoft.com/wiki/contents/articles/11809.troubleshooting-ad-replication-error-1908-could-not-find-the-domain-controller-for-this-domain.aspx

My case is similar to the one in the post at http://social.technet.microsoft.com/Forums/windowsserver/en-US/e125a377-503c-4822-8aef-b04505df2a42/to-create-a-child-domain-unders-the-domain-tree

I have a root forest named: farroot.com

and created a tree in the forest named: fartree.com

All domain controllers are DNS servers for their own domain.

And then I wanna create a new domain under fartree.com

but it always fails.

I don't know what I should enter during the process. I tried all the combinations, but all failed.

I also tried the above-mentioned post and set the to-be-promoted server's DNS to the root DNS only, to no use.

(I also tried the DNS of fartree.com.)

0. At the initial pages, I used the alternate credential of farroot\administrator

1. First step: type the name of any domain in the forest where you plan to install this domain controller

I entered fartree.com

2. Second step: FQDN of the parent domain:/Single-label DNS name of the child domain:

I entered fartree.com / Branch

While the wizard was in the configuring process, it failed with several kinds of error message.

The likely one is "could not find the domain controller for this domain"

However, I tried the network connection to all servers and they were OK.


I'm Charles Lee.


Root CA should be member server?


We currently use a win2003 Root CA and this server is also a Domain Controller.

We plan to migrate the Root CA to win2008 in the future.

Should the Root CA be a member server?

How to disable constraint check for Active Directory DN attributes


Dear all,

is there any way to disable "constraint check" for Active Directory custom DN attributes?

We have an Active Directory for the "xxx.yyy.zz" domain, and we have extended the AD schema with some DN custom attributes.

We want to fill these DN custom attributes with the value "yyy.zz", but we get an error such as "constraint violation" or "the name reference is invalid".

Any help would be appreciated.

Kind Regards,

Panagiotis

Kerberos issue


Let me give background on my environment:

Small Business Server 2003 Standard & Windows 2008 Standard Terminal Server (no workstations). When users attempt to log on to the terminal server they get "Access Denied" right before they get to a desktop. If a user is part of the domain admins they can log in with no issues (this is how I discovered this issue; I was cleaning out the domain admins group). I also get issues when trying to run an RSOP.msc from this machine & gpupdate /force as well. I tried adding a Windows 2008R2 machine to the domain and ran into the same issues when running the above commands.

This environment seems to be an upgrade from Server 2000 from what I can tell. I recently raised the domain/forest function levels to 2003.

I turned on Kerberos logging & enabled debugging. In my research it is possible this is an SPN issue, but I cannot view the SPNs attached to my LocalSystem account (Terminal Serv Licensing runs under this context) as this error is returned each time I check: FindDomainForAccount: DsGetDcNameWithAccountW failed!

I tried the following commands all with the result above:

  • setspn -L "Local System"
  • setspn -L "LocalSystem"
  • setspn -L LocalSystem

Now to my error logs, here are a couple entries from the SBS box event log:

Client Time:

 Server Time: 18:15:0.0000 8/29/2013 Z

 Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN

 Extended Error:

 Client Realm:

 Client Name:

 Server Realm: GU.LOCAL

 Server Name: TermServLicensing

 Target Name: TermServLicensing@GU.LOCAL

 Error Text:

 File: 9

 Line: b22

 Error Data is in record data.

 

A Kerberos Error Message was received:

        on logon session

 Client Time:

 Server Time: 18:15:0.0000 8/29/2013 Z

 Error Code: 0xd KDC_ERR_BADOPTION

 Extended Error: 0xc00000bb KLIN(0)

 Client Realm:

 Client Name:

 Server Realm: GU.LOCAL

 Server Name: host/gu-sbs1.gu.local

 Target Name: host/gu-sbs1.gu.local@GU.LOCAL

 Error Text:

 File: 9

 Line: b22

 Error Data is in record data.

 

Here is some of the Kerberos debug log file:

 


W32Time algorithm to correct time skews


Hi,

I was hoping someone could clarify the algorithms used in Windows 2003 (and 2008 / 2012 if known) to correct time skews. The best I can find relates to Windows 2000:

When the local clock offset has been determined, the following algorithm is used to adjust the time: 

  • If the local clock time of the client is behind the current time received from the server, W32Time will change the local clock time immediately.
  • If the local clock time of the client is more than three minutes ahead of the time on the server, W32Time will change the local clock time immediately.
  • If the local clock time of the client is less than three minutes ahead of the time on the server, W32Time will quarter or halve the clock frequency for long enough to bring the clocks into sync. If the client is less than 15 seconds ahead, it will halve the frequency; otherwise, it will quarter the frequency. The amount of time the clock spends running at an unusual frequency depends on the size of the offset that is being corrected.

http://download.microsoft.com/download/2/0/f/20f61625-7b2a-4531-b007-1c714f1e51b7/wintimeserv.doc

Thanks

David
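
The Windows 2000 rule quoted in the post above, written out as an added example (not part of the original post and not Microsoft's code). The sign convention, the treatment of an offset of exactly three minutes, and the idealized model for how long the slowed clock needs to close the gap are assumptions.

```python
"""Added illustration of the Windows 2000 W32Time adjustment rule quoted above."""
from dataclasses import dataclass

STEP_THRESHOLD_S = 180.0   # "three minutes" in the quoted text
HALVE_THRESHOLD_S = 15.0   # "15 seconds" in the quoted text


@dataclass(frozen=True)
class Correction:
    action: str        # "none", "step" (set immediately) or "slew" (run slow)
    rate: float        # local clock rate relative to normal while correcting
    duration_s: float  # real seconds spent at that rate (0 for none/step)


def plan_correction(offset_s: float) -> Correction:
    """offset_s = client time minus server time in seconds (positive: client ahead)."""
    if offset_s == 0:
        return Correction("none", 1.0, 0.0)
    # Client behind, or more than three minutes ahead: change the clock immediately.
    # Exactly three minutes is not covered by the quoted text; stepping is an assumption.
    if offset_s < 0 or offset_s >= STEP_THRESHOLD_S:
        return Correction("step", 1.0, 0.0)
    # Less than 15 s ahead: halve the frequency; otherwise quarter it.
    rate = 0.5 if offset_s < HALVE_THRESHOLD_S else 0.25
    # Assumed model: at relative rate r the gap closes by (1 - r) s per real second.
    return Correction("slew", rate, offset_s / (1.0 - rate))


def simulate(offset_s: float, tick_s: float = 0.01) -> float:
    """Run both clocks tick by tick through the planned correction.

    Returns the offset (client minus server) that remains afterwards.
    """
    plan = plan_correction(offset_s)
    if plan.action == "step":
        return 0.0
    client, server = offset_s, 0.0
    for _ in range(round(plan.duration_s / tick_s)):
        server += tick_s
        client += tick_s * plan.rate   # slowed client clock
    return client - server


if __name__ == "__main__":
    # Constructed sample offsets, in seconds.
    for sample in (-2.0, 10.0, 15.0, 60.0, 200.0):
        print(sample, plan_correction(sample), round(simulate(sample), 6))
```
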

How to access a domain controller also an exchange server from internet and intranet


I have installed a domain controller in the Local Area Network using the private IP address 192.168.0.50. This domain controller is being used to provide DHCP, and some computers are members of the same domain controller. Now I also want to install Exchange server on the same domain controller. For this I have purchased a Domain controller from a registrar and a Public IP from the ISP. As you know, the exchange server needs a public IP address to access the exchange server from the internet. Kindly tell me how I can access the domain controller and mail locally or worldwide. I think I need both public and private IPs but do not know how to use both simultaneously.

Thanks in advance.



Domain Rename w/Exchange 2010, or setup New Domain?

We have a Server 2008 R2 active directory domain, 2008 R2 functional level for domain and forest, 3 DCs, Exchange 2010 server, multiple SQL 2008 servers, Blackberry Enterprise Server, 4 DFS servers, about 2 dozen member servers, and ~400 users spread around a dozen geographic locations.  Single domain, which is also the forest root.

The business was re-named and the IT department has been tasked with renaming the domain and everything therein.

Based on your collective experience, is it better to go through the effort of re-naming the current domain, or should we start over with a new forest, new domain, and migrate from old forest to new.

We don't want to create a new domain in the same forest, since the existing domain name (the forest root) will no longer be used and we don't want to maintain domain controllers ONLY to prop up that old root/domain.

Opinions, suggestions, pitfalls, tales from the trenches-- all welcome. 

Is RODC good for DR?

I plan to set up AD on the DR site. Nobody uses the DR AD in a normal situation. It runs to receive changes that happen in production. I am looking for a solution to prevent an accident in case we do a DR rehearsal and a change on AD may replicate to the production server.

Is RODC good for DR? If it has to switch DR to production, can the RODC turn into a DC?

Regards,

Chaba


 

___________________________________________________ Naruphon blog: http://www.vm360degree.com

Creating DNS forwarding and/or Stub - Timeout error during validation

Hi,

I am trying to set up a trust between two domains in different forests. While creating a stub zone on DOMAIN2 I receive a "timeout error" whenever the master DNS of DOMAIN1 is being validated. The same is true if I create a forwarder for DOMAIN1 on DOMAIN2.

Creating a stub zone on DOMAIN1 for DOMAIN2 is successful, with no validation errors.

DCs on both domains can ping each other. I can tracert from the DOMAIN1 DC to the DOMAIN2 DC and vice versa through the correct gateway. All firewall ports are set to allow the trust, including port 53 TCP and UDP. I already have a trust with another domain in a 3rd forest set up across the same firewall.

IPv6 is not enabled on the problem DC (Windows 2008)

Thanks in advance


duplicate client on domain

Hi,

I have some external laptop users who are joined to the domain. They have access to some licensed software in our network and they are authenticated by PKI infrastructure.

Now I'm worried that someone could clone one of these laptops to another laptop of the exact same model and use our licensed software too. It means two computers that are completely the same have access to our domain and our resources.

My question is: is it possible to do something, or is there a restriction on that?

Thanks,


Bob

winRMRemoteUsers vs "Remote Management Users"

Hi All

While researching using Server Manager in 2012 to remotely manage other servers, I came across these two Domain Local Security Groups:

  • winRMRemoteUsers (in Users container)
  • Remote Management Users (in Builtin container)

I have read their descriptions which seem identical.

Can anyone enlighten me as to their difference?

TIA
Simon

Res.Rwm modification.

The Res.rwm file appears when we add the very first image file on the WDS server, and this res.rwm file is stored under c:\remoteinstall\images\ImageGroup1. Can we view the contents of the .rwm file?

how to sync AD DS to AD LDS instance on a workgroup server?

I found the system's help document was not detailed enough.

I searched the forum and found some threads titled AD DS to AD LDS, but those did not help.

So I ask for your help here.

I can configure the sync from AD DS to an AD LDS instance in the domain.

But now I want to sync AD DS to a non-domain (workgroup) server's AD LDS.

Can you tell me how?

Thank you!


I'm Charles Lee.



Sync issue between 2 DC's

Hello,

I have a problem with the replication between 2 DC's.
The directory services cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

When I check with Active Directory Sites and Services I see the following :
SERVER 1
USN's :
Current : 16548
Original : 16454

SERVER 2
USN's :
Current : 12449
Original : 5835

The last successful sync :
SERVER 1 : 27/08/2013
SERVER 2 : 14/07/2013

I suppose this happened with a power outage and the server started with a wrong time.

What's the best method to fix this issue?

Regards,
Tim Van Engeland

AD Trust relationship

Hi

We have the below scenario and are facing a problem with the trust relationship, pls help.

1) Forest name is maheshgroup.com (name changed)

2) One of the domain names is maheshstore (FQDN: store.maheshgroup.com)

3) As part of restructuring, the maheshstore domain now needs to be taken out.

4) Installed a new single forest and single domain with the domain name maheshstore.in as FQDN and MHST as NETBIOS name.

5) While configuring the trust relationship, it was initially configured as a one-way trust.

6) Understand that a two-way trust is required for cross-forest migration using ADMT, hence deleted the one-way trust configured.

7) Now when we try to create a two-way trust, we get the error " The Operation failed. The error is :The specified account already exist. "

8) We checked all the details and no such conflict was found. We even deleted the domainname$$$ group created during the earlier trust.

9) Checked nltest /domain_trust also, couldn't find any trusted domain info.

Pls help how can we resolve this issue.

 


Regards:Mahesh

RODC Authentication Pass Through

Hi Support Community,

We deployed an RODC within a perimeter already and it's working fine. In my understanding the RODC forwards all authentication to the internal RW-DC if the password is not cached by the PRP (Allowed RODC Group).

Is there a way to prevent the pass-through for a subset of defined users/computers that I don't want to be authenticated at the perimeter's RODC from the perimeter's AD site? As an option, is it possible to achieve this goal by modifying the LDAP access to these user/computer accounts and removing the read access for anyone?

Ty.

The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

Hi,

I keep getting the below event logged when a DC's DNS services are restarted.

The DNS server was unable to create a resource record for 899494f1-fac0-4405-8bf4-d3d2326d0449._msdcs.domain.local. in zone domain.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

The server was demoted and promoted and the server received a new GUID but the server is still trying to register the 899494f1-fac0-4405-8bf4-d3d2326d0449._msdcs.domain.local entry. The entry does not exist in the domain.

I used the below article before we demoted the server; however, it did not resolve the problem:

http://technet.microsoft.com/en-us/library/cc735667(v=ws.10).aspx

Does anyone have any ideas?

Thanks

Don


Kind Regards Don

Issue with reconnecting a 2003 domain server to existing network

OK, I took over a school's IT, and 2 weeks into the job, one of their servers goes down: hard drive issue, lsass.exe error, the ntds.dit is corrupt. So I tried to fix the database, no joy; tried compacting it, no joy; tried deleting the logs, no joy. So I demoted with dcpromo. Upon restart, I recreated the domain with the same name. That went OK. When I logged back in I had lost connection to the first server, same domain name; however, this one that went down was the global catalogue. I have tried everything I can think of and cannot recreate the link between the 2; everything I try to replicate, I get an RPC error.

Any ideas?


Also, the error "The DNS server was unable to open Active Directory." is coming up. There have been no backups of the system state, so I can't restore.