Channel: Directory Services forum

Dcdiag test failed on VerifyEnterpriseReferences

I just upgraded my 2003 Active Directory to the 2008 version.
My 2008 Active Directory environment is just a single domain controller.
Everything seems to be fine.
After I executed dcdiag testing, there is a failed test on VerifyEnterpriseReferences.
Following is the error description:

[1] Problem: Missing Expected Value
Base Object: CN=AD2008,OU=Domain Controllers,DC=abc,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: Please See Knowledge Base Article Q312862
LDAP Error 0x20 (32) - No Such Object
....................... ......AD2008 failed test VerifyEnterpriseReferences


Does anyone know what this problem is and how to solve it?

Thanks!!

Connecting back to offline domain....


OK, I have the following situation.

I have a workstation which was connected to a domain (AD), but the domain is offline, physically. And that domain controller won't be able to boot because of hard drive errors.

I needed to install a printer on that workstation, and that printer is on a different network. So I disconnected from the old AD (which is offline) and joined a different, current AD (two different businesses). Now I need to "connect" that workstation back to the old OFFLINE AD, which isn't even connected physically and won't boot.

I have no idea what the local password is for the local user account which I was using to connect to the old domain.

I understand there is no way to connect to something that doesn't exist, but is there any way to get that cached user/password back to the old state?

Any suggestions?

Thanks!

FRS on BDC not receiving replication from PDC


Hi everyone! I have been trying to troubleshoot my FRS for the past month and a half now, and up to this point there is no success.

Can anyone help me resolve this problem? I have on my network two servers (2003), one PDC and a BDC. The event viewer log on the PDC shows these messages:

The File Replication Service is no longer preventing the computer xxxx_xxx from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. 

Type "net share" to check for the SYSVOL share

 HOWEVER THE BDC IS SHOWING THESE MESSAGES:

DNS WARNING MESSAGES:


The DNS server encountered a packet addressed to itself on IP address 192.168.0.1. The packet is for the DNS name "z.arin.net.". The packet will be discarded. This condition usually indicates a configuration error. 

Check the following areas for possible self-send configuration errors: 
  1) Forwarders list. (DNS servers should not forward to themselves). 
  2) Master lists of secondary zones. 
  3) Notify lists of primary zones. 
  4) Delegations of subzones.  Must not contain NS record for this DNS server unless subzone is also on this server. 
  5) Root hints. 

Example of self-delegation: 
  -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com. 
  -> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com, 
  (bar.example.microsoft.com NS dns1.example.microsoft.com) 
  -> BUT the bar.example.microsoft.com zone is NOT on this server. 

Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result.  If found, the subzone DNS server admin should remove the offending NS record. 

FRS LOG ON THE BDC DNS LOG IS ALSO FROM BDC:

The File Replication Service is having trouble enabling replication from XXX_XXXA to XXXXSERVERB for c:\windows\sysvol\domain using the DNS name XXX_XXX.XXX.XXX. FRS will keep retrying. 
 Following are some of the reasons you would see this warning. 
 Following are some of the reasons you would see this warning. 

 [1] FRS can not correctly resolve the DNS name XXX_XXX.XXX.XXX from this computer. 
 [2] FRS is not running on XXX_XXX.XXX.XXX. 
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. 

 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

Please, someone, I need your help on this. I am very new to Windows 2003 Server and my knowledge is basic. (Please make the solution instructive for me, thanks.) From gilliep

DS Access Logging - Event 4662


I work in a large hospital environment, and I'm fine-tuning the logging to put into Splunk. Everything is working quite well EXCEPT DS access logging. Before I enabled it, I removed all entries from the domain object's audit ACL tab (because I didn't want to flood the security logs). I ensured that the change was pushed down to each child/subtree object as well, so that no domain object has anything defined in its audit tab.

Upon enabling DS access auditing, my four Exchange servers are spamming the security log on the DCs with READ_CONTROL accesses to all user objects tied to mailboxes.

Problem: The security logs for my three DCs go up to 11GB a night, which gave me a permanent overage mark on my Splunk account, and even with NOBODY defined in the auditing tab on a single AD object, I'm still getting these messages.

*note*

I do have "Audit Directory Service objects" applied to the whole domain. Maybe I should just restrict this back to DCs? I really only want to audit AD object changes, not READs.

Logon failure error- not able to add workstation in Domain


Hi,

It seems some Group Policy is restricting us and we are not able to add a workstation to the domain. When we try to add a workstation to the domain we get the error "Logon Failure: the user has not been granted the requested logon type at this computer".

I checked all known cases: the log on locally, deny logon and other user rights policies, but nothing is able to identify it.

Please help if anyone has faced this issue, and what exactly is to be checked.


Regards: Mahesh

No authentication protocol was available


Hi all,

I made a one-way outgoing trust from my domain to another. Both are Windows 2008 Server.

When I validate the trust (with MMC), I get a message that the trust is in place.

In the event viewer I see the following message: “The Security System could not establish a secured connection with the server ldap/SBASRV1.sba.ad/sba.ad@SBA.AD. No authentication protocol was available”

When I check with nltest whether a user from the domain I made a trust with can authenticate, nltest gives the following response: Didn’t receive a response from mail message.

Does anyone have any idea what is wrong or what I’m doing wrong?

Kind regards,

Jurgen

Validated Trust does not work


Hello everyone,

I set up an external one-way trust from a Windows 2008 R2 domain (A) trusting a Windows 2003 domain (B).
Validation works, but if I try to add a B domain user to an A domain group I get prompted for remote credentials (B domain). It should not happen, and that membership does not work.

If I verify with netdom I get:

netdom TRUST A.fqdn /D:B.fqdn /verify
The command failed to complete successfully.

Even if I provide UO and UD credentials.
Unluckily there is no detailed error.

The only thing I noticed is a warning, event ID 40961, source LsaSrv.

The Security System could not establish a secured connection with the server ldap/DC1.B.fqdn/B.fqdn@B.FQDN. No authentication protocol was available.
The same warning is present for DC2.B.fqdn on a test A domain member machine I used to test the group membership above.

I verified network connectivity anyway with PortQuery and even with nltest, and everything is OK.

Additionally I tried to disable SID filtering, but I always receive "access is denied". I did it from both DCs and always with domain admin rights.

I am not responsible for domain B, so I am still not sure that there is no policy that goes against this trust.

What else?

Thank you for your help

 

Andrea


Why is Directory Services not a listed subset of Windows Server?

LDAPS


Hello,

We are going to be using Mimecast, so I need to set up LDAPS on our 2008 R2 Active Directory. Is there a way to configure LDAPS for only our connection to Mimecast without affecting our workstations, other servers, and any LDAP devices such as copiers?

Thanks,


Jimmie Padilla

What Windows services should be monitored to make sure AD is ok?

What Windows services should be monitored to make sure AD is running well?

Server 2003 Standard - Successful Domain Rename but Still Thinks It's the Old Domain When Trying to Set a Trust!


I inherited two separate domains that were both called the same thing!

I have successfully carried out a domain rename on one of them, but when I try to create a trust between the domains I get the error "The new trust wizard cannot continue because the specified domain is the same domain in which the wizard is running".

If I try to set the trust from the non-renamed domain, it tells me the domain cannot be contacted.

DNS is set for the new domain and the FQDN resolves OK between both domains.

Any thoughts ?

Many thanks

Nick

Certification function for user access Active Directory


Hi,

I'm working for a company which handles a lot of secret data, and we're looking at reorganizing the administration of user rights in Active Directory.

I'm looking for tips and suggestions on how other companies have organized their user administration.

What I'm looking for is a kind of certification where a user asks for a user right and the user's boss has to approve that the user shall have the access the user is asking for.

For example:

User X would like to have access to Z.

And when user X has asked for the access, user X's boss has to certify that the user is guaranteed the access.

By having this implemented we see that we can have more control of all the user rights in our domain.

I'm interested in all kinds of solutions other companies have implemented, and maybe a review of their thoughts on the solution that is/was implemented.

Thanks in advance!

Yours sincerely, srenix

Seeing client time drift within domain


I manage a network of 700 POS Windows XP machines, located across the state. These machines are all joined to a domain, with two DCs located at my corporate HQ.

This domain is a child domain of our production, corporate domain.

I know that by default, client machines sync time with the DC that holds the PDC Emulator role, and I have it set up to do this.

Recently, I have been noticing multiple POS terminals that are seeing some time drift, some 8, 10, 13 minutes off. What could be the cause of this?

Thanks in advance!

sb


Can I add user properties to active directory?


WEB PORTAL TOOL: Updating User Info for AD/Exchange


Looking for recommendations on web self-service tools, to allow users to update their own GAL/contact information (Exchange 2013)

Cross-posting here in AD and Exchange forums.

Thanks in advance.

Difficulties adding 2012 DC to existing 2003 Domain.


I have been trying to add a 2012 DC to a 2003 domain and am having multiple issues.

Background: I lost one of three domain controllers (irrecoverable crash) a few months ago. I successfully seized the FSMO roles onto one of the remaining servers and have been operating in that manner since. I just set up a 2012 Hyper-V server and created a VM to become the first of two new (VM) DCs.

For the last week, I have been stuck at the Deployment Configuration screen of the ADDS wizard. I generally get an error that it cannot access the list of domains in the forest. On occasion, I get past this only to be stuck again at Additional Options.

I have put far too much time into this. I need to resolve it and move on so I can replace the DCs and consider raising the functional level to 2012.

PDC emulator losing master browser elections, time syncing.

If a PDC emulator DC lost the browser elections, could this have an effect on workstations having a hard time finding DCs in my domain? I am getting a few workstations with:

"NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)"

Active Directory Password Policy


Using Windows 2008 SP2 for Active Directory

Our government client has told us we need to enable a password policy for our user IDs. There are two rules that I am not sure AD can handle. The rules are:

1. The new password must differ from the previous password by at least four characters.

2. The password cannot contain personal information such as names, telephone numbers, account names, or birthdates.

Does Active Directory support these rules? If so, how would I implement them? If AD does not support these rules, is there some type of plugin that would help us to enforce the rules?

Thanks in advance for your help. I look forward to your answers.

Export All Groups with Members


Hi,

I need to export all user groups with their respective users, separated by group.

Does anyone know a script or PowerShell command for Active Directory to export this list in any format?


Thanks.
