Odd connection issue with Active Direcrory from Server 2008

September 20, 2013, 11:15 am

≫ Next: Restoring DC systemstate in test environment

≪ Previous: Need to create a trust but same NetBIOS names

I have a custom membership provider that uses active directory. When the application is installed on a windows server 2008 SP1 machine the users request to login to AD fails exactly 3 times and is allowed access on the fourth try. Once this happens it does not happen again until some period of inactivity. It does not happen from WIN7 machines. It should be noted that this logic makes up to 4 calls to active directory during the authentication process where the first is a call to validate that the user exists. This call never fails it is later when the provider attempts to validate the password does the Active directory server return an unknown user or bad password exception. It should be noted that automating this process and ensureing that the data is the same every time the same thing happens. It is always 3 failures and the fourth is accepted.

The AD server is running 2003 Server

Any ideas would be appreciated

↧

Restoring DC systemstate in test environment

September 20, 2013, 10:58 am

≫ Next: Is it possible to turn this Domain Controller into a PDC?

≪ Previous: Odd connection issue with Active Direcrory from Server 2008

I have production dc system state and trying to restore in a test DC Virtual machine. I have been able to restore it successfully but Sysvol folder does not look shared and moreover i am unable to open dsa.msc in the new DC VM.

MCSE Certified

↧

Is it possible to turn this Domain Controller into a PDC?

September 20, 2013, 1:23 pm

≫ Next: Error HRESULT E_FAIL has been returned from a call to a COM component

≪ Previous: Restoring DC systemstate in test environment

BACKGROUND:

1) Some time ago, a colleague did a clean install of Windows Server 2008 R2, promoted it to Domain Controller from an old Windows Server 2003, and life seemed to be good. In the meantime, a bunch of software was installed the on server.

2) He asked me to take a look because of a seeming annoyance: the Active Directory for Users and Computers (dsa.msc) fails with this error:

ERROR: Naming information cannot be located because: 
The specified domain either does not exist or could not be contacted.

3) Looking further:

- There is no SYSVOL and no NETLOGON - dcdiag passes most tests, but flags this error:

...
Running enterprise tests on : rgbprojects.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.

4) Most things seem to work. Active Directory exists, users can log in, the databases and 3rd-party enterprise software installed on the server all work.

But we seem to have a domain without a PDC.

It is not practical to reinstall from scratch.

Q: Is there any chance I can somehow create a Global Catalog, SYSVOL and NETLOGON and turn our Domain Controller into a viable PDC?

↧

Error HRESULT E_FAIL has been returned from a call to a COM component

September 20, 2013, 2:55 pm

≫ Next: Few DC status is showing Unavailable in Change Directory Server mmc

≪ Previous: Is it possible to turn this Domain Controller into a PDC?

Hi,

I just want to get the count of all members in the directory in my organization. I'm doing the following:

DirectoryEntry dir = new DirectoryEntry("LDAP://CN=users,DC=<company-name>,DC=com");

DirectorySearcher search = new DirectorySearcher(dir);

SearchResultCollection mySearchResultColl = search.FindAll();

count = mySearchResultColl.Count;
MessageBox.Show(count.ToString() + " entries in directory.", "Search");

When I run it, the message box displays the error - Error HRESULT E_FAIL has been returned from a call to a COM component.

Please let me know why it is showing this error and how I can fix it.

Thanks a lot.

Gunjan B. Sharma

↧

Few DC status is showing Unavailable in Change Directory Server mmc

September 20, 2013, 11:44 am

≫ Next: Migration from 2000 domain to 2008 R2 domain

≪ Previous: Error HRESULT E_FAIL has been returned from a call to a COM component

Hi Experts,

In our environment while changing the DC from ADUC, few DC's status is showing as unavailable.. sometimes it will change to Online then again it will change to Unavailable.

Few blogs says this error might be due to IPV6 disabled on DC's.. But in our environment we have enable IPV6 in all DC's.

Regards, Nidhin.CK

↧

Migration from 2000 domain to 2008 R2 domain

September 20, 2013, 6:28 pm

≫ Next: Creating Security Groups withthe help of Script

≪ Previous: Few DC status is showing Unavailable in Change Directory Server mmc

Hello,

I have an existing windows server 2000 active directory (domain controller) with a PDC and a BDC and few server 2003, I want to replace both PDC and BDC 2000 to windows 2008 r2 domain controller active directory keeping the same name and ip address because I have many other applications and reports running and looking the name and ip address of existing domain controller.

How can I do this? Thank you for your help

↧

Creating Security Groups withthe help of Script

September 19, 2013, 11:08 pm

≫ Next: Two DHCP Server in Two Diffrent Site Separated by Routers need Failover Setup if One Server goes down Other will Provide the Ip's Vice Versa

≪ Previous: Migration from 2000 domain to 2008 R2 domain

Is it possible to create security Grops with the help of script , In our environment we have to create lagre number of security groups on daily basis where we are following naming conventions ex : xxx-12C-MSFT-VS2008BI-127666-1.0 ,sometimes we have to create almost 20 to 30 security groups whare we are also giving describtion and adding those security groups that to master security groups. any help will be appreciatable.

↧

Two DHCP Server in Two Diffrent Site Separated by Routers need Failover Setup if One Server goes down Other will Provide the Ip's Vice Versa

September 20, 2013, 10:19 pm

≫ Next: I am not able to create or login the domain users on adc when my pdc fails.

≪ Previous: Creating Security Groups withthe help of Script

I am New to Server 2008,Have Environment

Site 1:

a. Server 2008 ADDS and DNS

Subnet :192.168.0.1.....192.168.0.254

b. Planing for DHCP

Site 2:

a.Planing for Server 2008 ADDS,DNS,DHCP Setup

Subnet :192.168.1.1.....192.168.1.254

Problem : How do i Setup the DHCP Servers as backup of Each Other in two different Location having different Subnet Separated by Routers Each Side

↧

I am not able to create or login the domain users on adc when my pdc fails.

September 20, 2013, 8:09 pm

≫ Next: Domain got corrupted after one DC removal

≪ Previous: Two DHCP Server in Two Diffrent Site Separated by Routers need Failover Setup if One Server goes down Other will Provide the Ip's Vice Versa

Dear Team,

I am having parent domain controller in data center name AUCBDC & also having Additional domain Controller in the same location name AUCBADC. whenever i shutdown my pdc for maintanance my domain users not able to login into domain and i am also not able to create domain account my domain web application also not running.my domain is no longer.

* i am also set global catlog in the Additional Domain Controller(AUCBADC)

*my parent domain controller(AUCBDC) & Additional Domain Controller(AUCBADC) also replicated.

Please provide the solution as the earlieast.

Thanks,

Pkshirsagar

↧

Domain got corrupted after one DC removal

September 5, 2013, 7:05 am

≫ Next: AD on SBS2003 issue, horrible issue please help. do not want to restore.

≪ Previous: I am not able to create or login the domain users on adc when my pdc fails.

Cut long story short: I couldn´t unpromote and remove one of my DCs (DC0), and I did a force remove with GUI. All DCs are Server 2012 based. Other DC, DC6 holds all fsmo roles. After force removal of DC0, almost all services of AD is not working. Open almost any mmc console will give "Naming information cannot be located because the specified domain either does not exist or could not be contacted". This is also seeing on the DC6 which holds all FSMO roles. In DNS I see PDC pointed to DC6, but still DC6 wines in dcdiag (I´m only pasting failures on DC6)

Doing primary tests

   Testing server: Default-First-Site-Name\DC6
      Starting test: Advertising
         Fatal Error:DsGetDcName (DC6) call failed, error 1355
         The Locator could not find the server.
         ......................... DC6 failed test Advertising
      Starting test: FrsEvent
         ......................... DC6 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared. Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC6 failed test DFSREvent

      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC6\netlogon)
         [DC6] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DC6 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC6 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,DC6] A recent replication attempt failed:
            From DC0 to DC6
            Naming Context: DC=DomainDnsZones,DC=labs,DC=dom
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2013-09-05 15:59:02.
            The last success occurred at 2013-09-05 11:00:40.
            6 failures have occurred since the last success.
         [DC0] DsBindWithSpnEx() failed with error 5,
         Access is denied..
         [Replications Check,DC6] A recent replication attempt failed:
            From DC0 to DC6
            Naming Context: DC=ForestDnsZones,DC=labs,DC=dom
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2013-09-05 15:59:02.
            The last success occurred at 2013-09-05 10:57:39.
            6 failures have occurred since the last success.
         [Replications Check,DC6] A recent replication attempt failed:
            From DC0 to DC6
            Naming Context: CN=Schema,CN=Configuration,DC=labs,DC=dom
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2013-09-05 15:59:02.
            The last success occurred at 2013-09-05 10:58:09.
            6 failures have occurred since the last success.
         [Replications Check,DC6] A recent replication attempt failed:
            From DC0 to DC6
            Naming Context: CN=Configuration,DC=labs,DC=dom
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2013-09-05 15:59:02.
            The last success occurred at 2013-09-05 11:00:47.
            6 failures have occurred since the last success.
         [Replications Check,DC6] A recent replication attempt failed:
            From DC0 to DC6
            Naming Context: DC=labs,DC=dom
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2013-09-05 15:59:02.
            The last success occurred at 2013-09-05 11:08:56.
            6 failures have occurred since the last success.
         ......................... DC6 failed test Replications

      Starting test: SystemLog
         An error event occurred. EventID: 0xC00038D6
            Time Generated: 09/05/2013   16:20:17
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred. EventID: 0x000007D1
            Time Generated: 09/05/2013   16:24:06
            Event String:
            Microsoft Antimalware has encountered an error trying to update sign
atures.
         A warning event occurred. EventID: 0x00001796
            Time Generated: 09/05/2013   16:32:59
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is pr
esently being used between clients and this server. This event occurs once per b
oot of the server on the first time a client uses NTLM with this server.
         An error event occurred. EventID: 0x00000457
            Time Generated: 09/05/2013   16:33:30

            The attempt by user LABS\admin to restart/shutdown computer DC6 fail
ed
         ......................... DC6 failed test SystemLog

   Running enterprise tests on : labs.dom
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... labs.dom failed test LocatorCheck
      Starting test: Intersite
         ......................... labs.dom passed test Intersite

I remember I had a case many years ago with W2003 DCs, that DC was unseccussfully removed, and Domain services stoped working, so I had to remove some CN names of old DC with ndisutil.

↧

AD on SBS2003 issue, horrible issue please help. do not want to restore.

September 20, 2013, 11:31 am

≫ Next: 2008AD domain controller not working correctly

≪ Previous: Domain got corrupted after one DC removal

Have an sbs2003 server only dc in the org. has all the latest updates. ipconfig is fine so i didnt copy it in below.

when i do a dcdiag it fails on fsmo check says it cant find a GC or PDC, when i do netdom query fsmo it returns 1 of 2 things.

5 roles on the sbs is normally what it shows, have seen it show the domain specified doesnt exist. main issues onsite are cant add pcs to the domain, cant access shares or printers. have also checked dns logs thoroughly and can ping fqdn of sbs.

Ive pasted in a dcdiag and a netdiag below. only have the weekend to fix this any help would be greatly appreciated.

struggling to paste the logs due to pasting the name of the company, will try add later or on request. in the logs it fails fsmo i pasted that below but noticing now it also fails on netlogon and sysvol shares as ive noticed they also arent there anymore although the folders are on the drive.

Running enterprise tests on :
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope

provided by the command line arguments provided.
......................... passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
PDC Name:
Locator Flags: 0xe00003fd
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... failed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS

↧

2008AD domain controller not working correctly

September 21, 2013, 7:30 am

≫ Next: windows 2012 r2 adprep /forestprep fails

≪ Previous: AD on SBS2003 issue, horrible issue please help. do not want to restore.

Hi.

I have two 2008AD domain controllers the primary failed last week and transferred the FSMO roles to the secondary.

While the primary was still powered up, all credentials and file access was not working properly.

When I ran NETDOM query /domain:xxxx fsmo and found that all roles were held by the backup DC I shut down the primary

After shutdown most network resources credentials and accessibility returned to normal.

What steps should I take at this point to repair the failed DC..

I am considering Demotion, Metadata Cleanup, apply all Windows Updates for 2k8, promotion , and transferring the roles back to the primary..?

does anyone have an alternative way to discover and repair whatever problems exist?

When I look at the masterRoles using the Active directory MMC snapin it shows error in the PDC identification box that's all I know

jim

↧

windows 2012 r2 adprep /forestprep fails

September 22, 2013, 12:28 am

≫ Next: Dsquery user

≪ Previous: 2008AD domain controller not working correctly

I cant seem to get Windows 2012 R2 adprep /forestprep to run on my Windows 2012 DC.

Adprep detected that the supplied or default user is not a member of the following group: Enterprise Admins group and Schema Admins group.
[Status/Consequence]
Adprep has stopped without making changes.
[User Action]
Verify the user is a member of Enterprise Admins group and Schema Admins group.

I am running as Administrator and Administrator is a member of the Enterprise Admins group and Schema Admins group.

Any idea what is going wrong?

↧

Dsquery user

September 22, 2013, 4:37 am

≫ Next: Additional domain controller

≪ Previous: windows 2012 r2 adprep /forestprep fails

Is there a way i can expand dsquery users dc=contoso,dc=com, to include user's first name, last name, description etc

↧

Additional domain controller

September 22, 2013, 8:19 am

≫ Next: Is that possible that DC stop authenticating the user at ADC when connection between ADC and DC terminated.???

≪ Previous: Dsquery user

Hi,

We have Active Directory Domain Controller installed on Windows Server 2008R2 in our office with domain name jbboda.local, where hostname JBBDC-1 IP 172.16.0.2 is primary domain controller and hostname JBBDC-2 IP 172.16.0.27 is the backup domain controller. Few days ago our primary DC i.e. JBBDC-1 went down due to hardware failure. To restore the Domain Services we had Seizing FSMO Roles and tried to do Metadata cleanup through command prompt but we did not found broken JBBDC-1 in the list. To clear the metadata we had deleted JBBDC-1 from Active Directory Users and Computer > Domain Controllers list, Active Directory Sites and Services and DNS entry related to JBBDC-1 with the help of GUI.

To test the Seizing FSMO Roles is completed successfully we had used nltest /dclist:jbboda.local and netdom query fsmo

Output: nltest /dclist:jbboda.local
Get list of DCs in domain 'jbboda.local' from '\\JBBDC-2.jbboda.local'.
JBBDC-2.jbboda.local [PDC] [DS] Site: Site1
The command completed successfully

Output: netdom query fsmo
Schema master JBBDC-2.jbboda.local
Domain naming master JBBDC-2.jbboda.local
PDC JBBDC-2.jbboda.local
RID pool manager JBBDC-2.jbboda.local
Infrastructure master JBBDC-2.jbboda.local
The command completed successfully.

Now we have replaced the hardware and installed Windows Server 2008 with the same Computer name JBBDC-1 and IP 172.16.0.27. While Creating the Additional domain controller we are getting the error The specified account already exist. screenshot details as attached

--
Ronak Sheth

↧

Is that possible that DC stop authenticating the user at ADC when connection between ADC and DC terminated.???

September 22, 2013, 7:27 am

≫ Next: Supernet multiple Class C reverse lookup zones

≪ Previous: Additional domain controller

kindly ans it with a reasonable example

↧

Supernet multiple Class C reverse lookup zones

September 23, 2013, 4:20 pm

≫ Next: Difference between lastlogon and lastlogontimestamp

≪ Previous: Is that possible that DC stop authenticating the user at ADC when connection between ADC and DC terminated.???

Hi There,

We currently have mutliple class C subnets all on 192.168.x (approximately 50). Currently we have Reverse lookup zones for a number of these but not all. Rather than create 50 reverse lookup zones for each subnet, would it make sense to create one supernet reverse lookup zone i.e. 168.192.in-addr.arpa?

We do not need them to be seperate from an administrative point of view, all settings across the reverse lookup zones are identical.

Appreciate any advice someone can offer on this, is this a feasable solution or a bad idea from a best practices perspective?

Cheers,

Ben

Ben Taylor MCITP

↧

Difference between lastlogon and lastlogontimestamp

February 17, 2010, 6:24 am

≫ Next: インフラストラクチャマスタDC降格について

≪ Previous: Supernet multiple Class C reverse lookup zones

Just wondering what is the Difference between lastlogon and lastlogontimestamp?

Thanks Biswajit MCTS ,MCP 2K3, MCSA 2K3, MCSA:M 2K3, CCNA

↧

インフラストラクチャマスタDC降格について

September 23, 2013, 10:42 pm

≫ Next: RDP using an account without admin rights

≪ Previous: Difference between lastlogon and lastlogontimestamp

http://social.technet.microsoft.com/Forums/en-US/4fc167a9-45ef-4755-9dcf-802b7fc91892/fsmo-
とまったく同じ症状になり、困っております。
DC1（FSMO）, DC2 のうち DC2が不調になり、DC2をオフラインにしてから、DC1にてntdsutil にて m
etadata をクリーンアップし、DNSからDC2にかかわるすべてのレコードを削除、
サイトとサービスから削除した後で、DC2の機体にOSを新規インストールしメンバーに追加、
（DC3という名前で）その後DCに昇格しました。FSMO を DC3 に安全転送し運用しておりました。

その後DC1 の入れ替えに伴い、DC3にFSMOを安全転送し、
DC1の降格を実行しようとしたところ、上記の方と同じ症状になり、存在しないDC2が
インフラストラクチャマスタになっているようなエラーが表示され、降格が行えません。

イベントID ：2091　／　ソース：ActiveDirectory_DomainService
　　次の FSMO 役割の所有権は、削除されたまたは存在しないサーバーに
　　設定されています。
----以下同文-----

ADSIEditor で確認したところ
CN=Infrastructure,DC=ForestDNSZones,DC=domainmei,DC=local
は存在せず、
CN=Infrastructure,DC=domainmei,DC=local　のみが存在します。
クラスがinfrastructureUpdate になっており、アイコンがコンテナのアイコンではなく、メモ帳のようなアイコンになっています。

オブジェクトが存在していないのだろうかと思い、コマンドで
ldifde -f c:\Infra_DomainDNSZones.ldf -d "CN=Infrastructure,DC=ForestDNSZones,DC=domainmei,DC=local" -l fSMORoleOwner

を実行すると、内容が書き出され、存在しないDC2の記述があり、イベントログの内容とつじつまがあいます。
dn: CN=Infrastructure,DC=ForestDnsZones,DC=domainmei,DC=local
changetype: add
fSMORoleOwner:
CN=NTDS Settings\0ADEL:ffa8422e-8da0-4480-a37c-3c02467a2285,CN=DC2\0ADEL:01b3
fad9-f37a-411a-917f-09828dbf1a36,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=domainmei,DC=local

したがって、内部的にはオブジェクトが存在しているように思えますが、ADSIEditor には表示されません。
この状態でfixfsmo.vbs　を実行してよいものか迷っています。
また、CN=Infrastructure,DC=domainmei,DC=local　のアイコンが通常のものではないのも気になります。

対処方法としては、上記vbsの実行、あるいは、DC1 の強制降格等になってしまうのでしょうか？

↧

RDP using an account without admin rights

September 13, 2013, 10:38 am

≫ Next: "The network name cannot be found." error message in dcdiag and accessing the DC's SYSVOL folder, remotely...

≪ Previous: インフラストラクチャマスタDC降格について

hello,

for testing purposes I need to logon to a computer from a server as a staff user to test that softwares etc i install from the server are working as the staff user and not just as the admin. i know it is possible because a couple of years ago i saw a tech support do it while rdp'ing onto our server. It was a while ago but im almost certain he was looking at the eventviewer and connected to another computer to view their event log and then logged onto it as a staff user.

any help or a point in the right direction would be a great help.

↧