Channel: Directory Services forum

Windows 2008 ADC & DC LDAP issue

Dear All,

We are facing a Windows 2008 DC & ADC problem. This error comes every week. Whenever this error comes, we restart the server once. After that it works for some days.

Below the error:

The directory schema is not accessible because:
An invalid directory pathname was passed
For this reason, the New menu may be inaccurate, and extension snap-ins may not work properly

Data from Active Directory Users and Computers is not available from domain controller because:
The server is not operational.

Regards,

Santh


LDAP Policy


HI AD experts!

Does the DC log an event when the LDAP policy is exceeded?

For example, when there are more than "MaxConnections" connections and some connections are being dropped?

Find account being locked out


How can I find where an account is being locked out from?

I know the account name but am not sure from what service and server.

Thanks

Dave


Dave Kozlowski

Powershell to add SMTP ProxyAddress based on user UPN


Hello,

I am looking for an AD PowerShell command to add a primary SMTP address to the user property based on the user's UPN.


User UPN          ProxyAddress
a.test@xyz.com    a.test@xyz.com

For example, I have the above user with the UPN for whom I want to add an SMTP proxy address; please suggest.

Regards,

Maqsood


Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
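One way to do what the post asks, as an added example that is not from the post or its replies. It assumes the ActiveDirectory module (RSAT) is available, that the UPN suffix is the intended mail domain, and that the user and OU names ('a.test', 'OU=Staff,DC=xyz,DC=com') are placeholders. It builds the whole proxyAddresses value set and writes it once with -Replace, so an existing upper-case SMTP: primary is demoted to smtp: rather than leaving two primaries.

```powershell
# Added example (not from the original post). Set the primary SMTP proxy address
# from the user's UPN. Assumes the ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

function Set-PrimarySmtpFromUpn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName, proxyAddresses
    if (-not $user.userPrincipalName) {
        Write-Warning "$SamAccountName has no UPN; nothing to do."
        return
    }

    # 'SMTP:' in upper case marks the single primary address; 'smtp:' marks secondaries.
    $address = $user.userPrincipalName
    $primary = 'SMTP:' + $address

    if (@($user.proxyAddresses) -ccontains $primary) {
        Write-Verbose "$SamAccountName already has primary $primary"
        return
    }

    # Rebuild the value set: drop any existing entry for this address (any case),
    # demote any other SMTP: primary to smtp:, then put the new primary first.
    $rest = @($user.proxyAddresses) |
        Where-Object { $_ -and ($_.Substring(5) -ne $address -or $_ -notmatch '^smtp:') } |
        ForEach-Object { if ($_ -cmatch '^SMTP:') { 'smtp:' + $_.Substring(5) } else { $_ } }
    $desired = @($primary) + @($rest)

    if ($PSCmdlet.ShouldProcess($SamAccountName, "set proxyAddresses to: $($desired -join ', ')")) {
        Set-ADUser -Identity $user -Replace @{ proxyAddresses = [string[]] $desired }
    }
}

# Dry run for one user first, then apply; the commented line handles a whole OU.
Set-PrimarySmtpFromUpn -SamAccountName 'a.test' -WhatIf
# Get-ADUser -Filter 'userPrincipalName -like "*@xyz.com"' -SearchBase 'OU=Staff,DC=xyz,DC=com' |
#     ForEach-Object { Set-PrimarySmtpFromUpn -SamAccountName $_.SamAccountName -Verbose }
```

Run it with -WhatIf first and check the value set it reports. If Exchange email address policies apply to these users, the policy will rewrite proxyAddresses on its next pass, so the change should be made through the policy rather than directly on the attribute.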

MAC PC Domain Joining


Hi,

We have got certain Mac OS X PCs which we have added to the domain. There is no issue in joining, but after that the users are facing certain issues, which are highlighted below.


The user is able to log in using an AD ID. But the user often gets disconnected while accessing the network, particularly the internet (either through Netscape or through Google Chrome). The user gets a pop-up prompting for credentials.

For this event we had contacted the Proxy Server Team and found that the authenticity is not known. The user is getting internet access through an anonymous identity; hence the fluctuations happen.

Please let me know if we need to do any activity from the Active Directory end on the computer account or user account. We are checking with Mac support in parallel as well. Is there a way to force Macs to use Kerberos only?


Resync time in Windows Server 2008 Domain Controller


Hi to all,

I have a multi-site domain with many DCs. One Windows Server 2008 Domain Controller has its time off by about 1 minute and 10 seconds from the time on the PDC.

Is it possible that this difference causes problems with GPO synchronization and during gpupdate /force on the PCs connected to the LAN where this DC works? Because we have had this problem for a long time (months), are there risks if we try to resync the time of this DC with the PDC now? Or is it better to demote the old domain controller and replace it?

The error when i do gpupdate /force on one pc is:

Updating Policy...
User policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\XYZ.abc\SysVol\XYZ.abc\Policies\{A-B-C-D}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\XYZ.abc\SysVol\XYZ.abc\Policies\{A-B-C-D}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Thanks.

Performance Report domain controllers


Hi AD experts,

I'm looking for a tool to generate a performance report on some DCs:

a script to create a Data Collector Set (in Perfmon) like http://archive.msdn.microsoft.com/ExPerfwiz

and the tool to parse the report like PAL : pal.codeplex.com

Is there any similar tool for DCs?

Thanks

Auditing of Administrator account use


Hi,

Is event 4624 on all Domain Controllers (where TargetUserName is Administrator) enough to know about the use of the Domain Admin account in the organization?

Or maybe you have a better way to check when, by whom and from where the Domain Admin account is being used?

Thanks in advance


Voytas
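The two questions above (where an account is being locked out from, and how the Domain Admin account is being used) are both answered by reading the Security log on the domain controllers. As an added example that is not from either post or its replies, the script below does both with one small helper: lockouts are event 4740, which is always recorded on the PDC emulator whichever DC processed the bad passwords, and successful logons are event 4624, which carries the logon type, source address and workstation. It assumes the ActiveDirectory module, that the "Audit User Account Management" and "Audit Logon" subcategories are enabled on the DCs, that the caller can read the remote Security logs, and that 'jdoe' is a placeholder account name.

```powershell
# Added example (not from the original posts): read-only audit queries against the
# DC Security logs. Assumes the ActiveDirectory module and rights to read remote logs.
Import-Module ActiveDirectory

# Pull one named field out of an event's EventData by its XML 'Name' attribute,
# which is more robust than relying on the positional order of $event.Properties.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event, [string] $Name)
    $xml = [xml] $Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Account lockouts (4740) are recorded on the PDC emulator, so query it directly.
function Find-LockoutSource {
    param([Parameter(Mandatory)] [string] $SamAccountName, [int] $Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = Get-EventField $_ 'TargetUserName'
                CallerComputer = Get-EventField $_ 'TargetDomainName'   # 4740 stores the caller computer here
                ReportedBy     = $pdc
            }
        }
}

# Successful logons (4624) for a privileged account across every DC. 4624 shows how
# and from where the account was used; it does not show what was done afterwards.
function Get-AdminLogon {
    param([string] $SamAccountName = 'Administrator', [int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { (Get-EventField $_ 'TargetUserName') -eq $SamAccountName } |
            ForEach-Object {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    DC          = $dc
                    Account     = Get-EventField $_ 'TargetUserName'
                    LogonType   = Get-EventField $_ 'LogonType'       # 2 interactive, 3 network, 10 RDP
                    Workstation = Get-EventField $_ 'WorkstationName'
                    SourceIP    = Get-EventField $_ 'IpAddress'
                }
            }
    }
}

Find-LockoutSource -SamAccountName 'jdoe' | Format-Table -AutoSize
Get-AdminLogon -SamAccountName 'Administrator' -Hours 72 | Sort-Object Time | Format-Table -AutoSize
```

The CallerComputer field of 4740 names the machine that submitted the bad passwords; the Security log of that machine (events 4625 and 4776 there, or on the DC that authenticated it) then shows which service or scheduled task is still using the old credential. For the admin-usage question, 4624 on all DCs covers domain logons but not local logons on member servers, so pairing it with event 4672 (special privileges assigned to a new logon) and collecting member-server logs centrally gives a fuller picture.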


Creating Three domains in one forest


I wanted to create three domains in one forest.

I have created the first one with DC, DNS and GC.

Do I have to put DNS and GC in the other two domains as well?


Conflict objects in CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com


I have found some CNF objects in my OID list;  3 have matching original objects whilst 2 do not.

Whilst I am happy purging CNF copies of simple security principals, OIDs are uncharted waters for me.... Can I still delete all five ?

Should I have different approaches for the 3 that match and for the 2 that do not have original objects any more ?

uSNChanged is sometimes greater on the original, sometimes on the CNF copy - not sure if that is relevant.

Thanks in advance

Nick


Ignite a fire and a man is warm for a night: ignite a man, and he is warm for the rest of his life.

Win2008 R2 - "Write Member Of" missing in Advanced Security options for user object - Read is showing OK


A few weeks ago I updated an AD to 2008 R2 from 2003 and prior to this I implemented a new OU and security model to restrict admin rights.

I added a group with read/write 'member of' against user objects and that still works OK.

I have now removed the final 2003 DC (still running 2003 Functional Level).

When I now look at the OU using ADUC I do not see "write member of" in the properties list.

Anyone got any ideas?


Boz

Problem with Group Policy Replication

Could somebody please help me identify an issue I suddenly started having with Replication between 2 of our DCs. I inherited this system which was working perfectly fine but the problem happened suddenly and I am not too sure where to start looking.



This is a school with 2 DCs, both are on Server 2008R2 SP1:

DC1 is also a DNS server

DC2 is also DNS, DHCP and Deployment Server


A couple of days ago I created a policy object and realized that group policies stopped working across the domain. The error message indicated that the gpt.ini file for the policy could not be found.

As soon as I remove the object everything goes back to normal. I tested the SYSVOL shares on each of the servers by creating files manually, and the shares are visible between both of them; however, if I create a new policy object the physical files for it are not created, even locally on the DC that I am working on at the time.

So I run DCDIAG on both servers and found that DC1 has this error message:

Starting test: Services
      EventSystem Service is stopped on [WES-SVR01]
      NtFrs Service is stopped on [WES-SVR01]

After looking inside Services I am unable to start the File Replication Service or the DFS Service because it gives a 1068 error saying that one of its dependencies cannot be started.

What could be causing this? I ran SFC and it found no errors

Arthur

Problems after unsuccessful DC demotion


I've been reading TechNet and KB articles for about a month. After some problems in my domain, I had to demote the new server I had been working to add to the domain. I wasn't able to do it with dcpromo, so I had to use ADSI Edit. I followed the knowledge base article for demoting an orphaned DC. I then reinstalled Server 2008 on the new server. Unfortunately, there are still lingering issues. Currently there is only one DC on the network; let's call it PG. PG isn't looking for replication partners, so I figured everything was okay. It seems the other server was successfully removed. However, when I tried to edit some group policies, I realized I was getting the "RPC server unavailable" error. The server failed to replicate with its partner for a while and I think that's what started all of this. I remember something about a journal wrap error (I've read so many articles, they're blurring together).

I followed the knowledge base article for that issue and ended up doing a non-authoritative restore. No luck, RPC server still unavailable. Then a few days later, AD failed altogether. I restored with a system state backup I had made. I was in a rush to get the server going again, and I forgot to save a dcdiag log of the issue. I remember the group policy service throwing error 1058. After the restore, AD works again and users can access network shares, but I still have the "RPC server not available" issue. Should I have done the authoritative restore as well?

I have an old system state backup I'm thinking of using, from before I added the new server to the domain. Would it be a good idea to restore with this? I might lose my user account, which isn't a huge deal, but I'd rather not. I'm not sure if anything else has changed since. I can't afford to lose anything other than my account. I guess I could just go back to a current system state if something happened, though.

Excuse the wall of text. Any help would be appreciated. I'll post my current dcdiag output in my next post.

The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.


We are in the process of removing a child domain from the forest and are down to two DCs. These are both Server 2008 R2 SP1 servers, one physical and one virtual (PDC). When I try to remove a DC (not the PDC emulator) I get the following error:

The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=mydomain,DC=local to
Active Directory Domain Controller \\V-Svr03.mydomain.local.

The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

I have checked replication with repadmin /showrepl and all connections were successful. The dcdiag /test:kccEvent test on all servers passed.

Most DCdiag tests are successful. The only failure is on NCSecDesc when running dcdiag /test:NCSecDesc

   Testing server: Default-First-Site\DC1-DEV-OFC
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=hookemup,DC=local
         ......................... DC1-DEV-OFC failed test NCSecDesc

In researching this I find "If you do not plan to add an RODC to the forest, you can disregard this error."

We have not successfully run ADprep /rodcPrep, nor do we plan on having any Read-Only DCs, so I think we can ignore this error. We did try running ADprep /rodcPrep but got an LDAP error, which I can duplicate if this is important.

Schema and Naming FSMOs are on a DC higher in the forest. RID, PDC, and Infrastructure FSMOs for the child domain are on the Virtual server (PDC).

Any guidance on where to go from here would be greatly appreciated as I have no more hair on my head to pull.

Sites and Services subnet(s) and DNS zone for single domain


In my single domain/forest, there is only 1 site, the default-first-site-name but there are no Subnets defined.

In the reverse DNS, I have the 25 zone subnets.

My question is, do I have to create all 25 reverse zones from DNS into ADSS? I think that since I am using just a single domain that it isn't necessary. But for completeness sake, would it still be worth doing?


ADSI strange entries


Hi,

I recently added 2 new Windows Server 2008 DCs to our network and decommissioned 2 old Windows 2003 DCs. Having a few niggling issues. I looked in ADSI Edit and:

Under System, Domain System Volume I have an entry for one of the old servers as well as the 2 new DCs. Is it safe to remove the old server?

Under System, RpcServices there are entries for both old servers and neither of the new servers. Am I OK to remove the old servers? Do I need to add the new servers?

Intermittent errors when querying the AD


HI,

We recently replaced 2 old Windows 2003 DCs with Windows 2008 R2 DCs. All is working OK except on odd occasions when querying the AD I get errors such as "Server not operational" or "Domain does not exist". Everything looks correct in DNS and there are no entries for the old servers, so I am looking at alternatives. If I run Wireshark I get entries such as

192.168.180.132     192.168.180.255     NBNS     92 Name query NB XXXXXXX

192.168.180.132 is the ip of a standard workstation

192.168.180.255 is an IP that has no hardware associated with it

XXXXXX is the server name for one of the old servers I removed

Not sure if this is related or not, but I think both need to be resolved.

New to all this; can anybody guide me on where to start?

Thanks

Gareth

Reissue CA Root Certificate


Hello,

I have a Windows 2008 R2 enterprise CA root and it is currently using MD5 as the hash on the Root Certificate.  I have discovered that this causes a lot of problems with TLS 1.2.  I would like to replace this with a certificate that uses sha256 which is supposed to be compatible with TLS 1.2.

In Certificate Services I see the option for Renewing a Root Certificate but that does not allow me to modify the encryption method.

Can anyone direct me to how I can accomplish this?

Thank you,

Matt
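The steps a practitioner would take for the question above, as an added example that is not from the post or its replies. The CA's signing hash is a registry setting rather than something the renewal wizard asks for: CNGHashAlgorithm selects the hash for every certificate the CA signs from then on, and a renewal that reuses the existing key then produces a root certificate signed with the new hash. This assumes the CA key is held in a CNG key storage provider (KSP); if ca\csp\Provider reports a legacy CSP, the key must first be migrated to a KSP, which is a separate procedure not shown here. Run on the CA as an administrator of it.

```powershell
# Added example (not from the original post): move an ADCS CA from MD5 to SHA-256
# for the certificates it signs, then renew the root CA certificate with the same key.
# Assumes the CA key is in a CNG KSP; check the provider before changing anything.

function Get-CaHashSettings {
    # ca\csp\Provider names the key provider; CNGHashAlgorithm is only honoured for KSPs.
    certutil -getreg 'ca\csp\Provider'
    certutil -getreg 'ca\csp\CNGHashAlgorithm'
}

function Set-CaHashAlgorithmSha256 {
    # Takes effect for all signing operations after the service restarts.
    certutil -setreg 'ca\csp\CNGHashAlgorithm' SHA256
    Restart-Service certsvc
}

function Renew-CaCertificateReusingKey {
    # ReuseKeys keeps the existing key pair, so the CA identity and the chain for
    # already-issued certificates are unchanged; only the signature hash is new.
    certutil -renewCert ReuseKeys
}

Get-CaHashSettings
# Set-CaHashAlgorithmSha256
# Renew-CaCertificateReusingKey
# Get-CaHashSettings   # confirm SHA256 is now reported
```

Two caveats worth checking before and after. Clients do not verify the self-signature on a root they already trust, so the TLS 1.2 failures come from the MD5 signatures on the issued (end-entity and any intermediate) certificates; those need to be reissued after the change, since the CA only signs with SHA-256 from the restart onward. And a renewed root certificate is a new object as far as clients are concerned, so it has to be distributed the same way the current one was, for example with certutil -dspublish for domain-joined clients.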

additional domain drop down available in user creation


We have mixed Windows 2003 and Windows 2008 DCs (corp.intel). We have several OUs that are able to select @company.com from the domain dropdown when creating users' logon names. Just wondering how they made the additional domain (in addition to corp.intel) available when creating users' logon names?

Thank you.   

Domain rename


Hello - 

I've inherited a network in which the original admin decided to use a public domain name for the internal domain name, but not a public domain that the client owned.  We occasionally run into issues with DNS performance, not sure if that can be attributed to this or not, but I don't think it helps.  Along the way, to combat some of the DNS problems, various admins have added new forward lookup zones for what should otherwise be publicly accessible domains, completely unrelated to the pilfered domain name.  I see some occasional errors in the DNS log regarding duplicate zones (Microsoft has already loaded zone data blah blah blah) and I'm pretty sure these are related to the improperly named internal domain.

Now, to the meat of the matter: I'm in the process of adding a new DC, migrating some data, and physically moving a server to a branch office. It seems to me that since we've already got some other changes going on that are a little disruptive, now would be the time to correct this issue.  

Before I proceed, I have a few questions:

1. Should I even bother with renaming the domain?  

2. We have other domain member servers running ACT! and Microsoft Great Plains.  Does anyone know if these applications will support the domain rename operation or if there is a better route?

3. I'm working in an MSP role for a small/mid-size business.  I'm pretty strapped for resources, but would really love to be able to test this entire process before executing in a production environment.  Does anyone have any suggestions for building a 5 server test AD environment on a budget? I have 3 member servers (ACT!, GP, and File Server) and two DCs that both run DNS and one runs DHCP.

Thanks,


Nehemiah
