Channel: Directory Services forum

Protect password hash when delegating user management rights.

We want to implement a user management policy that protects the password hashes of Active Directory user accounts. As such, we want to grant our account administrators rights only to those OUs they should have access to. Is it necessary to grant each specific field in Active Directory individually, or is it OK to use GA and GRGW to grant these users the rights they need? For example:

    dsacls <TargetOU> /I:S /G <AdminGroup>:CC;user;
    dsacls <TargetOU> /I:S /G <AdminGroup>:DC;user;
    dsacls <TargetOU> /I:S /G <AdminGroup>:GRGW;;user
    dsacls <TargetOU> /I:S /G <AdminGroup>:GA;;user

What we would like as an end result is that, within a specified OU, a designated group can modify any field, create and delete users, and reset passwords, but cannot read or dump the password hash. When we just do GRGW, we notice most fields are not selected, and we don't really want to specify every individual field unless that is necessary to protect the password hash.
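An added example, not part of the original post, on the point the question turns on. Granting GA (or any combination of property rights) on user objects in an OU does not expose password hashes: unicodePwd is never returned on an LDAP read regardless of the ACL, and hashes leave a DC only through the directory replication protocol (the DS-Replication-Get-Changes / DS-Replication-Get-Changes-All control-access rights on the domain naming-context head, which is what DCSync-style tooling uses) or by copying ntds.dit off the DC itself. So the delegation can be done with GA on user objects, and the thing to check afterwards is the ACL on the domain head, not the OU. The OU name and group name below are assumptions; the script needs the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module,
# a fictitious OU and a fictitious delegated group. dsacls /I:S applies the ACE to
# sub-objects of the OU only, not to the OU object itself.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=corp,DC=example'   # assumption: delegated OU
$group = 'CORP\AcctAdmins'               # assumption: delegated group

# Delegate: create/delete user objects in the OU and full control (GA) over user objects.
# GA on a user object includes every extended right on that object (Reset Password among
# them) but grants nothing on the domain head, which is where replication rights live.
dsacls $ou /I:S /G "${group}:CC;user"
dsacls $ou /I:S /G "${group}:DC;user"
dsacls $ou /I:S /G "${group}:GA;;user"

# Audit: who can actually pull hashes? Only ACEs that apply to the domain NC head matter.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$adRights = [System.DirectoryServices.ActiveDirectoryRights]
$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"

$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.PropagationFlags -notmatch 'InheritOnly' -and (          # ACE applies to the head itself
        $replRights.ContainsKey($_.ObjectType.ToString()) -or   # a specific replication right
        ($_.ActiveDirectoryRights.HasFlag($adRights::ExtendedRight) -and
         $_.ObjectType -eq [guid]::Empty) -or                   # all extended rights
        $_.ActiveDirectoryRights.HasFlag($adRights::GenericAll) # full control on the head
    )
} | ForEach-Object {
    $key = $_.ObjectType.ToString()
    [pscustomobject]@{
        Principal = $_.IdentityReference.Value
        Right     = if ($replRights.ContainsKey($key)) { $replRights[$key] } else { $_.ActiveDirectoryRights.ToString() }
    }
} | Sort-Object Principal, Right -Unique | Format-Table -AutoSize

# On a default domain only built-in principals appear here (Administrators, Domain Admins,
# Enterprise Admins, Domain Controllers, Enterprise Domain Controllers, SYSTEM, and the
# read-only DC group for the filtered-set right). $group must not be listed; if it is:
#   dsacls $domainDn /R $group
```

The audit is the part worth keeping in a scheduled job: any new principal holding DS-Replication-Get-Changes-All on the domain head can dump every hash in the domain, whatever the OU-level delegation looks like.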

2012R2 AD FS WAP proxy problem


I am trying to set up a test AD FS server environment with the goal of using federated Office 365.
My test environment has:
two domain controllers at 2008 R2 functional level, one Server 2008 R2 and the other 2012, with one local (non-routable) internal domain name and one externally routable name for mail. I have added the externally routable name as an alternate UPN suffix.
two Exchange servers, one 2010 and the other 2013.
one 2012 R2 AD FS server and one 2012 R2 WAP proxy server.
The two AD FS servers seem to work all right. I can log in (adfsmachinename/adfs/ls/idpinitiatedsignon) and also pull https://mycomp/adfs/fs/federationserverservice.asmx from any of the machines in the domain. All servers are joined to the domain and in the same subnet.

The problem is setting up the Web Application Proxy to establish the trust. When I use the Web Application Proxy Configuration Wizard, I put in the wildcard cert (from Comodo, for the routable domain name) that is on both the AD FS and WAP servers. I use either a domain admin or a local admin of the AD FS server, but it always fails with the same message:

"Unable to retrieve proxy configuration data from the Federation Server."

On the AD FS WAP server, the event log shows event 422:
Trust Certificate Thumbprint: 
6185C255555555544555555555535D06 
Status Code: 
Unauthorized 
Exception details: 
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()

Note: the process creates a new cert, ADFS ProxyTrust-localservername, which has the thumbprint listed in the error.

At the same time, the event log on the AD FS server it is trying to establish trust with shows event ID 276:
The federation server proxy was not able to authenticate to the Federation Service. 

User Action 
Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host 
name that is identified in the certificate subject name and re-establish trust between the proxy and the 
Federation Service using the Install-WebApplicationProxy cmdlet. 
Additional Data 
Certificate details: 
Subject Name: 
<null> 
Thumbprint: 
<null> 
NotBefore Time: 
<null> 
NotAfter Time: 
<null>

No matter what I seem to try with the local admin account, it has the same error. I have verified the passwords and tried domain admin, local admin, the AD FS domain service account, etc.

2003 domain, 2000 forest, changing forest functional level


I feel terrible. I have looked everywhere. 2003 domain, 2000 forest. A pretty straightforward network. Bringing the forest to 2003 won't hurt anything, right? I mean, it's generally considered safe without any special prep or research, right?

Domain Controller Startup

Are there any flowcharts showing how a domain controller starts up (i.e. domain service XYZ starts and verifies NTDS integrity, which then allows service ABC, allowing DNS to start, which then allows Netlogon, which then allows replication, and so on)?

Syntax for Get-ADUser to get only these items "DistinguishedName" "SamAccountName" "Title"


Is there a way to pull these three parts in PowerShell?
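An added example (not from the original post) of the query asked for. Title is not in the default property set that Get-ADUser returns, so it has to be requested with -Properties; Select-Object then trims the output to the three fields. The search base and the CSV path are assumptions; the module is RSAT ActiveDirectory.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and a fictitious search base (drop -SearchBase to search the whole domain).
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=corp,DC=example'   # assumption

# -Filter is AD filter syntax handed to the provider, not PowerShell; keep $true in single
# quotes. Only enabled accounts are returned here; use -Filter * for everything.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties Title |
    Select-Object DistinguishedName, SamAccountName, Title |
    Sort-Object SamAccountName |
    Tee-Object -Variable users |
    Export-Csv -Path .\users.csv -NoTypeInformation -Encoding UTF8

# Accounts with no Title set come back with an empty value; list them separately so the
# gaps get fixed rather than silently exported.
$users | Where-Object { -not $_.Title } | Select-Object SamAccountName, DistinguishedName
```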

Proper way of shutting down a DC

I need to temporarily shut down a DC so I can add memory to it. Is there anything special I need to do or be aware of beforehand, besides letting my users know they can't log in for a set timeframe?
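An added example, not part of the original post: the checks to run from another machine before taking a DC down for a short maintenance window. The DC name is an assumption; the script needs the RSAT ActiveDirectory module and repadmin.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory and that the DC
# about to be shut down is DC01 (assumption). Run from another DC or an admin workstation.
Import-Module ActiveDirectory
$dc = 'DC01'

# 1. Which FSMO roles does this DC hold? Nothing here stops a short planned outage, but the
#    PDC emulator (password chain, time, GPO editing) and RID master are the ones people notice
#    missing; move them first if the window may run long.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$held = $roles.GetEnumerator() | Where-Object { $_.Value -like "$dc.*" } | ForEach-Object { $_.Key }
"FSMO roles held by ${dc}: " + ($(if ($held) { $held -join ', ' } else { 'none' }))

# 2. Is there another DC, and another global catalog, to carry logons while it is down?
$others = Get-ADDomainController -Filter "Name -ne '$dc'"
if (-not $others) { Write-Warning 'No other DC in the domain: logons will fail for the whole window.' }
$others | ForEach-Object { "Other DC: $($_.HostName) site=$($_.Site) GC=$($_.IsGlobalCatalog)" }

# 3. Replication should be clean before the shutdown, so nothing originated on this DC is
#    still waiting to replicate out.
repadmin /showrepl $dc /errorsonly
repadmin /replsummary
```

If step 2 reports no other DC, the outage is a full authentication outage, not just "this one server", and the memory upgrade should wait until a second DC exists.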

External Forest Trust Issue


This has got to be a bug in the GUI. I have two new forests in different subnets, between which I have created a selective-authentication, two-way, external trust; the trust passes validation without issue.

I am unable to search users in the other domain with the GUI, but they can be added fine from the command line (dsacls, and also net localgroup). Using the CLI in Domain-Z, I set 'Allowed to authenticate' on a computer object, and also added the user from Domain-A to the Remote Desktop Users local group on a machine, and was able to RDP to it and log in as a user from Domain-A.

I can't search users in the other domain (from either side), and if I click Advanced and then Find Now in the Select box, I get this error:
'The following error prevented the display of any items: Unspecified error'

What I did to configure the trust:

  1. Set up conditional forwarders on both ends; can resolve multiple records.
  2. Created the trust. Have tried creating both sides at once as well as each side separately.
  3. Tried to add users to computer objects; can't find anything except from the command line.

Hardware firewall ports allowed (have also allowed all traffic and disabled Windows Firewall to troubleshoot, and recreated the trust with it disabled):
135-U
389-T/U
53-T/U
88-T/U
445-T
3268-T
464-T/U
5000-5001 for RPC/LSA/SAM/Netlogon (set to static in registry)

I am stumped here.  What should I look at besides rebuilding these machines from scratch?
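An added example, not part of the original post: a quick reachability check of the ports listed above from a machine in one forest against a DC in the other, plus the trust and locator checks that show whether the problem is the network path or the trust itself. Host and domain names are assumptions; Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example, not from the original post. All names below are assumptions.
$remoteDc     = 'DCZ.domain-z.example'   # a DC in the other forest
$remoteDomain = 'domain-z.example'
$localDomain  = 'domain-a.example'
# TCP ports from the post's firewall list (5000-5001 are the statically assigned RPC ports).
$tcpPorts = 53, 88, 135, 389, 445, 464, 3268, 5000, 5001

$results = foreach ($p in $tcpPorts) {
    $t = Test-NetConnection -ComputerName $remoteDc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Open = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize
$closed = ($results | Where-Object { -not $_.Open }).Port
if ($closed) { Write-Warning "Closed TCP ports to ${remoteDc}: $($closed -join ', ')" }

# Test-NetConnection cannot probe UDP; check name resolution of the locator records instead,
# then have the local DC verify its secure channel and the trust object itself.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteDomain" -Type SRV
nltest /sc_verify:$remoteDomain
netdom trust $localDomain /domain:$remoteDomain /verify
```

If every port is open and both verifications pass while the object picker still fails, the network list can be taken off the table and the investigation moves to the trust's attributes and the picker's own LDAP/GC queries (capture them on the DC with a network trace while clicking Find Now).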


Find machines looking up a particular DNS entry


A DNS entry was modified to point from an old server to a new server.

Example:

Old Server - ServerA.domain.com originally pointed to 10.10.10.10

New Server - ServerB.domain.com points to 10.10.10.12

Old Server (ServerA) is retired; the original A record now points to 10.10.10.12

I am now tasked with finding out which servers are still requesting the old ServerA.domain.com record so we can fix those requesting that name and eventually retire the name.

Any good way to find this information?


Bobby Pendino
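An added example, not part of the original post: one way to answer the question is to turn on the DNS server's debug log (DNS Manager, server Properties, Debug Logging tab: log packets for debugging, incoming queries) for a while and then count which clients still ask for the old name. The script below parses that log format; the log lines in it are constructed for the example, and the log path is an assumption.

```powershell
# Added example, not from the original post. Parses a Windows DNS server debug log and
# tallies the clients that query a given name. The sample log below is constructed.
$sampleLog = @'
2/14/2014 11:23:21 AM 0B7C PACKET  00000000029D4B90 UDP Rcv 10.10.10.55     0002   Q [0001   D   NOERROR] A      (7)ServerA(6)domain(3)com(0)
2/14/2014 11:23:25 AM 0B7C PACKET  00000000029D4B90 UDP Rcv 10.10.10.77     0003   Q [0001   D   NOERROR] A      (7)ServerB(6)domain(3)com(0)
2/14/2014 11:23:30 AM 0B7C PACKET  00000000029D4B90 UDP Rcv 10.10.10.55     0004   Q [0001   D   NOERROR] A      (7)servera(6)domain(3)com(0)
2/14/2014 11:23:31 AM 0B7C PACKET  00000000029D4B90 UDP Snd 10.10.10.55     0004 R Q [8085 A DR  NOERROR] A      (7)ServerA(6)domain(3)com(0)
2/14/2014 11:24:02 AM 0B7C PACKET  00000000029D4B90 UDP Rcv 10.10.10.91     0005   Q [0001   D   NOERROR] A      (7)ServerA(6)domain(3)com(0)
'@

function Get-QueriesForName {
    param([string[]]$Lines, [string]$Name)
    # Only received queries (Rcv) count; the server's own responses (Snd) would double-count.
    $pattern = '^\S+ \S+ \S+ \S+ PACKET\s+\S+ (UDP|TCP) Rcv (?<client>\S+)\s+\S+\s+Q \[.*?\]\s+(?<type>\S+)\s+(?<name>\S+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # The log writes names as length-prefixed labels: (7)ServerA(6)domain(3)com(0)
            $fqdn = ($Matches.name -replace '\(\d+\)', '.').Trim('.').ToLower()
            if ($fqdn -eq $Name.ToLower()) {
                [pscustomobject]@{ Client = $Matches.client; Type = $Matches.type; Name = $fqdn }
            }
        }
    }
}

$lines = $sampleLog -split "`r?`n" | Where-Object { $_ }
# Real run: $lines = Get-Content 'C:\dns\dns.log'   (assumption: the configured debug log path)
Get-QueriesForName -Lines $lines -Name 'ServerA.domain.com' |
    Group-Object Client | Sort-Object Count -Descending |
    Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
# From the sample: 10.10.10.55 -> 2, 10.10.10.91 -> 1 (10.10.10.77 only asked for ServerB)
```

Run it against each DNS server that is authoritative for the zone, since clients will spread their queries across them, and leave logging on long enough to catch weekly and monthly jobs before retiring the name.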


AD not working on new DC


Hello TechNet forums,

We have come across an issue we have not seen before. On a network with a single 2003 Standard DC, we installed a 2008 Standard server, ran DCPromo, and made it a global catalog server. We transferred the FSMO roles to the new server. When we shut down the 2003 DC, none of the AD snap-ins work correctly; namely, when we open AD Users and Computers, the snap-in freezes and never comes up. When the 2003 computer is powered on and running, all works smoothly and correctly. This is meant to be an upgrade, but with this behavior we cannot decommission the 2003 DC.

I am not sure what else to provide you in the way of information, and I know I probably did not provide enough. Right now, we do not want to seize the roles, as the 2003 DC is the only way we can continue normal business. We have asked around our company, and none of our techs have seen this before. If you have any suggestions as to what to try, we would appreciate it.

Oh, one thing we did do already was DCPromo the 2008 server back to a member server and DCPromo it back up. This did not change the behavior.

Thank you in advance for all your wisdom.

Could not obtain information about Windows NT group/user 'DOMAIN\user', error code 0x5


Hello, we are running MSSQL Server 2008 R2 on Windows Server 2008 R2.

For the MSSQLSERVER service we use a special domain account (specified during installation of SQL Server).

Now we have some trouble setting up replication; generally we get the error "Could not obtain information about Windows NT group/user 'DOMAIN\user', error code 0x5" when we try to start or delete replication instances or access other pages/features.

For example, when I go to the 'Permissions' page in Server Properties and open the 'Effective' tab in SQL Server Management Studio, I can see properties only for some domain accounts (those that have logins in MSSQL); for others I get the error "Could not obtain information about Windows NT group/user 'DOMAIN\user', error code 0x5".

I went to AD and tried to view the differences between those accounts, but at first glance it seems that they are identical.

Please help!




Administer untrusted domain


I'm trying to administer users in an untrusted domain from my PC.

I use the command line below and I'm able to get ADUC running. Doing some tasks in ADUC gives me the error "The specified domain either does not exist or could not be contacted."

    C:\Windows\System32\runas.exe /netonly /user:UntrustedDomain\user "mmc dsa.msc /server=1.1.1.1"

Domain Clients starting slow


Hello experts,

Our company has domain controllers running Windows 2008 R2 and Windows 2003 R2 SP2.
Today my technician reported to me that Windows XP clients' login is very slow, about 30 min before the login window comes back. Does anyone have an idea about this problem?
In the slow computer's event log, this application error was logged:

Application DeviceLock Service (2) from policy Device_lock_install_32bit was configured to upgrade application DeviceLock Service from policy Device_lock_install_32bit. The assignment or install of the upgrade application DeviceLock Service (2) from policy Device_lock_install_32bit failed with error: The installation source for this product is not available. Verify that the source exists and that you can access it. The upgrade will be aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I think the cause of the problem is our domain controllers' OS versions, Windows 2003 and Windows 2008. Is this right?

Please advise and help me fix the domain clients' slow login window.

Thanks


SYSVOL is not replicating to all servers


Hi Guys,

I have noticed a SYSVOL replication problem after creating a new GPO in AGPM: it appeared on the PDC and on one more DC, but not on the other 23 DCs.

The SYSVOL folder is not replicating to all DCs, although it replicates normally between two DCs (the PDC and one more DC).

We use DFSR to replicate SYSVOL. When I ran a DFS propagation report on "Domain System Volume" (SYSVOL Share), all servers that do not have SYSVOL replicated show as "Arrival Pending". A couple of DCs show "Waiting for initial replication" and do not have SYSVOL at all.

I tried issuing:

    wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="20199155-E7B6-11E1-83E7-706E6F6E6963" call ResumeReplication

on one of the DCs; this did not help.

Any advice?

Thanks,



Strength lies in justice
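An added example, not part of the original post: before resuming anything, it helps to see the DFSR state of the SYSVOL replicated folder on every DC in one table, because "Arrival Pending" in the propagation report covers several different states on the receiving side. The script needs the RSAT ActiveDirectory module and WMI/RPC access to each DC; the DC names in the backlog command are assumptions.

```powershell
# Added example, not from the original post. Reads the DFSR state of the SYSVOL replicated
# folder on every DC over WMI (needs RSAT ActiveDirectory and RPC/WMI access to each DC).
Import-Module ActiveDirectory

# DfsrReplicatedFolderInfo.State values; state 2 is what the propagation report shows as
# "Waiting for initial replication".
$stateNames = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'; 3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }

$report = foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
    try {
        $info = Get-WmiObject -ComputerName $dc.HostName -Namespace 'root\MicrosoftDFS' `
            -Class DfsrReplicatedFolderInfo -Filter "ReplicatedFolderName='SYSVOL Share'" -ErrorAction Stop
        if (-not $info) { throw 'no "SYSVOL Share" replicated folder on this DC (still using FRS?)' }
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; State = $stateNames[[int]$info.State]; Detail = '' }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; State = 'query failed'; Detail = $_.Exception.Message }
    }
}
$report | Sort-Object State, DC | Format-Table -AutoSize

# For a DC that is in state Normal but still missing the new GPO, measure the backlog from a
# DC that has it (names are assumptions):
dfsrdiag backlog /rgname:"Domain System Volume" /rfname:"SYSVOL Share" /smem:PDC01 /rmem:DC05
```

DCs in Initial Sync are waiting for a partner to seed them and will not pick up the GPO until that completes; DCs in Normal with a growing backlog have a connection or schedule problem between them and the DCs that already hold the change. ResumeReplication only helps for a volume that DFSR paused after a dirty shutdown (state Auto Recovery or In Error), which is why it did nothing here.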


DCDIag Assistance


Hi, I'm getting a lot of Best Practices Analyzer errors and warnings, etc.

I had an old lab DC that I demoted and joined to a new 2012 DC as a secondary DC.

I have numerous errors, and DNS just doesn't seem right. I deleted references to my old records in DNS and thought I'd cleaned things up, but I'm not sure I have.

Also, on the secondary DC there is no NETLOGON or SYSVOL, so I don't have replication between DCs.

dcdiag output below (this output is from the second DC). Any help appreciated.


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = MYDC

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

  
   Testing server: Default-First-Site-Name\MYDC

      Starting test: Connectivity

         ......................... MYDC  passed test Connectivity

Doing primary tests

  
   Testing server: Default-First-Site-Name\MYDC

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\SVR2012PDC.AlexCorpDom.Internal, when we were trying to reach

         MYDC.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... MYDC failed test Advertising

      Starting test: FrsEvent

         ......................... MYDC passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... MYDC failed test DFSREvent

      Starting test: SysVolCheck

         ......................... MYDC passed test SysVolCheck

      Starting test: KccEvent

         ......................... MYDC passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... MYDC passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... MYDC passed test MachineAccount

      Starting test: NCSecDesc

         ......................... MYDC passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\MYDC\netlogon)

         MYDC An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... MYDC failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... MYDC passed test ObjectsReplicated

      Starting test: Replications

         ......................... MYDC passed test Replications

      Starting test: RidManager

         ......................... MYDC passed test RidManager

      Starting test: Services

         ......................... MYDC passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x0000008E

            Time Generated: 02/14/2014   11:23:21

            Event String:

            The time service has stopped advertising as a time source because the local clock is not synchronized.

         A warning event occurred.  EventID: 0x00001695

            Time Generated: 02/14/2014   11:35:11

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'oldDC.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 


         A warning event occurred.  EventID: 0x00001695

            Time Generated: 02/14/2014   11:35:11

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.OLDDC.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 


         A warning event occurred.  EventID: 0x00001695

            Time Generated: 02/14/2014   11:35:11

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.OLDDC.local' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 


         A warning event occurred.  EventID: 0x0000008E

            Time Generated: 02/14/2014   12:06:49

            Event String:

            The time service has stopped advertising as a time source because the local clock is not synchronized.

         A warning event occurred.  EventID: 0x00000032

            Time Generated: 02/14/2014   12:06:49

            Event String:

            The time service detected a time difference of greater than 5000 milliseconds for 900 seconds. The time difference might be caused by synchronization with low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. When a valid time stamp is received from a time service provider, the time service will correct itself.

         A warning event occurred.  EventID: 0x0000008E

            Time Generated: 02/14/2014   12:09:01

            Event String:

            The time service has stopped advertising as a time source because the local clock is not synchronized.

         ......................... MYDC passed test SystemLog

      Starting test: VerifyReferences

         ......................... MYDC  passed test VerifyReferences

  
  
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

  
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

  
   Running partition tests on : AlexCorpDom

      Starting test: CheckSDRefDom

         ......................... AlexCorpDom passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... AlexCorpDom passed test CrossRefValidation

  
   Running enterprise tests on : AlexCorpDom.Internal

      Starting test: LocatorCheck

         ......................... AlexCorpDom.Internal passed test

         LocatorCheck

      Starting test: Intersite

         ......................... AlexCorpDom.Internal passed test Intersite


Old domain controller crashed. Created a new one..having to rejoin computers to domain..easier way to do this?


I had a single domain controller. It has crashed. I had to create a new domain controller with all the same existing information as the old server: same domain name, server name, and IP. I'm having issues with desktops. Everything is set up on the server. The desktops, however, I need to rejoin to the domain and get them to start syncing properly. But when I do this, the profile resets itself to a new profile. How can I keep the same profile with the same documents? Or am I out of luck on this and have to recreate the profiles? I have had to recreate the profiles so far, but do not want to do this for about 5 computers because there is way too much software and work that will need to be involved in moving these profiles. Any shortcut for these computers to automatically see this domain server and sync to it? Everything is identical to the old server. The old server is inaccessible.

The new server's domain name is the same, the IP address is the same, and the computer name is the same. AD is running with all identical information. DNS is installed.

Let me know if anyone has some advice on here.


Can't authenticate against secondary domain controller


Hi,

I have 2 domain controllers which share operations. The secondary DC handles authentication; however, I can't authenticate against it unless the PDC is online, or has been online while the secondary DC is

I've transferred all the FSMO roles to the secondary DC to make it the operations master, which hasn't made a difference.

How do I authenticate against this second DC without the PDC being online?

Thanks

ADFS and 'unable to authenticate errors'


Hi All,

Is it possible to have the IdP return an error via a web page to the end user in the event they cannot authenticate or have incorrect group memberships for accessing a service provider?

Case A

The user is not allowed access to the resource, so is given an error saying you cannot use the following service.

Case B

The user is in group A, which has limited access to the resource, but not group B, which has enhanced access; can it say "you are a member of group A" as a message?

The question comes from setting this system up for global enterprises; it helps ticket logging for the global helpdesk for the different services (access issue rather than service issue).

Cheers,

-M
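An added example, not part of the original post, showing how far AD FS (2012 R2 cmdlets) can go for the two cases. Access is decided by the relying party's issuance authorization rules; a user who matches no permit rule gets the AD FS authorization error page, and the text of that page can be set per relying party. A user who is authorized (case B) never sees an error page, so the only way to tell them which level they got is to issue a claim the application displays. The relying party name, group SIDs and claim type URI are all assumptions.

```powershell
# Added example, not from the original post. AD FS 2012 R2. Relying party name, group SIDs
# and the custom claim type are assumptions.
$rp     = 'HR Portal'
$groupA = 'S-1-5-21-1111111111-2222222222-3333333333-1101'   # assumption: group A (basic access)
$groupB = 'S-1-5-21-1111111111-2222222222-3333333333-1102'   # assumption: group B (enhanced access)

# Authorization: permit only members of A or B. Everyone else is denied before any token is
# issued, which is the case A error page. (The groupsid claims come from the AD claims
# provider's default pass-through rules.)
$authzRules = @"
@RuleName = "Permit members of group A or group B"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^($groupA|$groupB)$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $authzRules

# Case A: the message the denied user sees on the AD FS error page for this relying party.
Set-AdfsRelyingPartyWebContent -TargetRelyingPartyName $rp `
    -ErrorPageAuthorizationErrorMessage "You are not entitled to use $rp. Raise an access request with the service desk (category: Access), not an incident."

# Case B: an authorized user gets no error page, so hand the application an access-level
# claim it can show ("you have basic access") or act on. A user in both groups gets both claims.
$transformRules = @"
@RuleName = "Access level: enhanced"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupB"]
 => issue(Type = "http://corp.example/claims/accesslevel", Value = "enhanced");
@RuleName = "Access level: basic"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupA"]
 => issue(Type = "http://corp.example/claims/accesslevel", Value = "basic");
"@
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceTransformRules $transformRules
```

The split matters for the helpdesk goal: case A is visible in the AD FS audit/admin log as a failed authorization for that relying party, while case B is an application-side message and will only show up in the application's own logs.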

2012 DCs restarting after renaming any group in dsa.msc


Hi

I have AD 2012 R2 with DFL and FFL 2012 R2 in my forest.

Now, when I rename any group in dsa.msc, it restarts the DC with the message below:

Your PC will automatically restart in one minute

Windows ran into a problem and needs to restart. You should close this message now and save your work.

Please help us to resolve this issue.

Migrating FSMO from Server 2003 to 2008 R2


I need to migrate my FSMO roles from Server 2003 to 2008 R2.

Server 2003 Name = ma-file 10.1.1.2 - "DC" and "FSMO"

Server 2008 Name = ma-file1 10.1.1.3 - "DC"

I have many applications using the DNS name "ma-file", mainly our EMR application for storage, FTP, etc. I'd rather not make any changes to the EMR.

Question 1:

Can I simply move the FSMO roles from ma-file to ma-file1, then rename ma-file to something else, then rename ma-file1 to ma-file, and as a last step swap the IPs? Will this cause any issues? Most importantly, will this work?

Question 2: Does anything need to be done on Exchange 2010 once I move the FSMO roles and rename ma-file1 to ma-file?

Thanks for advice!

 


Dave Santel
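An added example, not part of the original post, covering only the FSMO part of question 1: transferring all five roles to ma-file1 and verifying that both the forest and domain objects agree before anything is renamed. The rename and IP swap are separate steps and are not shown. Run with an account in Domain Admins, Enterprise Admins and Schema Admins (the schema and domain naming masters are forest-level roles); the script needs the RSAT ActiveDirectory module, netdom and repadmin.

```powershell
# Added example, not from the original post. Transfers (not seizes) all five FSMO roles from
# ma-file to ma-file1 and verifies. Server names are taken from the post.
Import-Module ActiveDirectory

$target = 'ma-file1'
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Verify from AD: every role must now name ma-file1. Do this before touching ma-file.
$d = Get-ADDomain
$f = Get-ADForest
$owners = [pscustomobject]@{
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
}
$owners | Format-List
$notMoved = $owners.PSObject.Properties | Where-Object { $_.Value -notlike "$target.*" }
if ($notMoved) { Write-Warning ("Still elsewhere: " + (($notMoved | ForEach-Object { $_.Name }) -join ', ')) }

# Cross-check from the old DC's point of view and confirm replication is clean, so the role
# transfer has reached ma-file before it is renamed or demoted.
netdom query fsmo
repadmin /showrepl ma-file /errorsonly
repadmin /replsummary
```

Keep the transfer and the rename as separate changes with a replication check between them; a role transfer that has not replicated when the old host disappears is the usual way people end up having to seize roles.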


2012 Virtual Machine Black Screens Whenever Promoting to Domain Controller


I have a brand new 2012 cluster with 2 Hyper-V host nodes running Server 2012 (not R2). I have successfully spun up several virtual machines from templates via VMM 2012 R2.

I added the AD DS role today to my DC01 server running Server 2012 (not R2). Then I promoted it to a domain controller. When it came back up I got the login screen as normal and logged in. Upon login I only see a black screen. I can press Ctrl-Alt-Del and get the typical menu, but only logout responds. Everything else, such as Task Manager, just goes back to the black screen. Connecting via remote Event Viewer and checking logs and events shows the DC promo was successful; I can verify replication to other DCs, etc. I don't see any problems with this server other than that I can't see it after login. RDPing in gives the black screen as well. I am able to log in via safe mode and can see the desktop, but am not sure how to troubleshoot from there. I verified that integration services were the latest and greatest before I promoted it.

I demoted it via Server Manager on another Server 2012 server, then removed the roles and deleted it. I just created a new server and did the same process, only using a remote Server Manager for DCpromo this time. After reboot I have the identical issue with a black screen.

Can anyone help?

Peter

