Channel: Directory Services forum

DsRemoveDsServerW error 0x5(Access is denied.) when removing failed 2003 DC using NTDSUtil


Hi,

I have a failed 2003 SP2 DC (hardware failure) and I've already seized the FSMO roles onto another DC. Currently, we have two functioning DCs. The ones still functioning are 2003 SP2 and a 2008 RTM SP2 in a Windows 2003 domain functional level.

I've read through this link and I'm having the same issue, but I'd rather use the metadata cleanup if I can to make sure it's properly removed.  I am going to reuse the same hostname and IP if possible.

Remove the orphaned DC failed-
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/5dcf30ce-e5d5-4f9b-81e4-d0a49651da06

I've checked to make sure the failed DC's object option for "Protect this object from accidental deletion" is unchecked. I've even toggled this to see if that was the problem. I'm also using a user account which is a member of the Domain Admins, Enterprise Admins, and Schema Admins groups. Just to be sure, I've created a new account and added it to those 3 groups, but still no luck and I receive the same error.

I've only run ntdsutil on the 2008 DC, but will try running it on the 2003. I doubt this would matter, though?

Any ideas?

metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=CLAY-DC2,OU=Domain Controllers,DC=CLAY,DC=CNTY".
Deleting subtree under "CN=CLAY-DC2,OU=Domain Controllers,DC=CLAY,DC=CNTY".
The attempt to remove the FRS settings on CN=CLAY-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CLAY,DC=CNTY failed because "Element not found.";
metadata cleanup is continuing.
DsRemoveDsServerW error 0x5(Access is denied.)

Rory Schmitz

Add RODC W2k12


Hi, I have a forest and domain in W2k8R2 native. A few days ago I extended the schema and prepared the domain to install W2k12 domain controllers.

The first DC that I installed was an RODC on 2012. The process completed OK, but when I check the dashboard I receive the following error: "Error determining whether the target server is already a domain controller: the domain controller promotion completed, but the server is not advertising as a domain controller."

I checked DNS resolution from this server and it is OK; we don't have errors in the event viewer, but this warning is showing.

Does somebody know what could be causing this?

Regards

Hosting ADFS and AD LDS on the same servers


We're not looking for these two components to inter-operate with each other or leverage each other as some other threads suggest. We'd simply like to host these components on the same two-server NLB cluster. Is this possible, or should we get separate servers for each component? Thinking the servers would be under-utilized running just one tool.

Thanks!

Kerberos KCC_ERR_S_PRINCIPAL_UNKNOWN


I have 2 Domain Controllers (DC and ADC) in Windows Server 2003

I have added these SPNs on the ADC, reset the SPN using the setspn command for the ADC machine, checked for duplicate entries using an LDAP tool, and set the delegation from the ADC properties in dsa.msc (Domain Controllers), but the issue is not resolved.

On the ADC, a Kerberos event 3 error with KCC_ERR_S_PRINCIPAL_UNKNOWN and the description below appears when I log in to the ADC; otherwise it does not appear.

A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 4:45:55.0000 11/22/2012 Z (It also shows a different time than the ADC shows)
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: abc.com
Server Name: hostname.abc.com
Target Name: hostname.abc.com@abc.com
Error Text:
File: 9
Line: ae0
Error Data is in record data

 

One KCC_ERR_S_PRINCIPAL_UNKNOWN error comes regularly every minute if I take a remote session to the ADC and lock it without logging off; otherwise it does not come.

 

A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 4:52:57.0000 11/22/2012 Z (It also shows a different time than the ADC shows)
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: abc.com
Server Name: cifs/X.X.X.X (IP address of the ADC)
Target Name: cifs/X.X.X.X (IP address of the ADC)@ABC.COM
Error Text:
File: 9
Line: ae0
Error Data is in record data.

 

Please help on this issue.

Thanks in advance

LSA and GroupPolicy Error-Events on 2012 DC after dcpromo


Hi All

I have started to migrate my domain controllers from 2003-R2 to 2012.
My first 2012 DC now has some errors in the event log. I am unsure if this is a problem or not.


First I got Event-ID 40961 from LSA:

Log Name: System
Source: LsaSrv
Level: Warning
Event Source: LSASRV
Event ID: 40961
User:  SYSTEM
Computer: DC12.domain.com
Description: The Security System could not establish a secured connection with the server ldap/dc12.domain.com/domain.com@domain.com. No authentication protocol was available.


Immediately after this event I got an Event-ID 1006 from GroupPolicy:

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1006
Level: Error
User: SYSTEM
Computer: ComputerName
Description: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).
Details: SupportInfo1: 1, SupportInfo2: 5464, ErrorCode: 49


The GroupPolicy Event then repeats every ~5min. The LSA Event every ~1h.


At this time I have a co-existence of two 2003-R2 DCs and one 2012 DC.

 

Any Ideas or Solutions?


Thanks

Gargamelius

Redesigning my AD - ou structure advice


Hi all,

I am in the process of redesigning our AD. The original AD person before me used the default containers (Computers and Users) to store 90% of our objects, which obviously is a nightmare to manage.

So we really need to move them into a proper ou structure.

This is what I have come up with so far for the OU structure.

- Domain
- Organisation
- Country
- Departments
- Users and Computers
- staff, managers etc... (under both Users and Computers)

Does this sound ok or maybe too much? I think with this design it will make managing the AD fairly simple. What do you think?

Thanks

Mac

Users fail to log in after setting "user must change password at next logon"


Hi:

In our Active Directory environment, any new AD user who has "user must change password at next logon" set cannot log in to the domain. The strange thing is that when the AD user attempts to log in, the KDC returns KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN to our application, while we are pretty sure that the AD user exists on the server.

In the AD environment there are 2 DCs in the domain; the issue only exists when our application attempts to log in to a particular DC. The issue does not exist on the other DC. And we are pretty sure that it is not due to a replication issue.

Just wondering why the KDC would return the KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN error code after we check "user must change password at next logon"? Is it due to a configuration issue?

Note: The "passwords remembered" GP was set to 0 on the domain.

This is what we did :

1. Join the machine to the AD domain.
2. On the DC, create a new AD user using ADUC.
3. Log in as the new AD user on the client machine: login OK.
4. In ADUC, check "User must change password at next logon" for the newly created AD user.
5. Log in again using the same AD user on the client machine. Login failed immediately; from the network trace, the KDC (the same DC where we just created the AD user) returned "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" to our AS_REQ request.

The following network trace shows that we are able to modify this user on the DC, to prove that the user actually exists.

Then later, attempting the login as the same user, the KDC said the user is unknown.

Why would the KDC return principal unknown after forcing the user to change password at next login?

Any help is appreciated.

Thank you!

Yen


Event ID 1864: repadmin /showrepl is OK but unable to replicate directory partitions

Hi all, I have two Domain Controllers (W2008 core, running W2008 functional level) in a child domain called test.domain.com, and the parent domain is domain.com. About 3 weeks ago, I began receiving the following error (see below for the full error message) on the directory partitions: CN=Configuration,DC=domain,DC=com; CN=Schema,CN=Configuration,DC=domain,DC=com; DC=ForestDnsZones,DC=domain,DC=com; DC=domain,DC=com

When I run repadmin /showrepl on both domain controllers in test.domain.com, it checks back clean. I'm at a loss as to why it's not able to replicate even though repadmin /showrepl is good... any ideas where I can look to resolve this issue?


Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          6/16/2009 3:00:17 PM
Event ID:      1864
Task Category: Replication
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC1
Description:
This is the replication status for the following directory partition on this directory server.
 
Directory partition:
CN=Configuration,DC=domain,DC=com
 
This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals.
 
More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
60
 
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

can't open namespace


hi

When I create a new namespace in DFS Management and give it special permissions as in the picture,

and then open it in Explorer and the credential pop-up appears, I type the special account that I created in the above picture, and it gives me the following error.


YaHyA.ZaHeDi

Time Sync - Best Practice and related questions


Hello All - I want to enable the NTP service on my domain so that all my VMs, client computers, NAS boxes and storage devices sync with one single source.

I have been through articles which describe how to create an authoritative time server in a Windows 2008 R2 environment; however, there are a couple of questions unanswered. Looking for help on the same.

Is there a tool to help draw the current architecture of time sync?

Do I need to factor in DR when I am creating a new NTP server?

What is the hardware requirement, and if I choose the same config as the PDC will that be OK?

Puzzled at the moment, need help!!!


Anand



Restrict administrative accounts


Hi,

I'm looking for a way to restrict certain domain accounts (Domain Admins, Enterprise Admins, etc.).

Is it possible in a Windows Active Directory environment to allow certain AD user accounts to log on to AD only if they are coming (source IP) from a particular IP address/machine name? Or, to put it differently, I want Kerberos to issue tickets (TGTs, STs) for certain accounts only if the client issuing the authentication request is in a particular IP/IP-band/machine name.

Maybe any third-party products that allow such settings?

Regards,

Michael

Domain members disappear


We have some crazy stuff going on. We can add members to Domain Admins and they stay some time, but after a while they are removed. I can add a group into domain admins and after a while they go away too. Now the users that are currently in the DA group remain without issue, but if you attempt to add someone they are removed. I have checked the restricted groups GPO and the domain admins are listed as a group, members say the same DA, and Member of is administrators. I have checked the permissions on AdminSDHolder CN on AD, and permissions match up to what MS says they should.

Can I get some other ideas on what to check?

Thank you,

Mike

DNS Appending Space to DC Names


The client I am currently working at has asked me to take a look at one of their many Active Directory forests. They are saying their admins are reporting the fact that they cannot make any amendments to groups etc. in AD. Initial analysis showed that replication was working OK; however, when I took a close look at the underlying DNS I noticed that the DNS appears to be adding a space to the end of the NS (the NS are the domain controllers).

If I run a netdiag /test:dns the following error is displayed:

DNS test . . . . . . . . . . . . . : Failed
    [FATAL] The DNS host name 'SERVERNAME.DOMAIN.DOMAIN.DC.DC ' is not valid. [DNS_ERROR_INVALID_NAME_CHAR]
          [WARNING] Cannot find a primary authoritative DNS server for the name
            'SERVERNAME.DOMAIN.DOMAIN.DC.DC .'. [RCODE_SERVER_FAILURE]
            'SERVERNAME.DOMAIN.DOMAIN.DC.DC .' may not be registered in DNS.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server 'IP.IP.IP.IP'. Please wait for 30 minutes for DNS server replication.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server 'IP.IP.IP.IP'. Please wait for 30 minutes for DNS server replication.
    [FATAL] No DNS servers have the DNS records for this DC registered.

NOTE: I've changed the client server/domain/ip addresses to remove any reference that can identify the client.

Those with an eagle eye will note the " " at the end of the dns record, hence the DNS_ERROR_INVALID_NAME_CHAR message. This is the same on both the domain controllers in the domain. Has anyone come across this before? If so did they manage to fix this without doing a complete forest rebuild?

I've gone through every config file, setting etc. looking to see where this rogue " " is coming from but cannot find it. The DNS would appear to be FUBAR'd and my gut feeling is due to the fact the client does not have a backup of the AD from before this error that this is "un-fixable" and the client is in a very uncomfortable place.

Before I go back and write up my report suggesting a complete rebuild from scratch (as no restore option is available) I thought I'd throw this out to my peers. Has anyone come across this before, do they have any tips/procedures for re-creating the DNS in the whole forest (Windows 2003 R2), any other suggestions that I can try etc.

I've done the dcdiag /fix, netdiag /fix, etc. etc., but the error (space appended to the end of the NS record) is still present.
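As an added example (not from the original post), the following Python check pulls the quoted names out of netdiag-style output and validates them against RFC 1123 host-name rules, so a stray character such as the trailing space described above is reported with its exact offset. The sample output is constructed from the lines quoted in the post; the server and domain names are the placeholders the author used.

```python
import re

# Constructed sample shaped like the netdiag /test:dns output quoted above.
# Names and IPs are the author's placeholders, not real hosts.
NETDIAG_OUTPUT = """\
DNS test . . . . . . . . . . . . . : Failed
    [FATAL] The DNS host name 'SERVERNAME.DOMAIN.DOMAIN.DC.DC ' is not valid. [DNS_ERROR_INVALID_NAME_CHAR]
          [WARNING] Cannot find a primary authoritative DNS server for the name
            'SERVERNAME.DOMAIN.DOMAIN.DC.DC .'. [RCODE_SERVER_FAILURE]
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server 'IP.IP.IP.IP'.
"""

# RFC 1123 host label: 1-63 ASCII letters, digits or hyphens, no leading/trailing hyphen.
# Note: SRV record owner names such as _ldap._tcp contain underscores and are legal
# as record names, but they are not host names and would be flagged by this check.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Names netdiag prints after "host name" or "the name", possibly wrapped onto the next line.
QUOTED_NAME_RE = re.compile(r"(?:host name|the name)\s+'([^']*)'", re.IGNORECASE)


def check_hostname(name):
    """Validate a DNS host name; return a list of problems (empty means valid).

    A single trailing '.' (the root label of an FQDN) is accepted. Every
    character that cannot appear in a host name is reported with its offset,
    so invisible defects like a trailing space are easy to spot.
    """
    problems = []
    if name.endswith("."):
        name = name[:-1]
    if len(name) > 253:
        problems.append("name longer than 253 characters")
    for i, ch in enumerate(name):
        if not (ch.isascii() and ch.isalnum()) and ch not in "-.":
            problems.append("invalid character %r at offset %d" % (ch, i))
    for label in name.split("."):
        if not label:
            problems.append("empty label")
        elif not LABEL_RE.match(label):
            problems.append("invalid label %r" % label)
    return problems


def find_invalid_dns_names(output):
    """Scan netdiag-style output and return {quoted name: [problems]}
    for every quoted DNS name that fails check_hostname."""
    results = {}
    for match in QUOTED_NAME_RE.finditer(output):
        name = match.group(1)
        problems = check_hostname(name)
        if problems:
            results[name] = problems
    return results


if __name__ == "__main__":
    for bad_name, why in find_invalid_dns_names(NETDIAG_OUTPUT).items():
        print("%r -> %s" % (bad_name, "; ".join(why)))
```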

DSADD, setting securities on pre-staged accounts


I need to pre-stage hundreds of computer accounts into a specified OU, which I can do via a batch file, lines of which may be:

dsadd computer "cn=client01,OU=In Build,OU=IT,dc=mydomain,dc=co,dc=uk"
dsadd computer "cn=client02,OU=In Build,OU=IT,dc=mydomain,dc=co,dc=uk"
dsadd computer "cn=client03,OU=In Build,OU=IT,dc=mydomain,dc=co,dc=uk"
etc.

 

If I did this one by one via the gui I can specify "user or group who can join this computer to the domain". Is there such a parameter within DSADD?

thanks

Domain Admins have no admin access on XP workstation


Hi all,

I am having the strangest problem. I've been slowly rolling out an AD (2008 level) domain over our entire organization.  I'm nearing the end, and was adding one of the last computers to the domain.

Bind seemed to work okay, domain users can log in, but Domain Admins clearly don't have admin privileges. I've logged in as the local administrator, and admin privileges work fine; I can see that Domain Admins is a member of the local Administrators group. I tried removing Domain Admins from the local Administrators group and adding it back, and tried running gpupdate /force. The computer shows up in Users and Computers on the PDC.

I can't understand why domain users would be able to log in but not be allowed admin privileges when added to the correct group. Does anyone have any suggestions?

Thanks!


RODC Servers DNS service stops and DHCP gets unauthorized


I am facing a problem on the RODC servers located at remote locations away from the main office which affects both DNS and DHCP. When these services are down, the critical business services go down, including even file services. The background of this problem is WAN network connection outages. We have come across different logs which have been discussed on various forums here: 4000, 4015, 4013... and many more on DNS, and also an error log on DHCP: The DHCP service failed to see a directory server for authorization. What I am looking for is not how to restore the DNS service or authorize DHCP, because for sure when the WAN network is back, when I point to the main DC and reboot, then force replication, all these services are restored.

What I need is, for example, for DHCP: I found that we can disable rogue detection:

To disable rogue detection

  • Click Start, type regedit in Start Search, click Yes in User Account Control if prompted, and then press ENTER.
  • In the registry tree, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters.
  • Right-click DisableRogueDetection and then click Modify…
  • In Value Data type 1 and then click OK.

and the DHCP service will not stop working. I have not found a solution for DNS, though some posts have pointed to setting the registry value Repl Perform Initial Synchronizations to 0 in order to bypass initial synchronization requirements in Active Directory as per http://support.microsoft.com/kb/2001093.

Is there any solution or configuration, with evidence, which will make sure that these services can remain working when the connection is down? All your support will be helpful. I know there are good and quick minds here....

Importing Bulk Contacts using LDIFDE


Hi,

I have 1000 mail-enabled contacts to import into Exchange Server 2010. I know we can complete it with a single ldifde command. I want to know what kinds of attributes I can prepare in an Excel file to import into Exchange Server 2010. Is there any template file available for this? Can someone help with this?

I know how to import contacts using the csvde command and the details file import, but I cannot update any attributes in case of a future update. Using the ldifde command it is possible. Kindly help.

Many thanks in advance.


Chandru CT.

AD Server decommissioning


We have a site with some servers and users.

I need to decommission the only AD server on this site (other AD servers exist elsewhere, along with the FSMO roles).

Should I stop this server being a global catalog server first and then dcpromo, or just go for the straight dcpromo?

Need to ensure that the other servers and clients continue to function fine as this site is almost in use 24 hours.

I would like to test the removal of this server first by downing the server for 12 - 24 hours, how would this affect users and servers onsite and can this be done safely in the day?

Looking forward to your comments :)

DNS Zone Transfer Settings -- Keeps reverting back

If I go to my Windows 2008 PDC > Server Manager > Roles > DNS Server > DNS > Servername > Forward lookup zones > domain.com and right click then go to properties and Zone Transfers the previous admin had it configured to do transfers to a particular **ehhem** workstation.  As a DA I have attempted to change the setting to do zone transfers to "Only to servers listed on the Name Servers tab" however it keeps reverting back to the workstation.  Any ideas?

Windows 2008 Domain controllers


I have a DC (Windows 2008 R2) with IP address 192.168.1.240.

The main DNS/DHCP is provided by the ISP router (192.168.1.1).

Now I have a branch office that would like to have a DC (192.168.2.240). They also have an ISP router (192.168.2.1) that provides DNS/DHCP.

The new server for the branch (192.168.2.240) could not be joined to the AD forest due to a DNS issue during dcpromo

(An Active Directory Domain Controller for the domain xyz.local could not be contacted)

Both servers can ping and see each other's files, etc. What DNS issue is causing this problem?

Best regards

Abraham
