Channel: Directory Services forum

User gets access denied when changing network password


We have one user in an environment of 5000+ who gets "access denied" when he tries to change his network password on Windows XP or Windows 7. "User cannot change password" is not checked on his AD account, and it matches other users who can change their password just fine.

Any guidance is appreciated.


How to monitor ADFS 2012r2, Commercial services use HEAD and ADFS returns 500 instead of 200


I have set up an on-prem ADFS and an off-prem ADFS.

I want to use DNS failover to monitor them and switch to off-prem as required.

I've tried both Amazon Route 53 and DNS Made Easy monitoring, and both appear to use the HEAD command rather than the GET command. How can I monitor these services? ADFS 2012r2 does not seem to support the HEAD command.

curl -iX GET h t t p s ://fs.redclay.com/adfs/ls/idpinitiatedsignon.htm returns 200 whereas

curl -iX HEAD ... or curl -I ... return 500 or just hangs forever.

Only by the process of elimination have I come to the conclusion that the HEAD command is being used. I don't know how to sniff SSL, but both DNSMadeEasy and AmazonAWS say the services are down when I know they are up.

DomainDNSZones - Last Replica prompt on DC promo (uninstall)


Hi All,

Here is some quick info before I ask the question.

We are upgrading AD from 2008 R2 to 2012 R2.

We have a parent domain, and a child domain.

ALL DNS is hosted by the parent domain.

While attempting to remove one of the 2008 R2 child domain controllers I was prompted with "This domain controller holds the last replica of the following application directory partition: DC=DomainDnsZones,DC=Childdomain,DC=ParentDomain,DC=com".

Question: If there is no DNS on that domain, is this safe to remove?

Notes:

This server I am demoting has no FSMO roles for the child domain.

This child DC in particular has DNS installed on it, but has no zones. Wondering if it was installed by accident.

Thanks!

Best way to implement active directory in multiple locations


Hi,

Currently we don't have an Active Directory domain and are looking into configuring a test setup for it.

We have 6 countries and in some countries we have 2 to 3 sites. There is a constant VPN connection between all the locations.

Our users travel between the sites. IT is managed from a central location, and there is one IT responsible at each site who also has to create / modify users.

Should we go for one domain with a domain controller in each site? Or should we go for a parent DC at central location with child DC (sub domains) at the other sites?

What are the pros and cons of each scenario?

Kr,

Joeri

netlogon.log why does my member server query my domain controller as a domain?


Here is a section of my netlogon.log. I have been reading about how netlogon builds its DNS request from the information it collects, but I'm not sure where this information is stored. I have set up Wireshark as well, and I can see that the DNS request sent is invalid: _ldap._tcp.dc1.mydomain.com should be _ldap._tcp.mydomain.com, which is in my DNS.

Is this normal?

I have checked my DNS and confirmed this is not a DNS issue.

It is what the client is requesting that seems to be wrong.

03/25 19:51:09 [MISC] DsrEnumerateDomainTrusts: returns: 0
03/25 19:51:09 [MISC] DsGetDcName function called: Dom:Mydomain Acct:(null) Flags: DS RET_DNS 
03/25 19:51:09 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
03/25 19:51:09 [MISC] NetpDcGetName: mydomain.com. using cached information
03/25 19:51:09 [MISC] DsGetDcName function returns 0: Dom:Mydomain Acct:(null) Flags: DS RET_DNS 
03/25 19:51:09 [MISC] DsGetDcName function called: Dom:mydomain.com Acct:(null) Flags: DS BACKGROUND RET_DNS 
03/25 19:51:09 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
03/25 19:51:09 [MISC] NetpDcGetName: mydomain.com using cached information
03/25 19:51:09 [MISC] DsGetDcName function returns 0: Dom:mydomain.com Acct:(null) Flags: DS BACKGROUND RET_DNS 
03/25 19:51:10 [MISC] DsGetDcName function called: Dom:DC1.mydomain.com Acct:(null) Flags: LDAPONLY RET_DNS 
03/25 19:51:10 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
03/25 19:51:10 [CRITICAL] NetpDcGetNameIp: DC1.mydomain.com: No data returned from DnsQuery.
03/25 19:51:10 [MISC] NetpDcGetName: NetpDcGetNameIp returned 1355
03/25 19:51:10 [CRITICAL] NetpDcGetName: DC1.mydomain.com: IP and Netbios are both done.
03/25 19:51:10 [MISC] DsGetDcName function returns 1355: Dom:DC1.mydomain.com Acct:(null) Flags: LDAPONLY RET_DNS 
03/25 19:51:10 [MISC] DsGetDcName function called: Dom:DC1.mydomain.com Acct:(null) Flags: LDAPONLY RET_DNS 
03/25 19:51:10 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
03/25 19:51:10 [MISC] NetpDcGetName: DC1.mydomain.com similar query failed recently 16

Can a 2003 domain controller be taught to issue AES128 or AES256 kerberos tickets?


Hello Everyone,

We are running a 2003 native mode domain with a mixture of 2003 / 2008 R2 / 2012 R2 domain controllers and a mixture of XP / Win7 / Win8.1 clients.

As far as I understand, our Kerberos ticket-granting tickets are always RC4-HMAC because of the domain level. We would like our Win7 clients to receive AES-128 or AES-256 TGTs for security reasons, but it will take some time until all of our 2003 domain controllers are decommissioned.

Is there a way to enable higher-level TGTs on a 2003 DC so that our Win7 clients can negotiate and receive AES TGTs?

Thanks for your help!

HarryH

Proper Configuration of DNS server for our new branch office


Hi All,

We will set up a new branch office with a routed network link to our HO. In HO, we have 2 domain controllers configured as AD and DNS, just for failover scenarios.

How will we configure the DNS server of our 3rd domain controller, which we will place in the new branch office? What would be the proper settings for the AD-integrated DNS server to work well, especially to have successful replication and communication with the 2 DCs located in HO?

Placing RODC in Perimeter network


Thanks to all in advance. We have two ADC servers on one of our sites, with a single forest and single domain on all sites. My client wants me to install one RODC server at the same site, but in the perimeter network instead of the corporate network. Please give me feedback on the concerns below:

1. The client does not want to open firewall ports from the RODC in the perimeter to the ADC in the corporate network, although they have agreed to open ports from the ADC to the RODC. Can this scenario be possible?

2. This RODC server is used by some VC application for authentication of users. Can the RODC authenticate users without contacting the ADC (although one-sided replication is allowed from ADC to RODC)?

Please advise on the above issues. My ADC servers are Windows Server 2008 R2 SP1 and the RODC is also the same.


Remove old child domain


Hello

I am an administrator of a single forest with many child domains (35 to be exact).

We had a child domain on w2k3 R2 (geri.sem.com).
It crashed 7 years ago, and the guy before me removed it using ntdsutil.

Now, I am trying to upgrade the forest functional level and the old child domain is giving me a hard time removing it.

Using ntdsutil, in metadata cleanup I cannot remove the domain (no site available), with the error:
DsRemoveDsDomainW error 0x2015(The directory service can perform the requested operation only on a leaf object.).

So, I tried to remove the DomainDNSZones in partition management: DC=DomainDnsZones,DC=geri\0ADEL:bb7cc7ce-96f6-4a98-888c-ed139937e2ed,DC=sem,DC=com

But when I try to delete it using "delete nc" I get:
ldap_delete_ext_sW error 0x20(32 (No Such Object).

In ADSIEDIT and LDP.exe I cannot find the DNS zone anywhere. I can see DC=geri\0ADEL:bb7cc7ce-96f6-4a98-888c-ed139937e2ed,DC=sem,DC=com under partitions, but I cannot delete it, with the same error.

I followed these steps:
• Click Start, click Run, type adsiedit.msc, and then click OK.
• Expand the Domain NC container.
• Expand DC=<Your Domain>,DC=COM.
• Expand CN=System.
• Right-click the Trust Domain object, and then click Delete.

But under CN=System, the child domain is NOT there.

I also followed these steps:

I opened the Configuration Naming Context
(CN=Configuration,DC=domain-name,DC=com)
and expanded CN=Partitions. You'll see the crossRef objects in there; delete it.


I can see the partition CN=GERI, and I tried to delete it and got this error:

ADSIEDIT
Operation failed: Error 0x2015
The directory service can perform the requested  operation only on a leaf object.
00002015: UpdErr: DSID-03100CB8, problem 6003
(CANT_ON_LEAF_), data 0

Please Help

Customising a users display name AD


Our company wants us to change the users' display name from "SN, GivenName" to "GivenName SN (Company)".

I've had a play around with ADSI Edit and ADModify etc., and while changing the name order is straightforward, I cannot get the "company" to show in the DisplayName. Does anyone know if this is actually possible? And if so, how?

Thanks in advance

Problem in joining client in domain


Hello,

I am having an error while joining a client to my domain. I have a DC-DR environment: in my data center (DC) I have AD-integrated DNS (IP 172.16.10.72), and in the Disaster Recovery site (DR) I have created an ADC for the domain service (IP: 10.249.229.150, Primary DNS: 172.16.10.72). Now, while joining my clients at DR to the domain, I am using DNS IP 10.249.229.150, but it's not joining; it shows a DNS error. Kindly support.


Swaprakash..


Schannel error, Event ID 36888? - Is there a way to identify what causes Schannel to log the error?


Hi, I hope this is the correct forum for this problem,

I am seeing a few of these errors (error details below) sporadically throughout the system event log on a Windows 2008 R2 server. I have seen a number of threads about Schannel errors:

http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/b2e0e110-f9ca-4113-8f4d-f20d6b39b8c7

http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/92c63737-c2a3-41f7-8878-3b0cf5ee95ff/

http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/675864e2-2856-44fa-b3bc-ef275d391d45

http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/4b505150-c709-45a2-b9f3-abc7c9988d6a

http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/80b1ceee-9835-4f78-af0f-5b00a8964f34

However, I can find no clear way of finding what exactly is causing the error. It would appear that Schannel is logging the errors, but that these errors are being caused by other processes. Now I know that this is obviously SSL/TLS related. So my question(s) are these:

What exactly is Schannel and what does it do?

How do you identify the actual problem?

I list the error details below; the PID referenced in the error is lsass.exe, which I believe deals with authentication. Is there any way to trace what is actually causing the issue?

For reference, the PID 604 noted below is lsass.exe.

The General error is
    The following fatal alert was generated: 10. The internal error state is 1203.

The Details are

- System

  - Provider

   [ Name]  Schannel
   [ Guid]  {1F678132-5938-4686-9FDC-C8FF68F15C85}
 
   EventID 36888
 
   Version 0
 
   Level 2
 
   Task 0
 
   Opcode 0
 
   Keywords 0x8000000000000000
 
  - TimeCreated

   [ SystemTime]  2010-06-18T04:51:41.830028400Z
 
   EventRecordID 10087
 
   Correlation
 
  - Execution

   [ ProcessID]  604
   [ ThreadID]  3828
 
   Channel System
 
   Computer <ComputernameRemoved>
 
  - Security

   [ UserID]  S-1-5-18
 

- EventData

  AlertDesc 10
  ErrorState 1203

adprep /domainprep failed on server 2003 std trying to upgrade to 2008


In the process of switching the DC from 2003 Std to 2008 x64 Std SP2. Downloaded the 32-bit version of adprep.exe and ran adprep /forestprep with no errors. When running adprep /domainprep I get error messages.

Hi, trying to get adprep /domainprep to complete. adprep /forestprep ran fine. I received the following errors as pulled from adprep.log. Schema shows as being at 44 (2008). Used ADSI to look at permissions. I believe permissions are where they are supposed to be, but not sure. Any help would be greatly appreciated.

Output from adprep.log

Adprep checked to verify whether operation cn=0b7fb422-3609-4587-8c2e-94b10f67d1bf,cn=Operations,cn=DomainUpdates,cn=System,DC=fia,DC=local has completed.[Status/Consequence]The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.


Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=71482d49-8870-4cb3-a438-b6fc9ec35d70,cn=Operations,cn=DomainUpdates,cn=System,DC=fia,DC=local.


LDAP API ldap_search_s() finished, return code is 0x20


Adprep verified the state of operation cn=71482d49-8870-4cb3-a438-b6fc9ec35d70,cn=Operations,cn=DomainUpdates,cn=System,DC=fia,DC=local. [Status/Consequence]The operation has not run or is not currently running. It will be run next.


Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is CN=Password Settings Container, CN=System,DC=fia,DC=local.


LDAP API ldap_add_s() finished, return code is 0x13


Adprep was unable to create the object CN=Password Settings Container, CN=System,DC=fia,DC=local in Active Directory Domain Services.[Status/Consequence]This Adprep operation failed.[User Action] Check the log file ADPrep.log in the (null) directory for more information. Restart Adprep.

Adprep encountered an LDAP error. Error code: 0x13. Server extended error code: 0x51b, Server error message: 0000051B: AtrErr: DSID-03150B5E, #1:
 0: 0000051B: DSID-03150B5E, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
.


Adprep was unable to update domain information. [Status/Consequence]Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.[User Action] Check the log file, ADPrep.log, in the C:\WINDOWS\debug\adprep\logs\20101221105735 directory for more information.

Changing to "Password must meet complexity requirements": when does the end user need to change the password?


Changing to "Password must meet complexity requirements": when does the end user need to change the password? Is that when the user next logs in, or is it when the existing password expires?

We are about to change this, and I have done it before a few years back, but I don't remember if it was at the next login or when the password expired.

DNS Island


I have seen previous forum questions which state that the 'DNS Island' issue was resolved in Windows Server 2003 and is no longer a concern.

Example:  http://social.technet.microsoft.com/Forums/windowsserver/en-US/a2cc4edd-334b-46b2-bbd2-6e380b8788d7/2008-server-dcdns-best-practices?forum=winservergen

Can anyone within Microsoft comment on exactly what was changed so that this is no longer an issue? I'm just wanting to understand things more in depth.

Thanks!

Robert (Formerly a-roberwil, rowilli, a-rowil)

DNS Island definition


Hello Team,

Could you please explain what a DNS island is?


AliahMurfy

AD FS 2012 R2 Windows Integrated Authentication


We are implementing our first AD FS environment and are running into a couple of snags. The main issue I am having is that when connecting to https://sso.domain.com/adfs/ls/idpinitiatedsignon, I am being asked to enter my credentials before authentication to the relying party trust. I have entered https://sso.domain.com/adfs/ls/idpinitiatedsignon into our trusted sites and I am still being prompted for credentials. Any guidance would be greatly appreciated.

Thank you in advance,

--Scott

Finding enabled inactive users (not based on logon date)


Hi

Many posts can be found about inactive users and how to find them using PS or Dsquery or ...

But as I found, all these work using the last logon date of the user.

But here is my problem.

We have several accounts which may never log in to the domain: some service users, some system users, some accounting users, and many mobile users who are our agents across the whole country. They have mobile devices and connect to our internal network in different ways, but are authenticated against their AD user there. So they use their account every day but never log in to the domain, and what I see is that they are reported as inactive ... ! Which is not true.

How can I handle this? Maybe we should search for a parameter like last authentication time or something like that.


SYSVOL & NETLOGON not shared



I have 4 sites and 6 DCs; 2 out of 4 are 2008 R2, the rest are 2003. I'm in the process of upgrading DCs in a domain from 2003 to 2008 R2. I ran into a problem when one of the 2008 R2 DCs had a hard shutdown due to a power outage and would not come back up again.

I manually removed the DC using ntdsutil metadata cleanup, removing the DC in Sites & Services, then removing the entries in DNS. After I added a new 2008 R2 DC, the SYSVOL and NETLOGON shares do not appear, and the DC cannot connect to its own Active Directory; instead it seems to connect to a random DC from another site. There is one other 2008 R2 DC in another site which appears to be working fine. I tried to run dcpromo to demote the problem DC, but it failed when trying to transfer the remaining data in the directory partition. I suspect I will run into the same problem if I try to add another 2008 R2 DC. I'm thinking DNS may be screwed up; any ideas?

Delegate Right to Access Services on Remote Computers


Hi,

I'm trying to figure out how to set it up so our IT team can access the services of a remote computer via RSAT. I know that they can do this if they are Domain Admins, but I'd prefer to do it via delegation if possible. I've looked through the Delegation of Control Wizard, but wasn't able to find anything that looked like it might give them these rights. Does anyone know what rights I need to give them?
