Channel: Directory Services forum

AD FS in Forest Root Domain


I have an AD FS 2.0 server (Server 2012) in my forest root domain. My user domain is a child domain within that forest. I am unable to find any documentation that tells me if I need to do any further configuration to have it authenticate users from the child domain, or if that should just magically happen because of the parent-child trust relationship.

Upon rebuilding the server again and making sure that the server name and the pool name were different so I could create the proper SPN entries, I am now unable to access my server using any of the AD FS URLs. It will prompt me for my credentials 3 times and then tell me I am not authorized. I have been searching on the web but have been unable to find the solution. I have made DNS changes, added HTTP SPN entries, changed the authentication settings in IIS... I am stuck. Any help would be great.


Getting an Error When Running Server 2012 R2 adprep /forestprep on a 2012 DC


I am getting an error when running adprep /forestprep on a Server 2012 domain controller. The main parts of my domain are as follows:

2 - Domain Controllers running Server 2012

1 - Exchange Server 2013 running on Server 2012

I am trying to either do an in-place upgrade to my domain controllers to Server 2012 R2 or even introduce a Server 2012 R2 domain controller into the domain. The error I am getting is as follows:

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.
[2014/04/05:09:12:38.873]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=38618886-98ee-4e42-8cf1-d9a2cd9edf8b,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=DOMAIN,DC=local.
[2014/04/05:09:12:38.873]
LDAP API ldap_search_s() finished, return code is 0x20
[2014/04/05:09:12:38.873]
Adprep verified the state of operation cn=38618886-98ee-4e42-8cf1-d9a2cd9edf8b,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=DOMAIN,DC=local.

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.
[2014/04/05:09:12:38.873]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=DOMAIN,DC=local.
[2014/04/05:09:12:38.873]
LDAP API ldap_modify_s() finished, return code is 0x13
[2014/04/05:09:12:38.905]
Adprep was unable to modify some attributes on object CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=DOMAIN,DC=local.

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20140405091235 directory for more information.
[2014/04/05:09:12:38.936]
Adprep encountered an LDAP error.

Error code: 0x13. Server extended error code: 0x20b1, Server error message: 000020B1: AtrErr: DSID-030F112A, #1:
 0: 000020B1: DSID-030F112A, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9086f (msDS-ClaimIsValueSpaceRestricted)

DSID Info:
DSID: 0x181112dd
ldap error = 0x13
NT BUILD: 9600
NT BUILD: 16384

[2014/04/05:09:12:38.967]
Adprep was unable to update forest information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

[User Action]

Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20140405091235 directory for more information.

Any Help would be appreciated. Thanks!

Group Policy not working properly for computer Policy


Hello,

I'm facing a problem with Group Policy: when I execute gpupdate from the DCs it works fine, but from clients and servers only the user policy is working and the computer policy is failing with the error

"Updating policy... 

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).

Look in the details tab for error code and description."

Error: Event ID: 1006, Event Code: 49, and error description: Invalid credential

AD environment:

2 DCs (PDC and ADC)

Domain and forest functional levels are 2003

The ADC is holding all the FSMO roles

No DHCP servers

Using only static IPs, with DNS pointed to the PDC and ADC

NOTE: THE HOSTS FILE CANNOT BE MODIFIED

Kindly, can someone help me fix this issue?

need your help!

We have one site link configured between site A and site B, replicating every 5760 minutes (frequency). But on site B, the connection object between site A and site B is scheduled for only one hour on Wednesday and Friday. So what is the final replication schedule for these two DCs between site A and site B?

Delegate Right to Access Services on Remote Computers


Hi,

I'm trying to figure out how to set it up so our IT team can access the services of a remote computer via RSAT. I know that they can do this if they are Domain Admins, but I'd prefer to do it via delegation if possible. I've looked through the Delegation of Control Wizard, but wasn't able to find anything that looked like it might give them these rights. Does anyone know what rights I need to give them?

Issues replicating 2 DC's


I have inherited a mess. I have 2 DC's that will not replicate. Apparently there was a DC failure in the past and a new SBS server was spun up in its place and the FSMO roles were seized. 

I have DC2, which is the role holder and an SBS (2003) server; it holds all roles except the schema master, which is on a 2008 server.

When I try to replicate I get:

The following error occurred during the attempt to synchronize naming context (domain) from domain controller DC2 to DC4:

The naming context is in the process of being removed or is not replicated from the specified server.

The operation will not continue.

I've tried the reset of the netdom password with no luck....

Any insight would be appreciated. 

RODC does not receive all User and Groups


Dear NC,
I have one RODC in a branch office site.
I have selected several user groups to be replicated to the RODC, with nearly 800 users.
But when I look into the RODC I can see that only 400 users are replicated to it.

I do not understand why this happens.
Can anybody offer some useful hints please?

-Bernd

JRNL_WRAP_ERROR on both domain controllers id15638

Hi! I have read many topics about error 13568 JRNL_WRAP_ERROR. I have two domain controllers: dc1, primary, holder of all FSMO roles (Win2008R2), and dc2, secondary (Win2003R2). I have an NTFRS replication issue. I checked the system drive for errors and fixed them. Now on both servers I have error 13568. I plan to demote dc2 (Win2003); all my customers work normally when only dc1 is online. How do I fix error 13568 on dc1 so that I can promote another Active Directory server? I read that if only one DC is available, you can use a non-authoritative restore of dc2 for a working domain controller. Can this help me if I run this restore on dc1 while the other DC is off?

Triggering An NMcap Capture When A Certain Event ID Repeats


Lately we have been having an issue in our Active Directory environment where a subset of users will all be locked out. This happens at random, unpredictable times. Sometimes weeks or months apart, sometimes twice in a few days. After talking to Microsoft Support and using various tools and investigating Event IDs, we are getting no leads on what may be causing it. All events have no source IP address, but the source computer name is seemingly random and does not exist in our Active Directory, nor does it resolve via DNS. It is usually the same users, but every once in a while there will be some additional users affected. We have also tried using NetWrix Account Lockout Examiner with no luck.

Our Microsoft tech told us that we could set up an NMcap session to trigger when accounts start to get locked out, to see where the NTLM traffic is coming from.

Here is what he told us:

"You could also leverage NMCap by tying it to an event trigger.  For example, a 4625 or 4740 event on the local resource server could be set to trigger a batch file that kicks off the capture for a specific period of time:

NMCap /network * /capture /file test.cap /stopwhen /timeafter 20min "

It would be ideal, in theory, to set up some sort of logic, for example:

  • if three accounts are locked out within 20 seconds,
  • then start the capture, 
  • and append the file name with the date / time.

I am unsure of how to go about this. I have looked at the Task Scheduler, but there doesn't seem to be much logic available. We can get it to trigger on a specific event ID, but it's not ideal for the capture to start every time a user is locked out, as that is a part of day-to-day business. I also don't see a way for this NTLM command to append the file name; it seems like it would use the same filename and possibly overwrite itself.

Any help is much appreciated.  Thanks everyone!
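The threshold logic described above (three accounts locked out within 20 seconds, then start a time-stamped capture), written out as an added PowerShell example; this is not from the original post or from Microsoft. It assumes it is launched by a Task Scheduler task that fires on Security event 4740 on the DC that records lockouts (the PDC emulator), that NMCap.exe is installed at the path given, and that the capture directory exists.

```powershell
# Added example, not from the original post: burst check for account lockouts,
# run by a Task Scheduler task triggered on Security event 4740.
# Assumed: NMCap.exe at $NMCapPath, $CaptureDir exists, rights to read the Security log.
param(
    [int]$Threshold     = 3,      # distinct accounts locked out ...
    [int]$WindowSeconds = 20,     # ... within this many seconds
    [string]$NMCapPath  = 'C:\Program Files\Microsoft Network Monitor 3\NMCap.exe',
    [string]$CaptureDir = 'C:\Captures',
    [string]$Duration   = '20min' # same /timeafter value the support engineer suggested
)

function Get-RecentLockouts {
    param([int]$Seconds)
    # 4740 = "A user account was locked out". EventData[0] is the locked-out
    # account, EventData[1] the caller computer name that sent the bad passwords.
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddSeconds(-$Seconds) }
    # Get-WinEvent reports an error when nothing matches; that just means no lockouts.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value
            Caller  = $_.Properties[1].Value
        }
    }
}

function Test-LockoutBurst {
    param([object[]]$Lockouts, [int]$Threshold)
    # Count distinct accounts, so one user retrying a stale password does not trigger a capture.
    $distinct = @($Lockouts | Select-Object -ExpandProperty Account -Unique)
    return ($distinct.Count -ge $Threshold)
}

$recent = @(Get-RecentLockouts -Seconds $WindowSeconds)
if (-not (Test-LockoutBurst -Lockouts $recent -Threshold $Threshold)) {
    Write-Host "$($recent.Count) lockout(s) in the last $WindowSeconds s: below threshold, no capture."
    return
}

# One capture at a time: a second NMCap on the same adapters would only add load.
if (Get-Process -Name 'NMCap' -ErrorAction SilentlyContinue) {
    Write-Host 'NMCap is already capturing; skipping.'
    return
}

# Time-stamped file name, so repeated triggers never overwrite an earlier capture.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$capFile = Join-Path $CaptureDir "lockout-$stamp.cap"
$recent | Format-Table Time, Account, Caller -AutoSize | Out-String | Write-Host

$argList = "/network * /capture /file `"$capFile`" /stopwhen /timeafter $Duration"
Start-Process -FilePath $NMCapPath -ArgumentList $argList
Write-Host "Capture started: $capFile"
```

The Caller column printed before the capture starts is the same "source computer name" the post mentions, so the capture and the lockout burst that triggered it can be matched afterwards.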


Map drive batch file is not running


Hi

I am using a batch file to map a network drive on Server 2008 R2, but it is not running.

When I test the syntax on a desktop, the same syntax runs.

net use n: \\192.168.1.5\test

Any help will be appreciated.


Arvind

Difference Between Service Account and User Account

What is the difference between a service account and a user account?

Software Restriction Policy


Hi,

We have applied Software Restriction Policies in a test lab to restrict unwanted applications from running. We have made exception path and hash rules for genuine applications and software.

We have observed that if the exception list grows large, then we cannot open or change the GPOs and clients also cannot apply the policy. Once we restore it from backup it works fine again.

I wanted to know if there is any limitation on the exception list after which we should consider creating an additional policy.

Thanks

ADDS FSMO AND GLOBAL CATALOG DISAPPEARED AFTER MIGRATION TO 2012 FROM 2003 DC


I have migrated AD and DC/FSMO from my Windows Server 2003 to 2012 Datacenter. I have encountered a few errors along the way but was able to overcome them (by turning on Remote Registry Service) and verify at the end of the migration that my FSMO roles have successfully transferred to new Win Server 2012 AD by running netdom query FSMO. The command returned a success response. I have used the following instructions to migrate DC and FSMO:

http://blogs.technet.com/b/canitpro/archive/2013/05/05/step-by-step-adding-a-windows-server-2012-domain-controller-to-an-existing-windows-2003-network.aspx

And this one to transfer all the FSMO roles and retire the old 2003 box:

https://blogs.technet.com/b/canitpro/archive/2013/05/27/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx

Once I verified that the migration of the FSMO roles and global catalog succeeded, I moved on to migrating Exchange 2003 to 2010. After about 2 weeks, AFTER A REBOOT, my 12 Exchange services do not start and the Exchange server is displaying Kerberos authentication error code 0x80090311. Also it doesn't see the Active Directory server.

I went on the 2012 Active Directory Server (which is a separate server from Exchange) and noticed that FSMO roles and global catalog have disappeared. No connection to global catalog yet I can still log into the domain. What did just happen?

Netdom query FSMO returns: The specified domain either does not exist or could not be contacted. The command failed to complete successfully.

Here are additional errors listed below:

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

---
Active Directory Domain Services was unable to establish a connection with the global catalog.
 
Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
32013c0
 
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

---
This is the replication status for the following directory partition on this directory server.
 
Directory partition:
CN=Configuration,DC=BlaDomain,DC=Blalubber,DC=com
 
This directory server has not received replication information from a number of directory servers within the configured latency interval.
 
Latency Interval (Hours):
24
Number of directory servers in all sites:
1
Number of directory servers in this site:
1
 
The latency interval can be modified with the following registry key.
 
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
 
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

---
The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
 
Attempts:
66
Directory service:
CN=NTDS Settings,CN=VIPMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=BlaDomain,DC=Blalubber,DC=com
Period of time (minutes):
1582
 
The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.
 
Additional Data
Error value:
1908 Could not find the domain controller for this domain.

---
This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
 
 Directory instance: NTDS
 Directory instance LDAP port: 389
 Directory instance SSL port: 636

---

Everything was working just a few weeks ago. What happened? I am confused. Any help is appreciated. Thanks in advance.

DFS-R and NTFS replication issue


Hi

I have 2 DCs which are Windows 2008 R2, and the domain and forest functional level is 2008 R2.

Now I can see the below event IDs in the NTFRS and DFSR events.

I did not find any correct way to resolve this issue and due.

Also the DCDIAG result is fine; there is no error showing in DCDIAG.


Errors:


==============

Ntfrs: Event ID 13575
This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets

======
Event 4004 DFSR error

The DFS Replication service stopped replication on the replicated folder at local path C:\Windows\SYSVOL\domain. 

Additional Information: 
Error: 9226 (Multiple volumes share the same volume serial number which prevents DFSR from finding the right volume) 
Additional context of the error:   
Replicated Folder Name: SYSVOL Share 
Replicated Folder ID: 9C10EBE1-6C1B-475E-B2B8-99D73507B2B1 
Replication Group Name: Domain System Volume 
Replication Group ID: 18774AC2-65DC-4D3F-8D2A-130219DCDC63 
Member ID: 91FA4059-9E14-48F8-8291-1A4293876767

-------------------------------------------------------------------------
Event 5014 DFSR Warning

The DFS Replication service is stopping communication with partner DC20001 for replication group Domain System Volume due to an error. The service will retry the connection periodically. 

Additional Information: 
Error: 9036 (Paused for backup or restore) 
Connection ID: 5B1BC649-69BC-4248-A582-9909C491CED2 
Replication Group ID: 18774AC2-65DC-4D3F-8D2A-130219DCDC63

Please advise and show me the correct path to resolve this issue.

Performance issue with file server which is integrated with RODC 2K8 R2


Dear MS experts

I'm having a problem with a file server which is integrated with an RODC (2K8 R2). It often hangs when accessing the shared folders on the server, twice per day. At the time of the problem, I checked server performance (CPU/RAM/HDD and network). They were all fine.

FYI, HW Specs: IBM x3650 M4, RAM 16GB, HDD 10TB, OS 2K8 R2

I would highly appreciate it if someone could advise me on how to fix this issue. Thanks a lot.


Extract login logoff history information - powershell


I am trying to extract login/logoff history using PowerShell. I tried different scripts and still cannot get the correct information.

I created 10 AD users on the domain controller. They can log in to the client computer. So I want to get their login/logout history from the event log.

This code only exports the login and logout history for the admin account on the domain controller.

# Winlogon logs 7001 (logon) and 7002 (logoff) to the System log of each computer;
# ReplacementStrings[1] of those events holds the user's SID, which is translated to DOMAIN\user.
$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProperty = @{n="Time";e={$_.TimeGenerated}}
# Queried on the local machine only, so run on (or against) each client to see its users' events.
Get-EventLog System -Source Microsoft-Windows-Winlogon | Select $UserProperty,$TypeProperty,$TimeProperty | Export-Csv output.csv

However, I can see the login/logout records in the Event Viewer, but I cannot extract them...

If it still cannot be extracted, I need to set up a logon/logoff script for all AD users. When they log on or off on the client computer, the username and date/time will be recorded into a txt file stored on the domain controller (C:/record.txt).
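One way to collect the logon/logoff history the post asks for without a logon script, as an added PowerShell example that is not from the original post: it reads the Security log of each client (4624/4634/4647), keeps only interactive logons, pairs each logon with its logoff by LogonId, and writes a CSV on the machine running the script. It assumes "Audit Logon" and "Audit Logoff" are enabled on the clients, the account running it can read their Security logs remotely, and the client names are placeholders.

```powershell
# Added example, not from the original post. Assumed: Logon/Logoff auditing is on,
# remote event log access is allowed, and CLIENT01/CLIENT02 are placeholder names.
param(
    [string[]]$ComputerName = @('CLIENT01', 'CLIENT02'),   # placeholder client names
    [int]$Days = 7,
    [string]$OutFile = 'C:\record.csv'
)

# 4624 = successful logon, 4634 = logoff, 4647 = user-initiated logoff.
# Logon types 2 (console), 10 (RDP) and 11 (cached credentials) are the
# interactive ones; type 3 (network) would flood the report with share access.
$interactiveTypes = 2, 10, 11
$filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = (Get-Date).AddDays(-$Days) }

function ConvertTo-LogonRecord {
    param($Event, [string]$Computer)
    $p = $Event.Properties
    # EventData layout: 4624 [5]=TargetUserName [6]=TargetDomainName [7]=TargetLogonId [8]=LogonType
    #                   4634/4647 [1]=TargetUserName [2]=TargetDomainName [3]=TargetLogonId, 4634 [4]=LogonType
    switch ($Event.Id) {
        4624 { $name, $dom, $id, $type = $p[5].Value, $p[6].Value, $p[7].Value, [int]$p[8].Value; $action = 'Logon' }
        4634 { $name, $dom, $id, $type = $p[1].Value, $p[2].Value, $p[3].Value, [int]$p[4].Value; $action = 'Logoff' }
        4647 { $name, $dom, $id, $type = $p[1].Value, $p[2].Value, $p[3].Value, $null;          $action = 'Logoff' }
    }
    # Skip network logons and computer accounts (names ending in '$').
    if ($name -like '*$' -or ($null -ne $type -and $interactiveTypes -notcontains $type)) { return }
    [pscustomobject]@{
        Computer  = $Computer
        Time      = $Event.TimeCreated
        Action    = $action
        User      = "$dom\$name"
        LogonId   = '0x{0:X}' -f [uint64]$id
        LogonType = $type
    }
}

function Get-LogonSessions {
    param([object[]]$Records)
    # Pair each logon with the first logoff that carries the same LogonId on the same computer.
    $Records | Group-Object Computer, LogonId | ForEach-Object {
        $logon  = $_.Group | Where-Object Action -eq 'Logon'  | Sort-Object Time | Select-Object -First 1
        $logoff = $_.Group | Where-Object Action -eq 'Logoff' | Sort-Object Time | Select-Object -First 1
        if ($null -eq $logon) { return }   # logoff whose logon predates the query window
        $logoffTime = if ($logoff) { $logoff.Time } else { $null }   # $null = still logged on
        [pscustomobject]@{
            Computer = $logon.Computer; User = $logon.User; LogonType = $logon.LogonType
            Logon = $logon.Time; Logoff = $logoffTime
        }
    }
}

$records = foreach ($c in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object { ConvertTo-LogonRecord -Event $_ -Computer $c }
    } catch {
        # Unreachable client or no matching events: report it and keep going.
        Write-Warning "${c}: $($_.Exception.Message)"
    }
}
Get-LogonSessions -Records @($records) | Sort-Object Computer, Logon |
    Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Wrote $OutFile"
```

Run it on the domain controller to get the per-user history in one file there; a logoff with an empty Logoff column means the session was still open when the log was read.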

Event ID 1864: repadmin /showrepl is OK but unable to replicate directory partitions

Hi all, I have two domain controllers (W2008 core, running W2008 functional level) in a child domain called test.domain.com; the parent domain is domain.com. About 3 weeks ago, I began receiving the following error (see below for the full error message) on these directory partitions: CN=Configuration,DC=domain,DC=com; CN=Schema,CN=Configuration,DC=domain,DC=com; DC=ForestDnsZones,DC=domain,DC=com; DC=domain,DC=com

When I run repadmin /showrepl on both domain controllers in test.domain.com, it checks back clean. I'm at a loss as to why it's not able to replicate even though repadmin /showrepl is good... any ideas where I can look to resolve this issue?


Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          6/16/2009 3:00:17 PM
Event ID:      1864
Task Category: Replication
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC1
Description:
This is the replication status for the following directory partition on this directory server.
 
Directory partition:
CN=Configuration,DC=domain,DC=com
 
This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals.
 
More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
60
 
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

Trust relationship error on PDC


Hello,

We are getting the error "The security database on the server does not have a computer account for this workstation trust relationship" on our main domain controller.  We have a primary domain controller and also a second domain controller on one domain.  We are unable to logon to the PDC when this is happening and have to do a hard reboot to get it back up.  At the same time our VPN does not roll over to the BDC so we are unable to logon at the time of the error.

We are receiving 5722, 5805 in reference to the BDC on the PDC and we are getting 5783 (in reference to the PDC) and 5719 on the BDC.  We are also getting 7 on the PDC as well mentioning the security account manager failed a KDC request. 

I've been jumping all over the net to find a solution, but it seems they are all in regards to workstations or other servers with the trust relationship error and nothing in regards to this error on a PDC. 

Any help will be greatly appreciated!

Find a tombstone in a large forest


I need some guidance in finding a tombstone in a forest that has 90 domain controllers and 79 sites. Each domain controller is receiving three daily EventID 1864 alerts. One for the domain partition, one for the configuration partition and one for the schema partition. I have checked the replication between all domain controllers using repldiag /CheckForStableReplTopology and it returned No topology errors found.

I created a PS script to go out to the forest and search all DC's for EventID 2042 and it returned nothing. Due to the size of the infrastructure and the fact that they set their tombstone lifetime to 400 days, running any type of query where I can pull GUID's and check DNS, returns literally thousands of entries in the output. I currently have a support case with Microsoft that has been open for nearly two weeks now but we have not found a resolution that wouldn't take countless man hours. I came into this situation recently and was told that this tombstone has been out there for around 4 years. The reason this has come up again is because the client is looking to raise the functional level of their forest from 2003 to 2008. I am doing this for a client, so everything is done remotely, and sometimes very slowly due to the fact that these domain controllers are located all over the world, and sometimes in places that have very bad connectivity.

A few quick questions:

  1. Will they/we be able to raise the functional level of the forest with the tombstone there?
  2. If we can, will this have any impact in the long run, or will it just remain a tombstone until it is found?
  3. If we can't, is there a workaround to get the functional level raised while the tombstone is still there?
  4. Is there any quick way to find either the name, IP address or even the GUID of the device that is causing these EventID's?

Any assistance would be greatly appreciated as I've tried everything I could possibly think of and have been researching and trying different tools for over two weeks now.

Question on ADFS Capabilities


Hi All,

I have a question concerning whether ADFS will work for this situation, or if it is even capable of doing this.

Currently, I have an ADFS 2.0 environment that is only used for O365 authentication for Lync and Exchange. I do a Directory Sync and also run a Hybrid Exchange server for the Exchange migration and admin usage.

We would like to extend the ADFS environment to the claims-aware application side, and the DEV group has created a claims-aware application that successfully authenticates to the test ADFS environment. Therefore we feel we would be able to add this to the existing ADFS environment and it would be able to service both O365 and the application.

We have another forest and domain full of users that we would like to use the current ADFS environment for, as they would be accessing the same claims-aware application, and this is where the problem lies. There is not an ADFS setup in this other forest and domain.

Would we be able to add the second forest to the existing ADFS environment and use it as an attribute store similar to Active Directory? Can this be done through a straight LDAP connection, and will ADFS be able to set up a federation trust to this second forest?

We were trying to avoid having to manage two separate ADFS environments if possible.

If it is possible, is there any documentation or guidance on it? The only thing I could find was adding top-level domain support through a hotfix, but it was directed at O365 specifically.

Thank you in advance
