Channel: Directory Services forum

Unable to alter some user details and password with active directory delegation.


Hi All,

This issue has been hanging around our environment for a while but for the life of me I cannot figure out how to fix it.

Symptoms:

I have a group of users that I have delegated Active Directory administration rights to (create, delete, password reset, etc.) and on the whole it is OK and they have no problem. However, there are certain accounts where, when a delegated user tries to change memberships or reset the password, they get "Access Denied", but if I log on as my domain admin account and copy the user that has the issue, then the delegated user tries editing the account, everything is fine. In addition, the delegated users cannot reset their password or change their own properties but can on the newly created and copied accounts.

I am just at a loss. I have tried re-applying the delegation again and again but it has made no difference. I should also point out that the higher domain admins have no issues.

Any pointers would be greatly appreciated.

Tone..


RoboCopy Ext USB Drive to W2008R2 File Server

Hi All....I tried copying data from an external USB drive to my W2008 server, g:\parent_directory to d:\server_shared\parent_directory. Unfortunately, I picked the "copyall" parameter, which copies over everything (D=Data, A=Attributes, T=Timestamps, S=Security=NTFS ACLs, O=Owner info, U=aUditing info).

When finished, all folders and subfolders had a lock icon and there were "no security" settings assigned. I tried messing around with changing the ownership and security settings but it became a mess. I deleted the parent directory from the server to start over.

Can anyone confirm that I should only use the default parameters, DAT in order to have the data copy over to the server without causing security issues when on the new server location?  Then I can assign access to appropriate domain security groups and then share the folder?
tnx

Authentication failed for ASP.NET membership database used as identity provider


Hi,

I am new to the ADFS area but I have managed to configure ADFS on Windows Server 2012 R2 Standard Edition. I am trying to configure SAML-based authentication for SharePoint 2013. I don't want to use Active Directory but the ASP.NET membership provider database as the authentication provider.

Authentication failed for SQL database users

I get two event IDs in Event Viewer, 364 and 342.

Error details for 364

Exception details: 
Microsoft.IdentityServer.AuthenticationFailedException: test2@test.com-The user name or password is incorrect ---> System.IdentityModel.Tokens.SecurityTokenValidationException: test2@test.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSingOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSsoSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponse(WSFederationSignInContext federationPassiveContext, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.IdentityModel.Tokens.SecurityTokenValidationException: test2@test.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect

Error details for 342:

Token validation failed.  

Additional Data 

Token Type: 
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName 
%Error message: 
test2@test.com-The user name or password is incorrect 

Exception details: 
System.IdentityModel.Tokens.SecurityTokenValidationException: test2@test.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect

I have been struggling with this error for the last 2 days.

thanks

alex


Kerberos Keytab File


Hi,

We have a Java-based application which is required to be authenticated using Active Directory. We have got the requirement from the application team to generate a keytab file for the server principal name, which should be mapped to a domain user account.

I am not very aware of why keytab files are used and what these files do. Also I am not aware of the security implications if this file is compromised.

Also they were asking for the KVNO of the user account. I understand what KVNOs are and how they are changed, but how can I check the KVNO for the user account in the AD database?
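A keytab holds, for each principal, the realm and name, the key version number and the long-term key derived from the mapped account's password, so whoever holds the file holds the equivalent of that account's password, and the file's KVNO must match the account's current msDS-KeyVersionNumber or tickets stop validating. Added example, not from the post: a Python parser for the version-2 keytab layout that reports principal, KVNO and encryption type without retaining the key bytes, plus a check of the file's KVNO against values read from AD (passed in as a dict here). The builder, the sample principal and the key bytes are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

MAGIC = b"\x05\x02"  # version-2 keytab; every integer is big-endian

@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/maximoserver@MYDOMAIN.COM
    name_type: int   # 1 == KRB5_NT_PRINCIPAL (the ktpass -ptype above)
    timestamp: int
    kvno: int
    enctype: int     # 18 == aes256-cts-hmac-sha1-96, 23 == rc4-hmac
    key_len: int     # the key bytes themselves are deliberately not kept

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b  # uint16 length + bytes

def build_keytab(entries) -> bytes:
    """entries: (principal, name_type, timestamp, kvno, enctype, key) tuples."""
    out = bytearray(MAGIC)
    for principal, name_type, ts, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    def take(fmt):                  # unpack fmt at pos and advance past it
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    def counted() -> bytes:
        nonlocal pos
        (n,) = take(">H")
        pos += n
        return data[pos - n:pos]
    while pos + 4 <= len(data):
        (size,) = take(">i")
        if size <= 0:               # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = take(">H")
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, ts, kvno = take(">IIB")
        (enctype,) = take(">H")
        key = counted()
        if end - pos >= 4:          # non-zero 32-bit vno overrides the 8-bit one
            kvno = take(">I")[0] or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, ts, kvno, enctype, len(key)))
        pos = end
    return entries

def kvno_mismatches(entries: List[KeytabEntry], ad_kvno: Dict[str, int]) -> List[str]:
    """Principals whose file KVNO differs from AD's msDS-KeyVersionNumber (read separately)."""
    return [e.principal for e in entries if e.principal in ad_kvno and ad_kvno[e.principal] != e.kvno]

# Constructed sample: kvno 3, AES256 (enctype 18); the key bytes are a placeholder.
SAMPLE_KEYTAB = build_keytab([("HTTP/maximoserver@MYDOMAIN.COM", 1, 1404396000, 3, 18, b"\x11" * 32)])
```

A KVNO mismatch means the mapped account's password was changed (for example by ktpass being run again) after the file was issued, and the file has to be regenerated.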

ADUC Creates Home Directory with Local Administrator's granted permissions


Hello,

When I create a user's home directory by using ADUC (adding the path in the profile tab), the resulting directory on my NetApp filer has the NetApp's local Administrators group with full access.

If I browse to the share and create a new folder this does not happen; the local Administrators group is not added.

Why does ADUC add the system's local Administrators group, and can this behavior be changed?

Much Thanks,

Doug

DC - refuses administrator log on


History: I migrated a 2003 domain to 2012 R2 (2 DCs), now native. All was OK until my 1st reboot of the 2nd DC. It lost its ability to communicate w/the domain. I've demoted/removed it and am now on 1 DC until I can do some more testing. DNS is now clean and dcdiag gives a clean bill. This has been running without issues for several weeks.

This AM I get a call and users cannot log into the terminal server.  I reboot it, but the problem persists.  I then try to log onto the DC.  I get a login error, the DC doesn't recognize administrator or the regular domain admin account I typically use.  I'm forced to do a power button shutdown and restart.  After restart I can log in and everything appears to be good.

A review of the event logs shows that @ 4:30PM yesterday the scheduled backup (Win Backup) occurred successfully. Then shortly after 5PM the system logs event 5823 (NETLOGON: "The system successfully changed its password on the domain controller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.").

Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

Can anyone shed some light on what possibly happened?  Did the automatic change of the system password break AD because I only have 1 DC?

SPN


Hi everyone,

I am not a Maximo Person.

My organization uses Maximo 7.5.0.3. They use SSO as well as authentication from their Maximo.
I have a Windows domain; the forest and domain functional level is Windows 2003. If I change the domain and forest functional level to Windows 2008, will it affect their application?

I remember I have used the below command to generate a key (SPN) for them:
ktpass -out appsrv.keytab -princ HTTP/maximoserver@mydomain.com -mapuser maximouser -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL

Does changing the forest and domain functional level on my domain controller affect their application?

Attempting to join Win8 client to 2k12R2 domain - Repeated "The target account name is incorrect" messages


I have a machine that was incorrectly moved from a domain to a workgroup. I'm now trying to get it back into the domain but am unable to join. Every time I try to change back to "<mydomain>.com" I get prompted for username/pw and then after about 3-10 seconds I get an error message with the detail "The target account name is incorrect".

Domain has 4 DNS servers and 3 AD DCs. 

ipconfig /all from the client machine is:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : <mydomain>.com
   Description . . . . . . . . . . . : Intel(R) Gigabit CT Desktop Adapter
   Physical Address. . . . . . . . . : 00-1B-21-A8-06-8E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.189(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, July 3, 2014 10:58:22 AM
   Lease Expires . . . . . . . . . . : Thursday, July 3, 2014 11:58:22 AM
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.3
   DNS Servers . . . . . . . . . . . : 10.0.0.3
                                       10.0.0.4
                                       10.0.0.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

I found the machine accounts for this machine name and deleted them. I also confirmed all clocks are in sync across all DCs. Checked DNS records and found 4 with "Same Name as Parent Folder" NS pointing to my 4 DNS hosts. There is only one SOA "Same Name as Parent Folder" record and that points to the hostname for the machine with IP 10.0.0.3.

On that machine, the ipconfig is:

  Link-local IPv6 Address . . . . . : fe80::486c:ca3d:20a2:1f45%12(Preferred)
  IPv4 Address. . . . . . . . . . . : 10.0.0.3(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 10.0.0.1
  DHCPv6 IAID . . . . . . . . . . . : 301995357
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-E9-BA-BC-00-15-5D-00-0D-04

  DNS Servers . . . . . . . . . . . : ::1
  NetBIOS over Tcpip. . . . . . . . : Enabled

Nothing is working? Any ideas? How can I get this machine back on the domain? 


How to upgrade Domain - 2003 to 2012 R2 - task sequence


Could someone please sanity check this task sequence? I need to upgrade a 2003 domain to 2012 R2 and would appreciate a second set of eyes. thx.

Goal:

1. standup two new 2012 R2 DCs

2. decomm three old DCs

3. raise DFL/FFL to 2012 R2

Current DFL/FFL = 2003 (one site, one domain, 3 DCs, 400 users)

3 Existing DCs (all to be decommed):

  OldDC1 = Svr2003 Std Ed SP2 x64 (holds all FSMO roles, GC=yes)
  OldDC2 = Svr2003 Ent Ed SP1 x86 (holds no FSMO roles, GC=yes)
  OldDC3 = Svr2003 Std Ed SP2 x64 (holds no FSMO roles, GC=no)

New DCs to be added:

  NewDC1 Svr2012 R2
  NewDC2 Svr2012 R2

Proposed task sequence:

* build and patch OS, then add ADDS role to NewDC1 and NewDC2 (do not yet add servers to existing domain)

* in the network config of new DCs, set the DNS server IP to the IP of OldDC1

* when installing ADDS, I will be prompted to run Adprep.exe - it will be run as part of installing ADDS - this will update existing domain schema as needed.

* add NewDC1 and NewDC2 to existing domain

* in the network config of the new DCs, set the DNS server IP to that of the local server

* make both GCs, make both DNS servers

* distribute FSMO roles thusly:

  * DC1 = PDCE, RID (more frequently used roles)

  * DC2 = SM, DNM, IM (rarely used roles)

* run dcdiag.exe commands to verify functionality

* power off OldDCs one at a time, waiting 24 hours between each shut down

* raise DFL/FFL to 2012 R2 after all old DCs are decommed


_msdcs Question


We have a 2008 R2 and our new 2012 PDC that we just added yesterday. When I look under the _msdcs folder in DNS it is greyed out, with an old server that is no longer in use as the only entry. Is this entry safe to delete? What exactly does this folder do?

How to config Site-Links with 3 Sites


Hello,

We have 3 sites (eg. A, B, C) which I'm told can all connect/talk to the others from a physical network perspective.

So is the site-link config for these sites as follows?

1. A-B

2. A-C

3. B-C


Thanks for your help! SdeDot

How to change default DC that AD snap-in connects to


I installed RSAT tools on a Windows 7 VM. Every time I open Active Directory it connects to the DC that is geographically the farthest away -- across the country!!! MAKES SOOOOOOOOO MUCH SENSE. How can I configure the snap-in to connect to something more practical? Like the DC on the same network as the RSAT management computer?? Getting livid by the fact I need to google simple things like this lately...........

OK. I reluctantly went to GOOGLE again and found this: http://support.microsoft.com/kb/214676.

;adlkjfalkdjfkqa;lgakfnddk,mv asgvz

sd'fgfsd;g nslrdkjgnlskfjdbz 'fd

vsdf

 

sdf sdf sdf;gb s

df

AHHHHHHHHHHHHHHHHhhh!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 


ISSUE: "This domain controller must register a DNS SRV resource record, which is required for replication to function correctly"


So we currently have three domain controllers set up, two of them on 2012 R2 and one of them on 2008 R2. Prior to any of these domain controllers being added to the domain there was only one, running on 2003 R2. The 2003 R2 server was up and running when the first 2012 R2 was added, and that's when running 'dcdiag /e /c /v' would yield an issue with "_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local" in the DNS portion of the diagnostics, specifically:

               TEST: Records registration (RReg)
                  Network Adapter [00000010] Microsoft Hyper-V Network Adapter:
                     Error:
                     Missing SRV record at DNS server 192.168.22.4:
                     _ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local

After adding the second 2012 R2 to the domain, this issue is still there... Adding the 2008 R2 server to the domain and running BPA gives the following:

Title:
This domain controller must register a DNS SRV resource record, which is required for replication to function correctly

Severity:
Error

Date:
7/3/2014 11:24:48 AM

Category:
Configuration

Issue:
The "DcByGuid" DNS service (SRV) resource record that advertises this server as an available domain controller in the domain and ensures correct replication is not registered. All domain controllers (but not RODCs) in the domain must register this record.

Impact:
Other member computers and domain controllers in the domain or forest will not be able to locate this domain controller. This domain controller will not be able to provide a full suite of services.

Resolution:
Ensure that "DcByGuid" is not configured in the "DnsAvoidRegisteredRecords" list, either through Group Policy or through the registry. Restart the Netlogon service. Verify that the DNS service (SRV) resource record "_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.chiefmedia.local", pointing to the local domain controller "CM-DC4-NY01.cmedia.local", is registered in DNS.

More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=126968

I've tried scanning and then re-scanning every single entry in DNS Manager and do not see any reference to this specific GUID, nor do I see any other domain controllers referenced that should not be in there. The two 2012 R2 and the 2008 R2 domain controllers are the only ones listed in DNS Manager... the 2003 R2 mentioned earlier failed and was removed.

Unable to run fixfsmo.vbs


I am unable to remove a dc from a child domain in AD as I am getting this error:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=child,DC=parent,DC=root,DC=com to
Active Directory Domain Controller \\servername

"The naming context could not be found."

I have followed the instructions in this article (http://blogs.technet.com/b/the_9z_by_chris_davis/archive/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read.aspx) and sure enough there is an old decommissioned server listed as the FSMO owner of DomainDnsZones. So I am trying to run the fixfsmo.vbs script to fix this. However, I cannot get it to run. Every time I get the error:

C:\fixfsmo.vbs(19, 5) (null): The specified domain either does not exist or could not be contacted.

I am currently logged on to the infrastructure master for this domain and I am using the syntax: cscript fixfsmo.vbs dc=domaindnszones,dc=domain,dc=parent,dc=root,dc=com

I am able to browse this partition in both ADSI Edit and DNS so I am completely stuck as to why it is unable to see the domain. I have tried logging on as a domain admin in the child domain and an enterprise admin from the root domain but neither seems to work.


Any help would be appreciated!

Modify application partition object (root) in ADLDS


I am not able to modify the application partition (root object) in an AD LDS instance.

In our directory we need one objectClass and its attributes on the application partition (root) object. When I try to add this objectClass (simple modify command) it throws an error (code 65, objectClass violation); the same class was added in the old directory (Sun ONE Directory Server).

The required objectClass and its attributes are available in the AD LDS schema. Here is the modify operation:

dn: O=Company.com
changetype: modify
add: objectClass
objectClass: xyzObjectClasss
-


AD Migration Question


We are in the process of migrating/consolidating 14 forests into one forest. These 14 forests are the result of acquisitions, and below is the high-level plan I am articulating before using ADMT to do the actual migration.

<assumption>: I am aware of the site structure of the 14 forests

a) select a parent forest (eg: xyz.com) for consolidation/migration

b) plan the namespace carefully for all the 14 forests

c) I would either create a new domain for the 14 forests (depends on the customer's need for data isolation) or I would install domain controllers in those 14 forest sites and use the xyz.com namespace.

d) after step 3 I will have xyz.com domain controllers in all 14 forests and will establish external trusts between the 14 forests and the xyz.com forest and migrate accounts/groups using ADMT or the Quest tool

e) Most customer applications/servers (eg: Citrix/VMware) which are using the previous namespace will have to be reconfigured/rejoined to the new namespace

f) demote the FSMO roles/entire Active Directory infrastructure of the 14 forests

g) test

Any comments/suggestions/advice on the above approach will be greatly appreciated :)

DNS suddenly fails to look up a Host name that is resolved through a Forwarder


We are having issues where our DC is intermittently not able to resolve an external host record which is normally resolved through a forwarder configured on the DC. It keeps failing for about 15 mins and then works fine after that.

Could anyone please shed light on what could be causing this issue and how to get it fixed?




2012 R2 RODC in Windows Server 2003 environment


Hi,

Is it possible to introduce a Windows Server 2012 R2 RODC into a Windows Server 2003 environment? All DCs are Windows Server 2003 R2 SP2 and the FFL and DFL are 2003.

I know it is possible to prepare the 2003 forest/domain, introduce a Windows Server 2008 R2 writable DC and then install an RODC.

My question is, can this process apply to Server 2012 R2?

So can I prepare the 2003 Schema Master with the 2012 R2 ADPREP command, install a writable 2012 R2 DC and then a 2012 R2 RODC?

I'm guessing it's possible, but would it be supported?

Any help is appreciated.


User Account Deleted event ID concern


It is my understanding that when a user account is deleted in AD an event should be generated with ID 4726 (assuming you have auditing enabled); however, in my company this does not appear to be the case, and I'm wondering why. I just tested this after being unable to track down a user deletion earlier. When I delete a user account, the only event generated is 5141 (Directory Service Change). Am I missing something here? I have "Audit Account Management" set to success and failure. Everywhere I read online tells me a 4726 event should be generated but it is not.

Any help is greatly appreciated.

how to audit what was done in AD?


If a user modifies an object in AD, how do you audit that? We had some computer accounts deleted and no one will admit to it, so I want to know in the future how to prove who did this.


mqh7
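Added example, not from either post above: Python detection logic run over constructed Security-log XML (the shape wevtutil exports) that extracts deletion events, reports who deleted a given object, and flags 5141 deletions whose Account Management counterpart never appears, which is the symptom described in the "User Account Deleted" post. It goes beyond the posts in also handling 4743, the ID logged for computer-account deletions, which is what the "how to audit" post is actually chasing; the domain, account names and DNs in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 4726/4743 come from the Account Management subcategories; 5141 comes from
# Directory Service Changes and is only logged when the OU carries a SACL.
DELETE_EVENTS = {4726: "user", 4743: "computer", 5141: None}  # None: class is in the event
NEEDS = {"user": 4726, "computer": 4743}  # the Account Management ID each class should also log

@dataclass
class Deletion:
    event_id: int
    when: str
    actor: str        # DOMAIN\user that performed the deletion
    target: str       # sAMAccountName (4726/4743) or object DN (5141)
    object_class: str

def parse_deletions(xml_text: str) -> List[Deletion]:
    """Pull every account/object deletion out of exported Security-log XML."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in DELETE_EVENTS:
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime", "")
        d = {x.get("Name"): (x.text or "") for x in ev.findall("e:EventData/e:Data", NS)}
        actor = f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}"
        if eid == 5141:
            out.append(Deletion(eid, when, actor, d.get("ObjectDN", ""), d.get("ObjectClass", "")))
        else:
            out.append(Deletion(eid, when, actor, d.get("TargetUserName", ""), DELETE_EVENTS[eid]))
    return out

def who_deleted(deletions: List[Deletion], name: str) -> List[str]:
    """Actors that deleted an object whose name or DN contains name (case-insensitive)."""
    n = name.lower()
    return sorted({d.actor for d in deletions if n in d.target.lower()})

def account_management_gap(deletions: List[Deletion]) -> List[str]:
    """DNs deleted per 5141 whose class should also have produced 4726/4743, but that
    ID never appears: the symptom of Account Management auditing not being effective."""
    seen = {d.event_id for d in deletions}
    return [d.target for d in deletions
            if d.event_id == 5141 and NEEDS.get(d.object_class) not in (None, *seen)]

# Constructed sample: a logon (ignored), a computer deletion seen as both 5141 and
# 4743, and a user deletion seen only as 5141 (no 4726 was logged).
E = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
SAMPLE_XML = f"""<Events>
<Event {E}><System><EventID>4624</EventID><TimeCreated SystemTime="2014-07-03T09:00:00Z"/></System>
 <EventData><Data Name="TargetUserName">jdoe</Data></EventData></Event>
<Event {E}><System><EventID>5141</EventID><TimeCreated SystemTime="2014-07-03T09:05:10Z"/></System>
 <EventData><Data Name="SubjectUserName">helpdesk1</Data><Data Name="SubjectDomainName">CORP</Data>
 <Data Name="ObjectDN">CN=WS-0042,OU=Workstations,DC=corp,DC=example</Data>
 <Data Name="ObjectClass">computer</Data></EventData></Event>
<Event {E}><System><EventID>4743</EventID><TimeCreated SystemTime="2014-07-03T09:05:10Z"/></System>
 <EventData><Data Name="SubjectUserName">helpdesk1</Data><Data Name="SubjectDomainName">CORP</Data>
 <Data Name="TargetUserName">WS-0042$</Data></EventData></Event>
<Event {E}><System><EventID>5141</EventID><TimeCreated SystemTime="2014-07-03T11:42:00Z"/></System>
 <EventData><Data Name="SubjectUserName">admin2</Data><Data Name="SubjectDomainName">CORP</Data>
 <Data Name="ObjectDN">CN=Jane Doe,OU=Staff,DC=corp,DC=example</Data>
 <Data Name="ObjectClass">user</Data></EventData></Event>
</Events>"""
```

Without a SACL on the OU no 5141 is written at all, and the Account Management IDs only appear when the matching subcategory (User or Computer Account Management) is enabled, so an empty result from either function is itself a finding about the audit configuration rather than proof that nothing was deleted.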
