Quantcast
Channel: Directory Services forum
Viewing all 31638 articles
Browse latest View live

Remote WMI using Non Admin credentials not working.

July 9, 2014, 6:59 am
$
0
0

ComputerA and ComputerB is part of my domain. ComputerA's logged on User is Alice and ComputerB's logged on User is Bob. I am using the following script from here to get process information of ComputerB form ComputerA.

strComputer = "ComputerB" 
strDomain = "DOMAIN" 
strUser = "Bob" 
strPassword = "dummyPassword"

Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objSWbemLocator.ConnectServer(strComputer, _"root\cimv2", _
     strUser, _
     strPassword, _"MS_409", _"ntlmdomain:" + strDomain)
Set colSwbemObjectSet = _
    objSWbemServices.ExecQuery("Select * From Win32_Process")
For Each objProcess in colSWbemObjectSet
    Wscript.Echo "Process Name: " & objProcess.Name 
Next

I am getting access denied error with the error code '0x80070005'. When I use my domain administrator credentials as strUser and strPassword it works fine. But I want to run it from non admin user. I have set appropriate permissions for DCOM in both the machines,and for WMI through the WMI control in AD for both Users as mentioned here.

A thing is when i ran the script in the Admin user account in the AD with strUser and strPassword as Bob's credentials it works fine. But in Alice machine Bob's credentials not working and Administrator credentials works fine.

What am I missing?


Search

Event ID 2843 and 1435 with The Knowledge Consistency Checker

July 9, 2014, 7:17 am
$
0
0

Dears,

 If I test replication to read-only domain controller , it shows me successful but after every 15 minutes I can see that 2 events are being logged in Directory Service Logs

 Event ID :  2843 with error

 The Knowledge Consistency Checker was unable to locate a replication connection for the read-only local directory service. A replication connection with the following option must exist in the forest for correct FRS system behavior.

Additional Data

Option:

64

User Action

Restore the original replication connection for the local directory service instance on a writable directory service instance.

Event ID : 1435 with warning

The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.

Operation type:

KccSearch

Object distinguished name:

The operation will be retried at the next KCC interval.

Additional Data

Error value:

0 No Error.

Internal ID:

f04079c

but it seems I have problem with Group policies on client.any idea to solve this issue.

Usman Ghani - MCITP Exchange 2010

Modify application partition object (root) in ADLDS

June 27, 2014, 3:05 am
$
0
0

I am not able to modify application partition (root object) in ADLDS instance.

In our directory we need one objectClass and its attributes in application partition (root) object.  When I try to add this objectClass (simple modify command) it is throwing an error (Code 65-ObjectClasss violation), the same class was added in old directory (Sun ONE Directory Server).

The require objectClass and its attributes are available in ADLDS schema. Here are modify operation:

dn: O=Company.com
changetype: modify
add: objectClass
objectClass: xyzObjectClasss
-

"The trust relationship between this workstation and the primary domain failed"

March 1, 2012, 2:21 am
$
0
0

I have one DC with Windows server 2008 R2 name abc.com

and one of my Domain Member 2008R2 name Client1.abc.com is connected to this domain, when i tried to login on thatClient1.abc.com with this credential abc.com\administrator

 i get the following error "The trust relationship between this workstation and the primary domain failed" ,i cannot rejoin this machine on this domain because of this machine is Sharepoint hosted server, so what will the good solution for this please help me 

Sanjibk MCSE

AD FS Windows 2012 R2: adfssrv hangs in starting mode

October 17, 2013, 6:52 am
$
0
0

Does anyone has the same issue. Installed and configured ADFS with service account. After a server reboot service cannot start anymore and it always stay in "starting" state.

Unfortunately nothing in a log and no Windows Updates for 2012 R2 yet... many holes like Swiss cheese.

Thanks!

Difficulty delegating account unlock rights to users in a trusted domain

July 9, 2014, 9:00 am
$
0
0

I am trying to delegate rights to unlock accounts in domainA to users in domainB. For some reason, domainB cannot see that the users have been granted rights, and we're getting access denied errors when users in domainB attempt to unlock accounts in domainA.

Configuration is as follows:

  • domainA has an OU called Account Resources.
  • I've delegated Read All Properties, Write Lockout Time and Read/Write User Account Control rights for the OU Account Resources to a Domain Local group named domainA\OU-Account Resources_LoginAssist.
  • User domainB\helpdesk is a member of domainA\OU-Account Resources_loginAssist

Symptoms:

  • Checking effective permissions of a user in domainA while logged in to domainA shows that the user domainB\helpdesk has all of the delegated permissions, and should be able to unlock accounts successfully.
  • Checking effective permissions of a user in domainA while logged into domainB shows that the user domainB\helpdeskdoes not have the delegated permissions, and should not be able to unlock accounts.
  • Actually attempting to unlock an account under the delegated OU while logged in as user domainb\helpdesk fails.

Notes:

  • I've tested this scenario in a lab environment and the delegation works as expected.
  • Delegating access directly to domainb\helpdesk appears to work as expected.
  • The configuration had been working for a period of time. It stopped working at some point over the last week.
  • Similar delegation from a second domain seems to have failed at the same time.

NTDS Replication - Active Directory encountered a write conflict

July 9, 2014, 1:06 pm
$
0
0 
HI,
Active Directory encountered a write conflict when applying replicated changes to the following object. 
Object: 
CN=Administrator,OU=Admin,OU=CGL,DC=cgl,DC=local

This seemed to have started when the Administrator Account got locked out some how, it has since been unlocked and hasn't been locked again since.

I have moved the Administrator to a different OU and run repadmin /syncall which seemed successful but shortly afterwards the error logs started appearing again.

I run Ldp.exe and searched under the OU Admin to see if there were duplicate records but only one was found.

Has anyone got any other suggestions? I've tried all the solutions and rebooted the server but still I get the attached in my event viewer... any other ideas anyone? Thanks

Thanks
Hakan

Good luck everyone.

corrupted database the reason the index

July 9, 2014, 4:41 pm
$
0
0

Hi there 

Due to sudden power outage I got my AD database corrupted, I am running DC on win server 2012 

and this is what contained in the log file 

Log Name:      Directory Service
Source:        NTDS ISAM
Date:          7/9/2014 4:12:01 PM
Event ID:      467
Task Category: Database Corruption
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC
Description:
NTDS (556) NTDSA: Database C:\Windows\NTDS\ntds.dit: Index INDEX_00020078 of table datatable is corrupted (0).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NTDS ISAM" />
    <EventID Qualifiers="0">467</EventID>
    <Level>2</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-07-09T23:12:01.000000000Z" />
    <EventRecordID>3204</EventRecordID>
    <Channel>Directory Service</Channel>
    <Computer>DC.training.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>NTDS</Data>
    <Data>556</Data>
    <Data>NTDSA: </Data>
    <Data>INDEX_00020078</Data>
    <Data>datatable</Data>
    <Data>C:\Windows\NTDS\ntds.dit</Data>
    <Data>0</Data>
  </EventData>
</Event>

Search

Hi, Can we use DBCS like chinese character in HOSTNAME.

July 4, 2014, 12:39 am
$
0
0
Can We use DBCS characters like Chinese characters in HOSTNAME

Port opening for Workplace Join on Windows Server 2012 R2

July 4, 2014, 7:33 am
$
0
0

Hello,

I have a adfs server, web server setup for testing workplace join on windows server 2012 R2.

Which are the ports to be enabled between client machine and the web server to test the feature?. And if at all any port between client and adfs server?

Thanks,

Nishanth

Verify ForestPrep, Domainprep & Rodcprep result-Powershell

February 24, 2014, 3:16 am

Group Policy

July 9, 2014, 9:56 pm
$
0
0

hi,

The scenerio is like i am having the 65 server and all are running windows server 2008 R2, my DC and ADC both are virtual machines. Now i need to implement the group policy to disable the storage device connected to the domain computers.

Please let's give and additional information if i need to allow only one port on one pc.

Regards, Ravi Kumar

LDAP query to port 389 failed

July 10, 2014, 12:57 am
$
0
0

Hi all,

I have a total of 3 DC in my environment. Replication from DC1(Server 2003) to DC2(Server 2003) no problem. But from DC1 to DC3(Server 2008 r2) i am facing some problem.

I did some network test using portqry(DC1 to DC3) and found out that this port UDP 389 is not working on DC3.

Error msg: LDAP query to port 389 failed. Server did not respond to LDAP query.

My network engineer has confirm that no firewall rules is blocking this port. Windows firewall is also disable.

Other ports that is relevant to AD replication is working fine.

I also did a portqry locally on DC3 and got a successful LDAP response.

May i know what other possibility can cause this port to fail?

Thanks you

Certificate Authority w/ NDES-SCEP

June 16, 2011, 9:55 am
$
0
0

Hello,

I am embarking on a project that I would like to get some feedback on.

We are in the process of implementing iPhones into our network. The iPhone is going to run a VPN. Most likely, we will run the Anyconnect VPN client. I have this and it is working fine.

However, we have to manually connect to the VPN, put in the domain password, and connect before we can check our email. This is cumbersome. So, I am trying to use certificate based authentication and the iPhones “connect on demand” feature.

I have read about a number of people using a Windows Server and running Certificate Services & Network Device Enrollment Service. This uses a protocol called SCEP – Simple Certificate Enrollment Protocol. The idea is that the iPhone would be issued a certificate by the windows server. Then, when it went to connect to the VPN, it would present the certificate as credentials to the ASA. The ASA would send the certificate to the windows server and the windows server would tell the ASA if it’s good. If the windows server said it was good, the ASA would then allow the VPN to connect.

I have the Certificate Authority (windows server 2008 R2) installed and running. However, I am encountering some trouble getting the iPhone to get the certificate from it.

I have read a number of white papers and forum postings from Microsoft, Cisco, and Apple. Some indications are that it’s feasible, but I am crossing a lot of technologies that are new to me and I am not sure if I am working uphill or what.

My questions are…

1). Is this is known configuration? Have you seen this configuration before? Was it successful?

2). Does this sound feasible? Is there a more feasible way to provide VPN connectivity? The goal is to open the VPN from the phone when they open the email application, without having any user interaction.

3). Within the Microsoft Certificate Services server, am I going to be able to manage the certificates individually and identify jim’s certificate separate from sally’s certificate? Or, sally’s iphone certificate separately from sally’s ipad certificate? Also, what is made to prevent anyone from enrolling a device with the server?

4). Do you know of any good documentation on this? I have read a number of articles and white papers. But, for some reason, there still seems to be something lacking. Seems like all the established documentation only addresses one aspect of this.

At any rate, any comments or suggestions in regards to the above would be much appreciated. I appreciate that this is a Microsoft forum. So, I don't expect much commentary in regards to the Cisco / Apple side of this. But, whatever you can conribute from the windows server perspective would be great.

 

UserAccountControl flag now set as 544

February 4, 2011, 2:06 pm
$
0
0

Whilst fixing another problem today I have started to notice that the UserAccountControl flag on 4 or 5 user accounts have changed from being 512 to 544 (PASSWD_NOTREQD).  I have 2 questions:

1) How has the flag set itself to 544?

2) Is this anything to be concerned about?

Cheers

Adam.

Search

Zone transfers for _site, _tcp, etc. on Server 2012

July 8, 2014, 9:45 am
$
0
0

In our corp, we use BIND for DNS and make things work by having zone transfers set up for the top level forward lookup zones in Server 2008, as follows:

Windows Server 2008

  • Forward Lookup Zones
  • * _msdcs
  • * _sites
  • * _tcp
  • * _udp
  • * DomainDNSZones

Server 2012 organizes things as follows, with _sites, _tcp, etc. being subdomains of the AD domain root:

Windows Server 2012 R2

  • Forward Lookup Zones
  • * _msdcs
  • * domain.example.com
  • ** _sites
  • ** _tcp
  • ** _udp
  • ** DomainDNSZones
  • ** ForestDnsZones

Zone transfers work fine at the top level, but we would like to not transfer the entire domain root, just the services. I have tried deleting/recreating, etc., but I can't figure out an option. Is this still possible and how might we do it?

Thanks.

Secondary Server 2012 R2 DC missing SYSVOL and NETLOGON

July 10, 2014, 11:38 am
$
0
0

We are supporting a small office with an existing Server 2012 Standard DC.  Yesterday I installed a secondary Server 2012 R2 and configured it as a secondary DC.  The promotion went fine without any errors; however after the reboot the SYSVOL and NETLOGON shares do not appear.  The DFS Replication event logs show the following after rebooting both servers:

The DFS Replication service successfully established an inbound connection with partner HCAPSRVR2 for replication group Domain System Volume.
 
Additional Information:
Connection Address Used: HCAPSRVR2.DC.HCAPSRVR2
Connection ID: 6257418B-2FEC-43BA-A9B2-DF16376C1486
Replication Group ID: 001EB651-3C9A-48B6-83EC-51672C075199

This event was logged last night and nothing has shown up since then.  I ran a dcdiag on the new DC and it shows this:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = HCAPSRVR3

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\HCAPSRVR3

      Starting test: Connectivity

         ......................... HCAPSRVR3 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\HCAPSRVR3

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\HCAPSRVR2.DC.HCAPSRVR2, when we were trying to reach HCAPSRVR3.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... HCAPSRVR3 failed test Advertising

      Starting test: FrsEvent

         ......................... HCAPSRVR3 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... HCAPSRVR3 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... HCAPSRVR3 passed test SysVolCheck

      Starting test: KccEvent

         ......................... HCAPSRVR3 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... HCAPSRVR3 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... HCAPSRVR3 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... HCAPSRVR3 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\HCAPSRVR3\netlogon)

         [HCAPSRVR3] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... HCAPSRVR3 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... HCAPSRVR3 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,HCAPSRVR3] DsReplicaGetInfo(PENDING_OPS, NULL)

         failed, error 0x2105 "Replication access was denied."

         ......................... HCAPSRVR3 failed test Replications

      Starting test: RidManager

         ......................... HCAPSRVR3 passed test RidManager

      Starting test: Services

            Could not open NTDS Service on HCAPSRVR3, error 0x5

            "Access is denied."

         ......................... HCAPSRVR3 failed test Services

      Starting test: SystemLog

         ......................... HCAPSRVR3 passed test SystemLog

      Starting test: VerifyReferences

         ......................... HCAPSRVR3 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

Yesterday I demoted the DC and then tried to promote it again, same result.  I also tried going into adsiedit and following these steps:

http://kpytko.pl/2013/12/12/non-authoritative-sysvol-restore-dfs-r/

  Any pointers would be greatly appreciated. 

K Haroldsen

Upgrade Windows Server 2003 standard sp2 File and Print server to Windows server 2008

July 6, 2014, 3:29 pm
$
0
0
I have a windows 2003 sp2 as a File and Print server.  and I would like to upgrade this server to windows 2008 (32 bit).  Will all the permission and printer be unchanged after the upgrade?  Please help me the steps to perform this task. 

Windows Server 2008 R2 AD Recycle Bin and Active Directory Administrative Center

February 28, 2012, 9:08 am
$
0
0

I've read in multiple posts that when you enable the Windows Server 2008 R2 Active Directory Recycle Bin, that the "Deleted Objects" container will show up in Active Directory Administrative Center.  I followed the proceedure to enable the recycle bin, and I can verify that it is indeed enabled, but I do not see the "Deleted Objects" container in the AD Administrative Center application.

Can anyone assist with getting that to show up?

Thanks

One way AD replication

July 10, 2014, 8:23 am
$
0
0

I need to set up a test environment within an existing AD infrastructure. I want my test DC to replicate data from other domain controllers but never to sync any changes with the remaining servers. I will be testing some GPOs and they may mess up my domain if they replicate to the AD. 

Does any one know a way to do it? I will be modifying some general GPOs and a separate GP OU will not allow me to test all the solutions I want to.

Viewing all 31638 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>