Channel: Directory Services forum
Create a new domain tree root

I need to add a new domain to my existing forest. My current forest and the domain controllers are Win 2003. However, the new domain server that I wish to join is Win 2008 R2.

When I run Dcpromo on the Win 2008 R2 server and select the options below:

1. Create a new domain in an existing forest.

2. Create a new domain tree root instead of new child domain.

I am prompted to select the domain functional level. Now my questions are:

1. Can I select Win 2008 R2 and continue?

2. Is this the right way to add an additional domain, or do I need to migrate from Win 2003 AD to Win 2008 AD first?


Limit server notifications to Create/Update/Delete users only (using control LDAP_SERVER_NOTIFICATION_OID - 1.2.840.113556.1.4.528)

We are developing an Active Directory LDAP client in Java.

We are using LDAP_SERVER_NOTIFICATION_OID (1.2.840.113556.1.4.528) control for receiving notification from Active Directory server, and we are successfully receiving and processing these notifications.

But the problem is that the AD server sends notifications for events other than user creation/update/deletion as well.

e.g., when an Admin user logs on to the AD server, we receive a notification (with uSNChanged not updated).

Is there any option, control or configuration which can help us in limiting the server notifications to only user creation/update/deletion?

Kamal Singh Negi



Handle Count Larger Than 10,000

We recently had an ADRaaS run in our environment; some of our domain controllers have been reported to have a "Handle Count Larger Than 10,000". What does this mean, and what is the impact of this value being at 10k? What is the recommended value?

Why do I see replication latency of several days despite there being no replication errors?

Hello All,

Why is repadmin /showvector /latency showing latency of several days for the root domain partition to child domain controllers outside the main site?

Repadmin /replsummary * shows 0 errors and all deltas within 30 minutes. Inter-site transports have only one IP site link, with a 15-minute replication interval, and all sites are on this link (they are all on one physical campus).

I understand that by default only the configuration and schema partitions get synchronized between a root domain and a child domain, but then:

1. Why do any child domain controllers show replication of this root domain partition in output of repadmin /showvector? Is this evidence of global catalog replication?

2. Why do I see up-to-date replication of this same partition between the root and the child domain controllers that are in the same site as the root DCs, while the replication between the root and the child domain controllers outside the main site is showing a latency of 10 days at this point?

3. Why do the results of repadmin /showvector appear inconsistent with repadmin /showrepl * (latency vs last successful time)? I presume they are actually reporting different data, but what exactly is different about them (aside from /showrepl * showing all partitions/naming contexts)?

I'm guessing that I'm just ignorant of some normal behavior or detail here, but I figured I would ask anyway since I haven't been able to piece together a convincing answer yet.

Thanks in advance for any responses.

Fallen Primary DC with no Additional DC.

Hi all,

I have a primary DC which went down due to some technical issues. I followed many articles to revive it, but with no luck.

My main issue is that the system administrator did not take any backup of Active Directory before; he took only a full system backup. And my forest includes many child domains and sites, with DCs there.

Kindly please,

1- Is there any way to retrieve my primary DC with Active Directory from the system backup? ... How?

2- Or, if I rebuild the primary DC, is there any way to reconnect the sites' DCs to the primary DC and replicate all Active Directory partitions from the sites' DCs to the primary DC without losing anything... How?

best regards,
Omar Qasem

Use child domain of public domain name for active directory

Hello,

We have a public DNS with domain name example.com.

I want to create a private domain in my company. I created a new forest with domain name office.example.com.

This private domain is not registered in public DNS.

When I use "nslookup", I see a problem: when I look up microsoft.com the result is microsoft.com.example.com, or when I look up example.com the result is example.com.example.com.

When I look up any domain name such as google.com, yahoo.com or anything else, the results contain example.com.

How can I resolve it?




DC - refuses administrator log on

History: I migrated a 2003 domain to 2012 R2 (2 DCs), now native. All was OK until my 1st reboot of the 2nd DC. It lost its ability to communicate with the domain. I've demoted/removed it and am now on 1 DC until I can do some more testing. DNS is now clean and dcdiag gives a clean bill. This has been running without issues for several weeks.

This AM I get a call and users cannot log into the terminal server. I reboot it, but the problem persists. I then try to log onto the DC. I get a login error; the DC doesn't recognize administrator or the regular domain admin account I typically use. I'm forced to do a power-button shutdown and restart. After restart I can log in and everything appears to be good.

A review of the event logs shows that at 4:30 PM yesterday the scheduled backup (Win Backup) occurred successfully. Then shortly after 5 PM the system logs event 5823 (NETLOGON: The system successfully changed its password on the domain controller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.).

Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

Can anyone shed some light on what possibly happened? Did the automatic change of the system password break AD because I only have 1 DC?

Ports and directions new domain

Hi folks,

I'm currently setting up a new domain for our office, all hardware is located in our datacenter but I can't seem to find what direction the ports need to be configured for. More specific: datacenter <> office and/or datacenter > office, office > datacenter.

Who can help me with this?


Active Directory Federation - SPN error

Hi,

I am installing ADFS on a Windows 2012 R2 server. I am following a Microsoft document. I got a certificate error which was my mistake. Now I have uninstalled and installed ADFS, but I always get this error:

"An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually. For more information about setting the SPN of the service account manually, see the AD FS deployment guide. Error message: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation service name and try again"

I tried this.

setspn -a host/devmsadfd01.dev.local FsGmsa
Checking domain DC=Dev,DC=local
CN=DEVMSADFD01,CN=Computers,DC=Dev,DC=local
TERMSRV/devmsadfd01.Dev.local
TERMSRV/DEVMSADFD01
WSMAN/devmsadfd01.Dev.local
WSMAN/devmsadfd01
RestrictedKrbHost/DEVMSADFD01
HOST/DEVMSADFD01
RestrictedKrbHost/devmsadfd01.Dev.local
HOST/devmsadfd01.Dev.local
Duplicate SPN found, aborting operation!

If I list

Get-ADServiceAccount -Filter {Name -like '*'}


DistinguishedName : CN=FsGmsa,CN=Managed Service Accounts,DC=Dev,DC=local
Enabled           : True
Name              : FsGmsa
ObjectClass       : msDS-GroupManagedServiceAccount
ObjectGUID        : 65e9d7a1-37c9-4b18-9f88-f53e6a1e5cf6
SamAccountName    : FsGmsa$
SID               : S-1-5-21-693966828-3219725666-2027041104-1252
UserPrincipalName : 

I am using this account as the AD FS user.

Any ideas?

Please advise.
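The setspn output above shows the HOST/ SPN for the federation service name already registered on the computer object DEVMSADFD01, which is the duplicate the wizard reports. As an added example (not code from the post), the script below finds the owner of any SPN across the forest and checks a candidate federation service name before the wizard is re-run; it assumes the ActiveDirectory RSAT module and uses the hostname and account name from the post.

```powershell
# Added example, not code from the post above. Needs the ActiveDirectory RSAT module.
# A federation service name equal to a server's own hostname collides with the
# HOST/ SPN that every computer object registers for itself, which is what the
# "already set on another Active Directory account" error is reporting.
Import-Module ActiveDirectory

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # Query a global catalog (port 3268) so accounts in every domain of the forest
    # are covered; servicePrincipalName is replicated to the GC.
    $gc   = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
    $root = (Get-ADRootDSE).rootDomainNamingContext
    Get-ADObject -Server "${gc}:3268" -SearchBase $root -SearchScope Subtree `
        -LDAPFilter "(servicePrincipalName=$Spn)" `
        -Properties sAMAccountName, servicePrincipalName |
        Select-Object Name, ObjectClass, sAMAccountName, DistinguishedName
}

function Test-FederationServiceName {
    param(
        [Parameter(Mandatory)][string]$FsName,          # planned federation service FQDN
        [Parameter(Mandatory)][string]$ServiceAccount   # sAMAccountName of the AD FS account
    )
    # The only account allowed to hold HOST/<fsname> is the AD FS service account itself.
    $owners = Get-SpnOwner -Spn "HOST/$FsName"
    $other  = @($owners | Where-Object { $_.sAMAccountName -ne $ServiceAccount })
    if ($other.Count -gt 0) {
        Write-Warning "HOST/$FsName is already registered on: $($other.DistinguishedName -join '; ')"
        return $false
    }
    return $true
}

# Values from the post: the computer object DEVMSADFD01 holds HOST/devmsadfd01.Dev.local,
# so this returns $false and names that object. A name that is not any machine's hostname
# (hypothetical example: fs.dev.local) returns $true, and the wizard can then set the SPN
# on the gMSA itself instead of needing a manual setspn -a.
Test-FederationServiceName -FsName 'devmsadfd01.dev.local' -ServiceAccount 'FsGmsa$'

# Built-in forest-wide duplicate-SPN report as a final sanity check.
setspn -X -F
```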



How to make a specific query

I would like to know how to write a query to find out which group each user that I have added to my LDAP belongs to.

IDMU in Server 2008 Suddenly unresponsive

We are running Identity Management Services for UNIX on Windows Server 2008 SP2 with one Windows Master and one Windows subordinate.  After working for over two years, our NIS domain is suddenly unable to authenticate users on any of our Linux/UNIX boxes.  Restarting services did not help.  Looking at Event Viewer or c:\Windows\idmu\logs yielded no information. 

I did not setup our NIS configuration and in fact my knowledge of NIS is rather slim.  What I do know is that the IDMU configuration had not been touched for many months up until this point.  I did try at one point to get NFS file sharing on a separate 2008 R2 server to authenticate using the NIS domain hosted on these boxes.  That also was several weeks prior to this breakdown. 

Here are the only potential problem indicators I can see:

1) Use of the ypcat commands sometimes displays the appropriate information and sometimes returns the error "NIS Service is not running on the host '<servername>' in domain '<domainname>'". It's as though the Server for NIS is constantly starting and stopping, but no such activity is recorded in Event Viewer; no entries for Server for NIS starting and stopping are recorded unless I manually turn it off and on.

1a) Likewise, Linux and UNIX servers that run ypwhich will attempt to contact the appropriate server and will sometimes get a response back and sometimes will not get a response. (I think that's the command; again, my knowledge of NIS and these commands is minimal.)

2) In ADSI Edit I see duplicate container entries for defaultMigrationContainer30 and ypserv30 that have the objectGUID tacked onto the container name like so:

CN=defaultMigrationContainer30CNF:2bedf883-f6b4-4650-a2fa-cddf7d03dcdc

CN=ypServ30CNF:be1e659e-9fbc-4daf-9d98-c0e63a8ad4d4

Having said all that, my first question is obvious: can anyone shed some light as to what might have happened? Secondly, are those duplicate containers safe to flat-out delete through ADSI Edit?

User profile service is error in Win7!!!

Hi everybody,

Currently, I have a problem that has not been solved.

I need your help to solve it.

[State]

- We have 2 sites. Japan is the headquarters site and the domain controller is placed here; Vietnam is a remote site.

- All PCs in the VN site have joined the Japan DC.

[Problem]

In the VN site, we get an error when logging in to a PC:

- Currently, some PCs cannot log in with any user account. It shows: User profile service failed to logon...

- Other user accounts that logged on successfully before still log on normally => That means this error has appeared recently.

Please give me the cause and solution

Thanks for your help!!!

Cannot Replicate after upgrading domain functional level

Hello, 

Parent and child domain. The parent domain (forest) is still at domain functional level 2003. However, I just updated the child domain to domain functional level 2008 R2. Now replication is not working. I believe the issue is DNS, but I do not know what could be different; the names have not changed. This is a two-way transitive trust between domains.

Frequent messages from dcdiag DNS are:

no DNS RPC connectivity (although I have tried restarting DCOM, NetBIOS and FRS)

Also in Event Viewer, many 13508 errors.

Any help is greatly appreciated thank you.


RPC 1024 - 65535 and TCP 135

I have been finding conflicting information. I hope someone can clarify.

TCP 135 is the End Point Mapper that can allow a Domain Controller to replicate with another Domain Controller using TCP over 49152–65535. OK, I get that. But some say clients must also use those high ports back to the Domain Controller as well.

My question is, what for? Does it use the high ports for all Domain services? I would not think so, since they are defined, such as Kerberos (88). According to Wikipedia: "The range 49152–65535 (2^15+2^14 to 2^16−1)—above the registered ports—contains dynamic or private ports that cannot be registered with IANA. This range is used for custom or temporary purposes and for automatic allocation of ephemeral ports."

I would assume then, for AD services they have been reserved, but you may have a client that runs a certain program\service that may need to talk to the AD controller for something like LDAP to verify a username, it may use TCP 135 to ask for a short term (ephemeral) port to use for this, do what it needs to do, then close the connection.
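To make the endpoint-mapper question concrete, here is an added example (not code from the post): a script that reports a DC's configured dynamic port range and the high ports its RPC servers are actually listening on, which is exactly what a client learns from TCP 135 before it connects. It assumes it is run on a domain controller with PowerShell 4 or later (NetTCPIP module).

```powershell
# Added example, not code from the post above. Run on a domain controller with
# PowerShell 4+ (NetTCPIP module). The endpoint mapper on TCP 135 tells a client
# which dynamic-range port a given RPC interface is listening on; this lists those
# ports so a firewall between clients/DCs can be scoped to what is really in use.

function Get-DynamicPortRange {
    # Parses "netsh int ipv4 show dynamicport tcp" (Start Port / Number of Ports).
    $out   = netsh int ipv4 show dynamicport tcp
    $start = [int]($out | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value
    $count = [int]($out | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value
    [pscustomobject]@{ Start = $start; End = $start + $count - 1 }
}

function Get-RpcListener {
    # Listening TCP ports at or above the dynamic range start, plus 135 itself,
    # with the owning process. On a DC the AD DS (LDAP/DRS replication) and
    # Netlogon RPC servers live in lsass.exe; the endpoint mapper (RpcSs) in svchost.exe.
    $range = Get-DynamicPortRange
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -eq 135 -or $_.LocalPort -ge $range.Start } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort = $_.LocalPort
                Process   = if ($p) { $p.ProcessName } else { 'pid ' + $_.OwningProcess }
                InRange   = ($_.LocalPort -ge $range.Start -and $_.LocalPort -le $range.End)
            }
        } | Sort-Object LocalPort -Unique
}

# Optional hardening, shown as comments only: pin the AD DS and Netlogon RPC ports
# (documented registry values) so the firewall rule is two fixed ports instead of the
# whole dynamic range. Needs a reboot and the same values on every DC; 50000/50001
# are sample values, not a recommendation.
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'TCP/IP Port' -Value 50000 -Type DWord
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name 'DCTcpipPort' -Value 50001 -Type DWord

Get-DynamicPortRange
Get-RpcListener | Format-Table -AutoSize
```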


Problem replacing computers using the old computer account

We are running a 2008 R2 domain with Win7 workstations. We are currently removing our PC Technicians from the built-in Account Operators group and adding them to a new security group called Computer Operators. The Computer Operators group does have permissions to create/delete computer accounts and read/list/write permissions on the different OUs for computers. Our PC Technicians have always been able to rebuild a computer without deleting the old computer account, and that was a lot faster for them. Now that they are no longer Account Operators they are being forced to delete the computer account (on a DC in their site), wait for AD replication for some reason, and then they can join the new computer to the domain with the old name. If they do not delete the computer account first, they get the message

"The join operation was not successful. This could be because an existing computer account having name "ComputerXXX" was previously created using a different set of credentials...

Is there any way I can change it so they can do this like the other Account Operators can? Also, not sure why they are needing replication, as I confirmed they are connected in ADUC to their site when deleting the account and that the new computers are also in their sites. Does that deletion/creation have to go through the RID master or something like that?

Thanks


Dan Heim



Permission issue in AD

Hi All,

I need to provide access to the helpdesk team to reset the password and change the password in AD.

I tried adding the Account Operators built-in group to the helpdesk security group which I created, and even after I delegated the permission, they are still getting an access denied error.

Can someone tell me what the issue is? If I add them to the Domain Admins group, within 1 min they get the access to reset the password. I don't want to provide Domain Admin permission.

Thanks
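Both this post and the "Problem replacing computers using the old computer account" post above want rights that built-in Account Operators membership used to provide. The following added example (not code from either post) grants them explicitly on an OU with the ActiveDirectory module, which is the least-privilege alternative to nesting a group in Account Operators; OU and group names are placeholders.

```powershell
# Added example, not code from the posts above. Needs the ActiveDirectory RSAT module
# and a session allowed to modify the target OUs' ACLs. OU/group names are placeholders.
Import-Module ActiveDirectory

# Well-known schema and control-access-right GUIDs (identical in every AD forest).
$G = @{
    UserClass        = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    ComputerClass    = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    ResetPassword    = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    PwdLastSet       = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'
    AccountRestrict  = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # property set
    ValidatedDnsHost = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
    ValidatedSpn     = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
}

function Add-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Group,          # sAMAccountName of the delegated group
        [Parameter(Mandatory)][guid]$ObjectClass,      # class the ACEs apply to
        [Parameter(Mandatory)][hashtable[]]$Aces       # @{ Right = <ADRights>; Guid = <guid> }
    )
    $sid  = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $Group).SID
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    foreach ($ace in $Aces) {
        # Inherit-only onto objects of the given class below the OU, not the OU itself.
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]$ace.Right,
            'Allow', $ace.Guid, 'Descendents', $ObjectClass)))
    }
    Set-Acl -Path $path -AclObject $acl
}

# Case 1: helpdesk resets user passwords and can force "change at next logon".
# Caveat: accounts in protected groups (adminCount=1) are re-stamped from AdminSDHolder
# and never inherit this ACE, so access denied on those is by design.
Add-OuDelegation -OuDn 'OU=Staff,DC=example,DC=com' -Group 'HelpDesk' -ObjectClass $G.UserClass -Aces @(
    @{ Right = 'ExtendedRight';               Guid = $G.ResetPassword },
    @{ Right = 'ReadProperty, WriteProperty'; Guid = $G.PwdLastSet }
)

# Case 2: technicians rejoin a rebuilt machine to its existing computer account.
# Reusing an account needs Reset Password plus writes to account restrictions,
# dNSHostName and SPNs; without them the join reports that the account "was
# previously created using a different set of credentials".
Add-OuDelegation -OuDn 'OU=Workstations,DC=example,DC=com' -Group 'ComputerOperators' -ObjectClass $G.ComputerClass -Aces @(
    @{ Right = 'ExtendedRight'; Guid = $G.ResetPassword },
    @{ Right = 'WriteProperty'; Guid = $G.AccountRestrict },
    @{ Right = 'Self';          Guid = $G.ValidatedDnsHost },
    @{ Right = 'Self';          Guid = $G.ValidatedSpn }
)
```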

Add a child or sub domain for win8/Office365 support

We have a single Windows Server 2008 set up.

It was set up internally as company.com, but we do not own company.com; our domain is company-usa.com.

This has not been a problem, except now we are adding Windows 8 devices and Office 365, which want to use company-usa.com as login, but I cannot add these users to active directory.

I would rather not rename the internal domain - I'm sure that would cause both server and client issues.

I was thinking I could just create a child or sub-domain company-usa.com and then add the users to it.

Is there a better way?

Do I add a child or sub-domain?

2008 R2 Replication Problem

Over the weekend I had to replace one of our 43 domain controllers. Pretty standard practice of demoting the old one, waiting for replication and so on.

For the second time in a month I noticed a problem. The DC I demoted was one of two in a site. I demoted it and the other DC in the site saw the demotion. However, it never replicated to anywhere else, even after 2.5 hours. (We have 15-minute replication.)

I looked and the remaining DC has a replication setup (auto generated) to one of the servers in our main site and it would not replicate even when I selected to replicate now.

I saw this a few weeks ago when I replaced a DC in the main site, the other four in the site saw the change but the replication never left the site for 3 hours in that case.

I ran commands to check replication and all seemed fine.

I never have a problem when I demote the only DC in a site, it replicates out right away to all DCs, only sites that have more than one DC have a significant delay or don't replicate at all.

Does anyone know things to look for when all the replication tools show no problems but something like this happens?


autologoff users from workstations through GPO or anyother way

Hi

I need to log off most users from workstations after 5 PM.

How can I achieve it through GPO or something else like a script?


Possible error with Active directory with BIND DNS

We are currently in the process of upgrading our Domain Controllers from 2008 to 2008 R2. I haven't had any errors in Event Viewer, but in "Best Practices Analyzer" I receive the error:

"Issue:

The Domain Name System (DNS) host resource records for this domain controller's fully qualified domain name currently map to the IP addresses that do not belong to this domain controller. The invalid IP addresses (IP address of DNS server).

Impact:
Other member computers and domain controllers in the domain or forest might not be able to locate this domain controller. This domain controller will not be able to provide a full suite of services.

Resolution:
Ensure that the DNS Client service on this domain controller is configured and able to register valid host resource records with an authoritative DNS server for the domain."

I am aware there are problems with 2008 R2 working with older versions of BIND 9.2.2 (we are running bind-9.5.0-26.b3). Everything seems to be working on the DNS side.

With no specific event error in Event Viewer, I'm not sure of the next step.

Any ideas?
