Channel: Directory Services forum

The security database on the server does not have a computer account for this workstation trust relationship - servicePrincipalName empty


Hi

I have a remote site (with a firewall to HQ) where computers are added to my domain. The computer account is created correctly, but when I restart and log in, I get the following message (the same after disjoining and rejoining the computer; I never had this problem with other computers in my HQ):

The security database on the server does not have a computer account for this workstation trust relationship

> In ADSIEDIT, servicePrincipalName is empty and I don't understand why
> I join the workstation with a Domain Admins account
> I've tested ports with PortQuery / Domains and Trusts and everything is fine

Thanks for your help


Unable to change domain logon password from Windows 8.1 system


We are facing a new problem in our domain. Users working on the Windows 8.1 platform are not able to change their password and get the error "the security database on the server does not have a computer for this workstation". I tried deleting the computer from the domain and rejoining it to the domain, but that did not help.

We are running Windows 2008 standard 64 bit Domain Controller and Active Directory functional level is Windows Server 2003. Please help with a solution.

Problem replacing computers using the old computer account


We are running a 2008 R2 domain with Win7 workstations.  We are currently removing our PC Technicians from the built-in Account Operators group and adding them to a new security group called Computer Operators.  The Computer Operators group does have permissions to create/delete computer accounts and read/list/write permissions on the different OUs for computers.  Our PC Technicians have always been able to rebuild a computer without deleting the old computer account, and that was a lot faster for them.  Now that they are no longer Account Operators they are being forced to delete the computer account (on a DC in their site), wait for AD replication for some reason, and then they can join the new computer to the domain with the old name.  If they do not delete the computer account first, they get the message

"The join operation was not successful.  This could be because an existing computer account having name "ComputerXXX" was previously created using a different set of credentials...

Is there any way I can change it so they can do this like the other Account Operators can?  Also, I'm not sure why they need replication, as I confirmed they are connected in ADUC to their site when deleting the account and that the new computers are also in their sites.  Does that deletion/creation have to go through the RID master or something like that?

Thanks


Dan Heim


2008 RC1 DC: DomainControllerAuthentication Certificate Request error


After installing a secondary domain controller (Windows 2008 Core RC1) in my existing domain (forest, domain functional levels: Windows 2003, root DC: Windows 2003 SP2), I keep getting the following errors in the new DC's event log:

Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate from internal.fqdn\CAName (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

Certificate enrollment for Local system failed to enroll for a DirectoryEmailReplication certificate from internal.fqdn\CAName (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

I have verified that the Domain Controller Certificate template provides Enroll, Autoenroll Allow permissions for "Domain Controllers" and "Enterprise Domain Controllers".

There are not any failed requests in the CA.

Domain Controller Certificate Template properties:
Certificate Purposes: Client Authentication, Server Authentication, Smart Card Logon
Include e-mail address: No
Public Key Usage List: Digital Signature, Key Encipherment
Public Key Usage Critical: No
Publish in Active Directory: No
Object identifier: 1.3.6.1.4.1.311.21.8.2326345.5972755.6701730.12454250.14293220.59.1.28
Subject type: Computer
Major version number: 110
Minor version number: 0

Any help will be appreciated.

YP

Why do I see replication latency of several days despite there being no replication errors?


Hello All,

Why is repadmin /showvector /latency showing latency of several days for the root domain partition to child domain controllers outside the main site?

Repadmin /replsummary * shows 0 errors and all deltas within 30 minutes. Inter-site Transports has only one IP site link, with a 15 minute replication interval, and all sites are on this link (they are all in one physical campus).

I understand that by default only the configuration and schema partitions get synchronized between a root domain and a child domain, but then:

1. Why do any child domain controllers show replication of this root domain partition in output of repadmin /showvector? Is this evidence of global catalog replication?

2. Why do I see up-to-date replication of this same partition between the root and the child domain controllers that are on the same site as the root DCs, while the replication between the root and the child domain controllers outside the main site is showing a latency of 10 days at this point?

3. Why do the results of repadmin /showvector appear inconsistent with repadmin /showrepl * (latency vs last successful time)? I presume they are actually reporting different data, but what exactly is different about them (aside from /showrepl * showing all partitions/naming contexts)?

I'm guessing that I'm just ignorant of some normal behavior or detail here, but I figured I would ask anyway since I haven't been able to piece together a convincing answer yet.

Thanks in advance for any responses.

Domain Trust Issue


We are in the process of creating 2 domains. One is our old, and one is the new one we want to move everything to. I have the new domain created. I created a new domain, and a new forest; the old domain is a single label domain. I have everything setup, but when I try to establish the trust between the 2 domains, I am running into issues.

This is the error I receive when I try to validate the trust:

The secure channel (SC) verification on Active Directory Domain Controller \\AlostarDC1.Nexity of domain Nexity to domain alostar.local failed with error: The specified domain either does not exist or could not be contacted.

The secure channel (SC) reset on Active Directory Domain Controller \\AlostarDC1.Nexity of domain Nexity to domain alostar.local failed with error: The specified domain either does not exist or could not be contacted.

From the old single label domain I can ping the domain name of the new domain just fine; however, I can't ping the single label domain from the new domain. I have added a conditional forwarder on the old domain for the new domain. I added the DCs in the old domain as name servers in the new domain. Not sure what's going on. Any help will be appreciated. Thanks!

"Authenticated Users" vs. "Users"


I'm setting up a profiles structure on a server, starting with the master folder that'll house all the profile subfolders.  The default permissions on a newly created folder always have the admins, creator/owner and system accounts, but by default it also has Users.  Yet in some pre-existing installations I've come across I've seen Authenticated Users put there instead, so the admin must have had a reason.

So the question is, what's the difference?  Since any domain user would have to authenticate to get into any resource anyway, is this not just the same thing?  What would be a scenario whereby you should use one over the other?

Thanks! 


Disable domain join unless computer account has first been created


Does anyone know if it's possible to configure Active Directory so that a computer cannot be joined to the domain unless the computer account is first created manually?

sidhistory from demised domain


Hoping that somebody can give me a definitive answer.

I've been tasked with migrating from one domain to another.  However, I have discovered that the current domain has sidHistory present from a previous domain which was shut down a couple of years ago.

Before I start populating sidHistory into the new domain, I should probably clean up sidHistory from the current domain to avoid taking two sets of sidHistory over to the new domain.

The thing that I would like to understand is whether the sidHistory held in the current domain serves any purpose given that the domain from which it all originated is dead, or whether the sidHistory remains functional if it has been configured on resources. I.e. can I simply delete all the sidHistory without risk of anything breaking, or do I need to plan the deletion of the sidHistory by checking all resources to see if it is in use and update ACLs accordingly?

many thanks in advance

Phil.


The current fsmo holder cannot be contacted - FSMO transfer between 2 dc (Windows 2012)


Hi, I ran into trouble while adding a new domain controller. The situation is: I have only one DC (Windows Server 2012 trial, its name is dc1.mydomain.com); it stopped working a few days ago, and it is impossible to activate it. So I decided to build a secondary domain controller based on a correct Windows Server 2012 Standard (dc2.mydomain.com). All was done except one role:

netdom query fsmo
Schema master            dc1.mydomain.com
Domain name master       dc2.mydomain.com
PDC                      dc2.mydomain.com
RID pool manager         dc2.mydomain.com
Infrastructure master    dc2.mydomain.com

So when I'm trying to change Active Directory Domain Controller in Active Directory Schema snap-in I receive message:

"Active Directory Schema snap-in is not connected to the schema operations master. You will not be able to perform any changes. Schema modifications can only be made on the schema FSMO folder."

So I thought the problem is in Operations Master:

"The schema master manages modifications to the schema. Only one server in the enterprise performs this role.

Current schema master (online): dc1.mydomain.com

To transfer the schema master role to the targeted schema FSMO holder below, click Change: dc2.mydomain.com"

When I press the Change button I receive the error:

"the current fsmo holder cannot be contacted". What is the problem with my new FSMO holder, what do you think? What exactly should I check? Thank you for your support.

Windows Server 2012 Connect with Client Windows 7 Pro.


Hello to all,

I'm having problems when I connect with Win2012:

1. Win7 always connects with the Public Network Profile. I tried many times to reset the network adapter on both sides (server and client), but no use; Win7 always shows Unidentified network. (For your information, at the same time I am also connected to the internet with a wireless adapter (Home Network).)

2. Can't access the Windows 2012 public folder. Error: Network path not found.

Impact of resetting the password of the krbtgt account?


Hi,

Currently a lot of effort and interest goes into the golden ticket scenario that mimikatz and metasploit are able to do using the krbtgt account.

I know you would have to own a DC or get an NTDS dump to get the hash of the krbtgt account, but for the sake of this question let's assume we want to change the krbtgt password because a domain admin left the company, and could potentially have taken the DB with him.

In a number of scenarios, part of the restore procedure or resolution to an issue is to reset the password of the krbtgt account (for example:http://technet.microsoft.com/en-us/library/cc733991(WS.10).aspx)

As part of a forest recovery procedure you have to change the password of the krbtgt account twice to make sure replication no longer occurs. Wouldn't this mean that existing replication breaks as well when you change the password, as the steer is in a lot of blogs, recommendations or technet articles?

In short, I'm wondering what would break when you change the password of the krbtgt account, and if anything does, for how long and will it automatically repair? It wouldn't be nice to have to tell a customer to do a forest recovery because they followed steer from security companies telling them to change their krbtgt password.

Thanks in advance for your responses!
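The two-step reset the post asks about, with the replication and ticket-lifetime waits between the resets, as an added PowerShell example (not from the thread and not Microsoft's own reset script); it assumes the RSAT ActiveDirectory module, repadmin.exe on the PATH and Domain Admin rights, and the function names are this example's own.

```powershell
# Added example, not from the thread: a guard-railed krbtgt reset that refuses to
# run the second reset until the first key has reached every DC and the maximum
# ticket lifetime has passed. Assumes the RSAT ActiveDirectory module, repadmin.exe
# on the PATH, and Domain Admin rights. Function names are this example's own.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordLastSetPerDC {
    # Query each DC directly instead of trusting one DC's (possibly stale) view.
    Get-ADDomainController -Filter * | ForEach-Object {
        $u = Get-ADUser -Identity krbtgt -Server $_.HostName -Properties PasswordLastSet
        [pscustomobject]@{ DC = $_.HostName; PasswordLastSet = $u.PasswordLastSet }
    }
}

function Test-KrbtgtConverged {
    # True when every DC reports the same pwdLastSet, i.e. the current key has replicated.
    $states = @(Get-KrbtgtPasswordLastSetPerDC)
    return (@($states.PasswordLastSet | Sort-Object -Unique).Count -eq 1)
}

function Invoke-KrbtgtReset {
    param(
        # Default domain Kerberos policy: maximum ticket lifetime is 10 hours. Adjust if yours differs.
        [int]$MaxTicketLifetimeHours = 10
    )
    $last = (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet
    $ageHours = ((Get-Date) - $last).TotalHours
    if ($ageHours -lt $MaxTicketLifetimeHours) {
        throw ("Last krbtgt reset was {0:N1}h ago; wait at least {1}h so tickets issued under the previous key have expired." -f $ageHours, $MaxTicketLifetimeHours)
    }
    if (-not (Test-KrbtgtConverged)) {
        throw "Current krbtgt key has not replicated to all DCs; resetting now would make DCs disagree on the key."
    }
    # A long random password; nobody ever needs to know it, so it is not kept anywhere.
    $alphabet = [char[]](33..126)
    $newPw = -join (1..40 | ForEach-Object { $alphabet | Get-Random })
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString $newPw -AsPlainText -Force)
    # Push the change to all DCs now so the window of key disagreement stays short.
    repadmin /syncall /AdeP | Out-Null
    Get-KrbtgtPasswordLastSetPerDC
}

# Usage: run Invoke-KrbtgtReset once, then again only after the guards pass. The KDC
# keeps the current and the previous krbtgt key, so a single reset leaves tickets
# issued under the old key valid; two resets, spaced apart, retire it completely.
```

Between the two runs, a client whose TGT was issued under the key from before the first reset still authenticates, which is why spacing the resets by at least the maximum ticket lifetime is what avoids the breakage the post worries about.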

Centralized multiple file servers into a single location


Hi Experts,

I have a client that is looking for a solution that allows the centralization of file servers. This company has a headquarters in the US and multiple satellite offices around Latin America, where each branch or satellite office has its own Windows file server.

I've been thinking of DFS, but I need to know if you can provide me with high-level steps to integrate multiple file servers into a centralized file server solution.

What type of DFS infrastructure deployment do you recommend?

Any DFS free planning tool available to download?

Any blogs, links, that shows step-by-step how to architect, design and deploy DFS to centralize Windows File servers and shares?

Your feedback is really appreciated

Franki

Remove a domain controller

I have SBS 2008 with a Windows Server 2008 SP2 server as a second domain controller.  I've added a new 2012 server and made it a domain controller.  I need to demote the 2008 box.  If I run dcpromo, it doesn't detect that it is a domain controller and just wants to create a new one.  I notice that the AD DS service is not running, it is disabled.  When I try to start it, it just stops.  dsquery server shows all three as domain controllers.  What is the best way to remove this DC?

Sysprep.exe with or without "Generalized"?


Can anyone tell me what the difference is between sysprep.exe with or without the "Generalize" option?

Another question is, is it possible to join a computer to a domain controller if they have the same SID (I cloned them from a single image)?

Thank all beforehand for answering my questions :)


I want to restrict my domain users that they can not use RSAT


Hi

I want to restrict my domain users so that they cannot use RSAT to see, browse or query my domain information and group policy objects in my domain from the DC with RSAT installed on their client computers.

I want to give permission to some help desk staff to see my DC information and block it for other network domain users.

How could I do this?

Regards

Kerberos Constrained Delegation


Need some help setting up constrained delegation on web servers.

Here is our scenario:

1. One web server in the DMZ, which will be a front-end server; this has some kind of redirect to a back-end web server

2. Back-end web server, which has the actual web pages

Need to set this up in such a way that there is only one-time authentication by the user and the front-end web server does some kind of proxying of credentials to the back-end server.

Kindly assist.


ADFS Sending UPN Claim


In the past, when sending UPN to a Relying Party, I have always used a Send LDAP Attribute Rule for the Relying Party.

I have just read a couple of guides for stepping by trust with Dynamics CRM.  They suggest first creating a pass-through rule for the Active Directory Claims Provider for UPN, and then a pass-through rule for the Relying Party.

I assume both result in the same claim being sent to the Relying Party.  Are there pros and cons between the two methods?

IDMU in Server 2008 Suddenly unresponsive


We are running Identity Management Services for UNIX on Windows Server 2008 SP2 with one Windows Master and one Windows subordinate.  After working for over two years, our NIS domain is suddenly unable to authenticate users on any of our Linux/UNIX boxes.  Restarting services did not help.  Looking at Event Viewer or c:\Windows\idmu\logs yielded no information. 

I did not setup our NIS configuration and in fact my knowledge of NIS is rather slim.  What I do know is that the IDMU configuration had not been touched for many months up until this point.  I did try at one point to get NFS file sharing on a separate 2008 R2 server to authenticate using the NIS domain hosted on these boxes.  That also was several weeks prior to this breakdown. 

Here are the only potential problem indicators I can see:

1)  Use of the ypcat commands sometimes displays the appropriate information and sometimes returns the error "NIS Service is not running on the host '<servername>' in domain '<domainname>'". It's as though the Server for NIS is constantly starting and stopping, but no such activity is recorded in Event Viewer; no entries for Server for NIS starting and stopping are recorded unless I manually turn it off and on.

1a)  Likewise, Linux and UNIX servers that run ypwhich will attempt to contact the appropriate server and will sometimes get a response back and sometimes will not get a response.  (I think that's the command; again, my knowledge of NIS and these commands is minimal.)

2)  In ADSI Edit I see duplicate container entries for defaultMigrationContainer30 and ypserv30 that have the objectGUID tacked onto the container name, like so:

CN=defaultMigrationContainer30CNF:2bedf883-f6b4-4650-a2fa-cddf7d03dcdc

CN=ypServ30CNF:be1e659e-9fbc-4daf-9d98-c0e63a8ad4d4

Having said all that, my first question is obvious:  Can anyone shed some light as to what might have happened?  Secondly, are those duplicate containers safe to flat-out delete through ADSI edit?

AD 2008R2 can't connect with a host to the domain


Hello,

I have an AD server 2008R2 and everything looks like it is working fine.

But, for some reason, I can't connect a host with Win7 to the domain.

I receive the following error:

"An Active Directory Domain Controller (AD DC) for the domain <domain_name> could not be contacted..."

What is wrong?

I did all the configuration and I'm able to connect to other AD servers, but not to this one!

please help :)
