Channel: Directory Services forum

Error 1083 Daily for different users


I've been getting warnings quite often after migrating a hostname & IP from an old domain controller to a new Server 2012 R2 DC. I've checked the metadata, replication and DNS. Everything is perfect, but these warnings are annoying me.

Here is the error:

  

Active Directory Domain Services could not update the following object with changes received from the directory service at the following network address because Active Directory Domain Services was busy processing information. 

Object:
CN=<username>,OU=xxxx,OU=xxxx,DC=Rxxxxxxxxx,DC=net 
Network address:
5e60bbe7-d0b5-47aa-b4b6-13f2037f7ac8._msdcs.xxxxxxxxxx.net 

This operation will be tried again later.

It's referencing a user CN seemingly at random, and the network address it's referencing is the _msdcs CNAME record of a valid domain controller that is verified to be replicating to the DC that is showing these warnings.

Any ideas???





503 error on Federation Services 3.0


Hi,

I seem to be able to find lots of similar results for ADFS 2.0, but most tell me that it's to do with the IIS app pool identity, which no longer exists in ADFS 3.0.

First of all, I have for the first time set up ADFS in our organisation. It is working for the most part; at least I can download the metadata XML file and so forth. However, when I browse to http://sso.ourdomain.com/adfs/services/trust I get a 503 unavailable error. According to my 3rd-party claims provider this should work, but I seem unable to get anything internally or externally. Any ideas?

Thanks

Warwick

Change last name


I recently changed a user's last name in ADUC by right-clicking the user and clicking Rename, then proceeded to go into ADSI Edit and change the user's proxy SMTP address to reflect it, and with our rich coexistence on our DirSync server ran (pushed) an online sync to Office 365. The user was able to log in with the new username and use email successfully.

My issue is that now with one of our proprietary web-based applications that ties into AD, meaning the user has to be logged in with their domain account in order to log in (so the website is AD integrated), the user logs in with the new username but the page displays this error: username (in this case I'll say jdoe) does not match Windows login jsmith.

Thoughts please? 

2012R2 DC - AD LDS Service Principal Names - Duplicates


Hello

After installing the first domain controller with 2012 R2, we see the following error in the Directory Service log on the new 2012 R2 domain controller:

The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP12345:50000
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP12345:50000
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL Winerror: 8647 
 See http://go.microsoft.com/fwlink/?LinkID=279782 for more details on this policy.

It seems to be related to the SPN for AD LDS:

http://technet.microsoft.com/pt-br/subscriptions/cc816802

http://technet.microsoft.com/en-us/library/dn535779.aspx

The error only occurs for member servers where AD LDS is installed (application dependency).

Replication status is OK.

Any ideas on how this error should be handled/corrected?

Erlend
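
As an added example (not from the post above or from any Microsoft tool), the following PowerShell lists every servicePrincipalName value that is carried by more than one object anywhere in the forest. It searches a global catalog, so duplicates across domains are found as well. It needs no AD module, only the .NET System.DirectoryServices classes, and assumes the account running it can read the GC.

```powershell
# Added example, not from the original post: report every SPN registered on more
# than one account in the forest. servicePrincipalName is a case-insensitive
# attribute, so values that differ only in case are treated as the same SPN.
function Find-DuplicateSpn {
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $searcher = $forest.FindGlobalCatalog().GetDirectorySearcher()   # rooted at the GC (port 3268)
    $searcher.Filter      = '(servicePrincipalName=*)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000                                      # page past the 1000-entry server limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'servicePrincipalName'))

    $owners  = @{}                                                    # lower-cased SPN -> DNs that carry it
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $dn = [string]$r.Properties['distinguishedname'][0]
            foreach ($spn in $r.Properties['serviceprincipalname']) {
                $key = ([string]$spn).ToLowerInvariant()
                if (-not $owners.ContainsKey($key)) {
                    $owners[$key] = New-Object 'System.Collections.Generic.List[string]'
                }
                $owners[$key].Add($dn)
            }
        }
    } finally {
        $results.Dispose()
    }

    foreach ($kv in $owners.GetEnumerator()) {
        if ($kv.Value.Count -gt 1) {
            # The same DN listed more than once means a single object carries the
            # SPN in two case variants, which the uniqueness check also rejects.
            [pscustomobject]@{
                SPN      = $kv.Key
                Count    = $kv.Value.Count
                Accounts = ($kv.Value -join '; ')
            }
        }
    }
}

Find-DuplicateSpn | Sort-Object SPN | Format-Table -AutoSize -Wrap
```

The built-in equivalent is `setspn -X -F` (forest-wide duplicate search); the script above shows the same check as a query you can adapt, for instance to restrict it to the `E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/` prefix that AD LDS instances register. Whichever object is the wrong owner of a duplicate should lose the SPN with `setspn -D`, since the KDC cannot choose between two accounts for one name.
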



Forest Configuration Operators

I'm commissioning a new Windows Server 2012 R2 AD DS forest for a customer and have implemented the ten recommended service management roles as per the Best Practice for Delegating Active Directory Administration. The first test of the delegation model was to create a new child domain with a privileged account that's a member of the Forest Configuration Operators Role group. Unfortunately the test failed because the promotion process appears to check to see if the account is a member of the Enterprise Admins security group, which of course it's not. Can I create a child domain with an account that's a member of the Forest Config Ops administrative role or shall I bin this role off and just use EAs?

Cheers,

Tom Houston, UK Identity Management Practice

Active Directory account password expiry email notification


Dear team,

Greetings for the day. I have some queries about Microsoft Server 2008 Active Directory. In our environment a few users are using an Exchange account in a different domain, but their system login is in a different domain. So these users are facing the password expiry issue every time. As per my AD configuration, the AD user password expires every 60 days, so these users are not getting the notification before the password expires.

Kindly let me know if there is any way to configure email notification for users before the password expires, e.g. 14 days before. I got a script from the Microsoft site which is suitable for Exchange 2010 server, but we are using Microsoft Exchange 2013 SP1 (Exchange server operating system: Windows Server 2012) and Windows 2008 R2 for AD.

Kindly share with me if there is any script suitable for our environment.

Thank you very much in advance.

Thanks & Regards,

Libish A

Mobile No : +91 8197974656
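
As an added example (not from the post above or from the Microsoft script it mentions), here is a PowerShell notifier that mails every enabled user whose password expires within the next 14 days. The SMTP host, sender address and search base are assumptions; it runs from Task Scheduler once a day under an account that only needs read access to AD, and sends nothing until `$DryRun` is set to `$false`.

```powershell
# Added example, not from the original post or a Microsoft script: e-mail every
# enabled user whose password expires within the next $DaysAhead days.
Import-Module ActiveDirectory

$DaysAhead  = 14
$SmtpServer = 'smtp.corp.example.com'                  # assumed: an Exchange 2013 receive connector that accepts this host
$From       = 'it-helpdesk@corp.example.com'           # assumed
$SearchBase = 'OU=Users,DC=corp,DC=example,DC=com'     # assumed
$DryRun     = $true                                    # set to $false to really send

# msDS-UserPasswordExpiryTimeComputed is calculated by the DC from the effective
# policy (Default Domain Policy or a fine-grained PSO), so it stays correct if
# the 60-day setting changes or some users get a different policy.
$users = Get-ADUser -SearchBase $SearchBase `
            -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
            -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

$now = Get-Date
$expiring = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = must change at next logon; Int64.MaxValue = never expires under the effective policy
    if (-not $raw -or $raw -eq [long]::MaxValue) { continue }
    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $now).TotalDays)
    if ($daysLeft -lt 0 -or $daysLeft -gt $DaysAhead) { continue }
    if (-not $u.mail) { Write-Warning "$($u.SamAccountName): no mail attribute, skipped"; continue }
    [pscustomobject]@{ User = $u.SamAccountName; Mail = $u.mail; Expires = $expires; DaysLeft = $daysLeft }
}

foreach ($e in $expiring) {
    # Deliberately no link in the body: "click here to change your password" is
    # exactly what a phishing mail looks like, and users should not learn to trust it.
    $body = @"
Hello $($e.User),

Your Windows/domain password expires on $($e.Expires.ToString('yyyy-MM-dd HH:mm')) ($($e.DaysLeft) day(s) from now).
Please change it before then: press Ctrl+Alt+Del on a domain-joined PC and choose "Change a password".

This is an automated notice from IT; please do not reply.
"@
    if ($DryRun) {
        Write-Host ("DRY RUN: would mail {0} <{1}>, expires in {2} day(s)" -f $e.User, $e.Mail, $e.DaysLeft)
    } else {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $e.Mail `
            -Subject "Your password expires in $($e.DaysLeft) day(s)" -Body $body
    }
}
```

For the cross-domain case described in the post, the script must run against the domain the users log in to (that is where the expiry is computed), and the `mail` attribute of those accounts must point at the mailbox in the other domain; the Exchange 2013 receive connector also has to accept relay from the host running the script, or `Send-MailMessage` needs `-Credential`.
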

Windows domain controller in a virtual machine: how dangerous is saving its state for a short period of time?


I have a Windows Server 2012 R2 virtualization cluster. All the hosts are connected to an external storage system, and virtual machines' files are stored on external volumes (CSVs). All the hosts and virtual machines are a part of the same AD domain (mixed Windows Server 2012 RTM / 2008 R2 domain controllers). All the domain controllers are running in the virtual machines on the hosts of this cluster.

To prevent problems when all the hosts are turned off and then on simultaneously (for example, because of a power failure), all the domain controller VM files have been placed on local disks of the virtualization hosts (not on the Cluster Shared Volumes). As Hyper-V services don't depend on other Windows Server services (except its networking components), this means that my domain controllers can always start, provided the virtualization host can start at all. However, it also means that those DCs cannot be (quickly) migrated to other hosts while their current hosts are being rebooted. So if I need to reboot a virtualization host to install new updates, for example, I have to shut down the corresponding DC, reboot the host and wait for the DC to finish a cold boot and come back online. This means some interruption of service for our users, which, in turn, requires me to perform the reboots late at night.

The downtime can be significantly decreased by saving the state of the VM in which the DC is running. However, all the articles I've found on the Internet strongly recommend against it. I'm trying to understand why this recommendation was issued in the first place, but I'm unable to find a clear explanation. I've found some statements that saving the state of a DC can cause serious AD replication problems because of tombstoning, and that the password of a DC computer account may be changed while the DC itself stays in the saved state, which could prevent the DC from connecting to the domain after its state has been restored. However, those considerations are non-significant when we discuss a short (5 to 10 minute) saved state.

I have worked with AD and virtualization for a long time, and I fail to see any danger in saving the state of a DC for several minutes. In my opinion, after its state has been restored it would simply replicate all the AD changes from other DCs, and that's all.

What's your opinion?


Evgeniy Lotosh
MCSE: Server Infrastructure, MCSE: Messaging

Windows 7 machines lose trust relationship frequently


I have a random bunch of computers that are Windows 7 and part of my domain that are losing their trust relationship on a random basis. I currently have a Windows 2008 primary DC with a 2K8 R2 secondary DC serving 287 computers. Right now we are migrating away from Windows XP, so I would have to say that the ratio of XP machines is 60%. It just started recently that the Windows 7 computers randomly lose their security trust with the domain. There's no rhyme or reason to it. It will happen to a computer we installed less than a week ago, and hit another computer that was installed almost 2 years ago. I've seen quite a few other people having issues with W7 machines acting the same way and I know the "fix" is to disjoin it from the domain and rejoin it, but that's not a permanent solution. All these machines span multiple cities and all our admins are based in Dallas. We'll have computers in Ft Worth, Houston, Anna, and Longview, Texas all randomly behave this way, and all are Windows 7 Pro SP1 machines from different manufacturers. All the DNS records are up to date. There are no AD replication errors; in fact there are no errors at all on my DCs. No changes have been made to any GPOs or AD. Any assistance is appreciated, as this is bizarre since our domain has been working without a hitch for the past 3-4 years with no issues.

Thank You,

David


Migrate Domain controller from Windows Server 2003 to Windows Server 2008 R2


Hello,

We have a typical requirement; wondering if Microsoft can advise on it.

Our domain controller is configured on a Windows Server 2003 cluster; on the other hand we have a machine on Windows Server 2008 R2.

Requirement:

1. Can we configure a domain controller on Windows 2008 R2, with both DCs (the DC on WS2003 and the one on WS2008 R2) always in sync? Note: both DCs should point to the same domain.

2. If point #1 is possible, can I switch my DC to Windows Server 2008 R2 by decommissioning WS2003?

Basically, it's like I have a primary DC and a secondary DC. When the primary goes down, the secondary should function as primary without fail. The only difference is that the primary is on WS 2003 and the secondary is on WS 2008 R2.

Please advise on the possibility along with steps to build the secondary and switch from primary to secondary.

Thanks in advance.

Regards,

--Phanish

prevent default domain password policy being created with complexity enabled


Hi friends,

I want to install AD DS (Active Directory) on a system (OS = 2008 R2).

Via secpol.msc I have disabled all password complexity requirements & also minimum password length & password history &...

Now, is there any method to run dcpromo in a special way so that after the domain is installed, the Default Domain Policy remains with the same (non-complex) settings?

(I don't want to reconfigure all of them each time after AD DS is installed. I need a way to prevent that. Any switch with dcpromo? What about PowerShell?)

thanks in advance

Removing Active Directory Domain Services from Server 2012 Standard


Hi Guys.

I have two Server 2012 Standard servers, DC1 and DC2. I have promoted and installed AD DS on both servers and moved all FSMO roles to DC2. Now I want to remove AD DS from DC1, but I get the DNS message "Remove this DNS Zone (This is the last DNS server that hosts the Zone)", although I have the DNS role installed on DC2.

Please assist

Regards

NicWaks

creating a design picture


Guys,

For technical documentation about AD, I need to create a Visio diagram. I need to create a central OU and a local group OU, global groups, workstation OUs with desktop and notebook OUs, and a user OU for each department.

Can someone give me an example about how the picture should look? I was thinking about something like this:

Many thanks for a reply


Broken trust after restoring domain controller?

Hi,

We had to do a complete restore of one of our domain controllers. This server was not the primary domain controller.

After the restore I am unable to communicate with the server. If I log in from a domain computer I get an error saying "An authentication error has occurred. The specified network password is not correct. Remote computer: COMPANY-DC2".

If I log in using the ip address instead of server name from a computer outside the domain I am able to log in. Once I am logged in I am able to reach network shares on the primary domain controller.

From the primary domain controller I am unable to reach the restored domain controller using the fqdn. When using the IP address I can access the network shares.

If I log in to the primary domain controller and open "Active Directory Users and Computers", right-click on the very top item (Active Directory Users and Computers [COMPANY-DC1]) and select "Change domain controller", I am presented with a list of my domain controllers. All the servers are listed as "Online", but if I try to select "COMPANY-DC2" I get an error saying "The following domain controller could not be contacted. A local error has occurred".

I think the trust relationship between the restored domain controller and the primary domain controller has broken. 

Any tips on how to resolve this is greatly appreciated :)

The servers are running Windows Server 2012 R2.

What is user group

Kerberos Constrained Delegation


Need some help setting up constrained delegation on web servers.

Here is our scenario:

1. One web server in the DMZ which will be a front-end server; this has some kind of redirect to a back-end web server

2. Back-end web server, which has the actual web pages

Need to set this up in such a way that there is only a one-time authentication by the user and the front-end web server does some kind of proxying of credentials to the back-end server.

Kindly assist.
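
As an added example (not from the post above or from Microsoft), the following PowerShell configures the two-hop scenario described: the user authenticates once to the front end, and the front end obtains Kerberos service tickets to the back end on the user's behalf. Host names and SPNs are assumptions; both servers must be domain members, and if an IIS app pool runs as a domain service account rather than the machine identity, the same settings go on that account (`Set-ADUser`/`Set-ADAccountControl`) instead of the computer object.

```powershell
# Added example, not from the original post: Kerberos constrained delegation
# from a DMZ front-end web server to a back-end web server.
Import-Module ActiveDirectory

$FrontEnd    = 'WEBFE01'                                            # front-end computer account (assumed)
$BackEnd     = 'WEBBE01'                                            # back-end computer account (assumed)
$BackEndSpns = @('HTTP/webbe01.corp.example.com', 'HTTP/webbe01')  # back-end service SPNs (assumed)

# 1. The back-end HTTP SPNs must be registered on the account that runs the
#    back-end app pool (here: the machine account). Add only what is missing.
$be      = Get-ADComputer $BackEnd -Properties servicePrincipalName
$missing = $BackEndSpns | Where-Object { $be.servicePrincipalName -notcontains $_ }
if ($missing) { Set-ADComputer $BackEnd -ServicePrincipalNames @{ Add = $missing } }

# 2. Constrained delegation: the front end may request tickets ONLY for the
#    listed back-end SPNs (msDS-AllowedToDelegateTo). -Replace overwrites any
#    existing list; use -Add to append. Keep unconstrained delegation
#    (TrustedForDelegation) off: a compromised DMZ host with that flag could
#    impersonate every connecting user to any service in the forest.
Set-ADComputer $FrontEnd -Replace @{ 'msDS-AllowedToDelegateTo' = $BackEndSpns }
Set-ADAccountControl -Identity (Get-ADComputer $FrontEnd) -TrustedForDelegation $false

# 3. Protocol transition ("use any authentication protocol"). Needed only when
#    browsers cannot do Kerberos to the front end (forms, basic or certificate
#    auth from the Internet): it lets the front end obtain a ticket for the
#    user via S4U2Self. It also lets whoever controls the front end impersonate
#    ANY user to the back-end SPNs, so harden and monitor that host accordingly,
#    and leave this $false if users already reach the front end with Kerberos.
Set-ADAccountControl -Identity (Get-ADComputer $FrontEnd) -TrustedToAuthForDelegation $true

# 4. Verify the resulting delegation settings
Get-ADComputer $FrontEnd -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

On the IIS side the back end must offer Windows authentication (Negotiate) and the front-end application has to make its back-end calls under the impersonated user context; delegation in AD only permits the ticket request. On Windows Server 2012 or later the same trust can instead be expressed on the back end with resource-based constrained delegation (`Set-ADComputer WEBBE01 -PrincipalsAllowedToDelegateToAccount (Get-ADComputer WEBFE01)`), which puts the decision with the owner of the resource rather than the owner of the front end.
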



adamsync: Operations error


Good afternoon!

I'm pretty new to LDAP and directory services, so this might be a dumb question. I'm trying to replicate our AD to another server so an application can connect to it. I've set up an instance of ADAM called AD-Replication-2. I ran the tool to handle differences in the schemas. I think that was successful. I'm at the point now where I'm trying to install my XML config file and I'm getting this error:

Ldap error occured. ldap_get_next_page_s: Operations ErrorExtended Info: 000020D6: SvcErr: DSID-0310007DB, problem 5012 (DIR_ERROR), data 0

Here are the relevant lines from my XML file:

<source-ad-name>co.frederick.va.us</source-ad-name>
<source-ad-partition>dc=co,dc=frederick,dc=va,dc=us</source-ad-partition>
<source-ad-account>administrator</source-ad-account>
<account-domain></account-domain>
<target-dn>CN=AD-Replication-2</target-dn>
<query>
    <base-dn>dc=co,dc=frederick,dc=va,dc=us</base-dn>

I really don't have any idea where to go from here with this error, so *any* help is appreciated.  Thanks in advance!

Jeremy

DSQuery Question


I am trying to get a list of all users of a group by first name and last name (and all subgroups if possible)

When I type in the following I get the inline error about formatting.

C:\Windows>dsquery group -name [MyGroupNameHere] | dsget group -members -expand | dsget user -fn -ln
dsget failed:Value for 'Target object for this command' has incorrect format.
type dsget /? for help.
C:\Windows>

I have figured out that I am getting the error because the dsget user command is seeing the nested groups and trying to treat them as users and having problems in doing so.  Is there a way to filter out the groups and only look for users?  The command is nearly worthless if you can only run it on groups that have no nested groups within.

Lastly I would like to be able to 'in one command' pull the first name and last name of all users in the group including any nested groups.  Is this possible if I filter the groups out so I can run the command to get the first name and last name of the users listed?

You can see below where this command works on a group without nested users:


C:\Windows>dsquery group -name [MyGroupName] | dsget group -members -expand | dsget user -fn -ln
  fn       ln
  Betty    Xxxxxxxx
  Lori     Xxxxxxx
dsget succeeded

C:\Windows>

Thanks for any help.
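
As an added example (not from the post above), here is a PowerShell function that returns the first and last name of every user in a group, following nested groups to any depth, in a single LDAP query. The group name is an assumption. The trick is to make the DC walk the nesting server-side with the LDAP_MATCHING_RULE_IN_CHAIN operator and to ask only for user objects, so the group objects that made `dsget user` fail never appear in the result.

```powershell
# Added example, not from the original post: users of a group including nested
# groups, by first and last name, from one LDAP query.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping for characters that are special inside a filter value;
    # group DNs can contain parentheses or backslash-escaped commas.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-GroupUserNames {
    param([Parameter(Mandatory)][string]$GroupName)

    $groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $dn      = ConvertTo-LdapFilterValue $groupDn

    # memberOf:1.2.840.113556.1.4.1941:= is LDAP_MATCHING_RULE_IN_CHAIN: the DC
    # expands nested membership itself. objectCategory=person together with
    # objectClass=user matches only user accounts, so groups, computers and
    # contacts are excluded on the server.
    $filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$dn))"

    Get-ADUser -LDAPFilter $filter -Properties givenName, sn |
        Select-Object @{ n = 'fn'; e = { $_.givenName } },
                      @{ n = 'ln'; e = { $_.sn } },
                      SamAccountName |
        Sort-Object ln, fn
}

Get-GroupUserNames -GroupName 'MyGroupName' | Format-Table -AutoSize
```

The same filter works with the classic tools as the single command the post asks for: `dsquery * -filter "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=<group DN>))" -attr givenName sn -limit 0`. `Get-ADGroupMember -Recursive` also flattens nesting, but it stops at the web service's 5000-member limit and fails on members from trusted forests, which the LDAP query does not.
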

Migrate sysvol replication from frs to dfs


Hi, an hour ago I started the migration of SYSVOL replication from FRS to DFSR. I have five domain controllers and the forest/domain functional level is Windows Server 2008 R2. I did an "upgrade" of the domain from Windows Server 2003 to Windows Server 2008 R2 three years ago, so SYSVOL replication is still via FRS.

I have done the following:

dfsrmig /setglobalstate 1

dfsrmig /getglobalstate

dfsrmig /getmigrationstate

After more than one hour only three of five domain controllers are in the Prepared state.

SLT62800SVAD ('Start') - Writable DC
DRDC ('Start') - Writable DC

Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.

I have checked both of them and the SYSVOL_DFSR folder is not created. Also, in the DFS Management tool I saw they were not displayed as members of the Domain System Volume replication group.

How to solve this? Is there any way to force the "domain controllers" into the Prepared state so I can continue the migration process? The link between my primary site and the site where these two DCs are located is fast, so I do not think this has something to do with network problems. Plus, today is a day off, so the link is practically idle, so to speak.



DNS 4015 error - DCs replication in different sites with IPv4 VPN


Hello


I have 2 DCs in different sites on the Internet. They are connected by VPN routers (which are IPv4 only). The IPv4 connectivity is working; however, I believe that because of the lack of IPv6 connectivity, errors are shown in DNS (event ID 4015).
The PDC and other functions of the domain are on the DC with Windows 2008 R2 (Site A) and the additional DC is Windows Server 2012 (Site B). The errors happen only on the 2012 DC (several errors during the day). Tests with repadmin are OK.


However, everything is working OK. Should the DCs also communicate through the IPv6 protocol? How to do this if the VPN routers are IPv4 only?

Thanks!


Ricardo

I upload files in https://onedrive.live.com/redir?resid=2B77424111F5749E!211&authkey=!ALq4iPJoReWcoZk&ithint=folder%2clog

Setting up BitLocker missing delegate control setting

Hi,

I am setting up BitLocker in our AD. I checked the schema using ADSI edit and it looks as if the schema is already extended.

I find:
CN=ms-FVE-KeyPackage
CN=ms-FVE-RecoveryGuid
CN=ms-FVE-RecoveryInformation
CN=ms-FVE-RecoveryPassword
CN=ms-FVE-VolumeGuid
CN=ms-TPM-OwnerInformation


So, now I want to delegate permissions in AD on the workstations OU for the SELF account.

In the delegation wizard I can only find Write msTPM-OwnerInformation.

On the TechNet page jj592683 ("Prepare your organization for BitLocker: ..." "Applies To: Windows 8, Windows 8.1"), it refers to both Write msTPM-OwnerInformation and Write msTPM-TpmInformationForComputer.

However, in the delegation wizard I cannot find Write msTPM-TpmInformationForComputer.


What is missing?

This posting is provided "AS IS" with no warranties or guarantees and confers no rights
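
As an added example (not from the post above or from Microsoft's Add-TPMSelfWriteACE script), the following PowerShell first checks which of the BitLocker/TPM schema objects actually exist in the forest, then grants SELF the write rights on computer objects under a workstations OU without going through the delegation wizard. The OU DN is an assumption; the account running it must be able to modify the OU's security descriptor.

```powershell
# Added example, not from the original post: verify the BitLocker/TPM schema
# objects and grant SELF the rights a client needs to store its own TPM and
# recovery information.
Import-Module ActiveDirectory

$OU       = 'OU=Workstations,DC=corp,DC=example,DC=com'   # assumed
$schemaNc = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if ($o) { [guid]$o.schemaIDGUID } else { $null }
}

# The delegation wizard only lists attributes that exist in the schema, so a
# "NOT IN SCHEMA" result here explains a missing wizard entry: the forest schema
# predates the attribute (msTPM-TpmInformationForComputer was introduced with
# the Windows Server 2012 schema; the msFVE-* objects with Windows Server 2008).
$guid = @{}
foreach ($name in 'computer', 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer', 'msFVE-RecoveryInformation') {
    $guid[$name] = Get-SchemaGuid $name
    '{0,-35} {1}' -f $name, $(if ($guid[$name]) { $guid[$name] } else { 'NOT IN SCHEMA' })
}

$self    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'   # NT AUTHORITY\SELF
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl     = Get-Acl -Path "AD:\$OU"

# Write-property on the TPM attributes, inherited by computer objects only.
# SELF means each computer can write its own attributes and nobody else's.
foreach ($attr in 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer') {
    if (-not $guid[$attr]) { continue }
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $self, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
        $guid[$attr], $inherit, $guid['computer'])))
}

# Create msFVE-RecoveryInformation children under the computer's own object,
# where the client stores its recovery password and key package. If the schema
# default descriptor already grants this, the extra ACE is merely redundant.
if ($guid['msFVE-RecoveryInformation']) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $self, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $allow,
        $guid['msFVE-RecoveryInformation'], $inherit, $guid['computer'])))
}

Set-Acl -Path "AD:\$OU" -AclObject $acl
```

These ACEs only let a machine write its own recovery data; who may read `msFVE-RecoveryPassword` on other computers is a separate, far more sensitive delegation and should stay with a small recovery-operators group rather than with anyone who can read the OU.
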


