Channel: Directory Services forum

PDC could not replicate with BDC and parrent domain controller


Hi,

We have a Parent Domain Controller which is scheduled to replicate with my Child Domain Controller hourly. The replication suddenly got some issue, and when I try to replicate them manually I get this error message.

"The following error occurred during the attempt to synchronize naming context "child.domain.com" (which is not the current child domain) from Domain Controller "Parent PDC" to Domain Controller "Child PDC":

Replication access was denied.

This operation will not continue."

Later I realised my child PDC also has an issue replicating with my child BDC; the error message is below.

"The following error occurred during the attempt to synchronize naming context "parent.domain.com" from Domain Controller "child BDC" to Domain Controller "child PDC":

The target principal name is incorrect.

This operation will not continue."

So I tried to replicate from my child BDC to my child PDC and I get this error:

"The following error occurred during the attempt to synchronize naming context "parent.domain.com" from Domain Controller "child PDC" to Domain Controller "child BDC":

Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial attributes from source. This condition is normal if a recent schema change modified the partial attribute set. The destination partial attribute set is not a subset of source partial attribute set.

The operation will not continue."

Sorry for my poor explanation; could anyone help me with this?
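A triage script of the kind a practitioner would run before touching any of these DCs, added here as an example; it is not from the original post. It assumes a DC or an admin workstation with RSAT (the ActiveDirectory module, repadmin.exe, nltest.exe, w32tm.exe); the status-code table holds the documented codes behind the three quoted messages, and child.domain.com is the post's placeholder name.

```powershell
# Added example, not from the post: summarise replication state for every DC in the
# forest and decode the three errors quoted above. Assumes RSAT (repadmin.exe,
# nltest.exe, w32tm.exe) and the ActiveDirectory module; $childDomain is a placeholder.
Import-Module ActiveDirectory

# Well-known status codes behind the quoted messages
$knownStatus = @{
    '8453'        = 'Replication access was denied (ERROR_DS_DRA_ACCESS_DENIED)'
    '-2146893022' = 'The target principal name is incorrect (SEC_E_WRONG_PRINCIPAL, 0x80090322)'
    '8464'        = 'Destination DC is waiting to synchronize new partial attributes from source'
}

function Get-ReplicationFailureSummary {
    # One CSV row per (destination DC, naming context, source DC) across the forest
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        if ([int]$row.'Number of Failures' -eq 0) { continue }
        $code = $row.'Last Failure Status'
        New-Object PSObject -Property @{
            Destination = $row.'Destination DSA'
            Source      = $row.'Source DSA'
            NamingCtx   = $row.'Naming Context'
            Failures    = [int]$row.'Number of Failures'
            LastSuccess = $row.'Last Success Time'
            Status      = $(if ($knownStatus[$code]) { "$code - $($knownStatus[$code])" } else { $code })
        }
    }
}

Get-ReplicationFailureSummary |
    Sort-Object Destination, NamingCtx |
    Format-Table Destination, Source, NamingCtx, Failures, LastSuccess, Status -AutoSize

# Access-denied and wrong-principal errors between DCs usually mean one partner's
# machine-account password or secure channel is out of step. Run on each DC,
# against its own domain:
$childDomain = 'child.domain.com'
nltest "/sc_verify:$childDomain"

# Kerberos tolerates 5 minutes of clock skew by default; check the partners agree on time
w32tm /monitor "/domain:$childDomain"
```

The CSV output gives one line per partner and naming context, so a single bad partner shows up once per partition it fails on; sorting by destination makes it obvious whether one DC is failing against everyone (its own secure channel or clock) or everyone is failing against one DC (that DC's account or service).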


Directory Share Permissions Question


Hello, Using MS server 2008 R2

On the server we have a "D:" drive with several NTFS shared directories that were setup by another team.

When I look at the share permissions, I see some that are Read/Write, and I see one called 'Contribute'.

What is the 'Contribute' permission?

Why would this be used instead of just Read/Write?

Thanks


MisterT99
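Share-level labels in the Windows sharing wizards are presets that combine a share ACL with an NTFS ACL, and the only reliable way to know what a label such as "Contribute" grants is to read both layers. The script below is an added example, not from the post or from any of its replies; it uses WMI because Get-SmbShareAccess only exists on Server 2012 and later, and it assumes it runs on the 2008 R2 file server itself with administrative rights. The function and drive root are my own names.

```powershell
# Added example, not from the post: list share-level and NTFS-level ACEs for every
# share under D:\ on a Windows Server 2008 R2 file server, so a wizard label such as
# "Contribute" can be read off as the rights it actually maps to.
# Uses WMI because Get-SmbShareAccess only exists on 2012 and later.
# Assumes it runs on the file server with administrative rights.

function Get-ShareAndNtfsAccess {
    param([string]$DriveRoot = 'D:\')

    # Access masks Windows writes for the three share-level permission levels
    $shareMask = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full Control' }

    # Type 0 = disk share; skip admin shares such as D$ unless they live under the root
    $shares = Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 0 -and $_.Path -like "$DriveRoot*" }

    foreach ($share in $shares) {
        # Share-level DACL
        $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        $dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
        foreach ($ace in $dacl) {
            $rights = $shareMask[[int]$ace.AccessMask]
            if (-not $rights) { $rights = '0x{0:X}' -f $ace.AccessMask }   # custom mask
            New-Object PSObject -Property @{
                Share   = $share.Name
                Layer   = 'Share'
                Trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                Type    = $(if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' })
                Rights  = $rights
            }
        }
        # NTFS DACL on the shared folder
        foreach ($rule in (Get-Acl -Path $share.Path).Access) {
            New-Object PSObject -Property @{
                Share   = $share.Name
                Layer   = 'NTFS'
                Trustee = $rule.IdentityReference.Value
                Type    = $rule.AccessControlType.ToString()
                Rights  = $rule.FileSystemRights.ToString()
            }
        }
    }
}

Get-ShareAndNtfsAccess -DriveRoot 'D:\' |
    Sort-Object Share, Layer, Trustee |
    Format-Table Share, Layer, Trustee, Type, Rights -AutoSize
```

Effective access over the network is the more restrictive of the two layers for a given trustee, so a share that says Change at the share level can still be read-only for a group that only has ReadAndExecute on NTFS, and vice versa.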

Domain Controller behind firewall


Hi

We are planning to move the existing Domain Controllers behind the firewall for better security.

What are the advantages and disadvantages of moving domain controllers behind a firewall?

Port requirements in the firewall for workstations to access Domain Controllers for authentication and authorization.

Port requirements in the firewall for establishing Domain Controller to Domain Controller communication.

Thanks in advance,

Balu

Remote GPUPDATE from Windows 2012 R2


Team,

Has anyone tested the below command for remote gpupdate from Windows 2012 R2? It is not working in my case.

Invoke-GPUpdate -Computer JBL-FPS003 -force

...

Also, remote GPUPDATE from the GPMC UI is not working.
Has anyone tested it? Everything reports success but the policy is not updating. When I run RSOP.MSC the updated setting is missing, but after running gpupdate /force locally it works.


Regards,

Biswajit

MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011

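Invoke-GPUpdate does not run gpupdate over the network; it creates a scheduled task on the target that runs gpupdate locally, so the target must accept remote scheduled-task management and WMI through its firewall, and the task honours a random delay (10 minutes by default) before it fires. The block below is an added example of the full sequence, not code from the original post; it assumes the GroupPolicy RSAT module on the 2012 R2 admin box, a Windows 8 / 2012 or later target that accepts PowerShell remoting, and reuses the post's computer name JBL-FPS003 as a placeholder.

```powershell
# Added example, not from the post: remote Group Policy refresh from 2012 R2 done end to
# end. Assumes the GroupPolicy module, PowerShell remoting to the target, and a target
# running Windows 8 / Server 2012 or later (for the NetSecurity and ScheduledTasks modules).
$target = 'JBL-FPS003'   # computer name from the post, used here as a placeholder

# 1. Open the inbound rule groups the remote refresh depends on, on the target itself.
Invoke-Command -ComputerName $target -ScriptBlock {
    Enable-NetFirewallRule -DisplayGroup 'Remote Scheduled Tasks Management'
    Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
}
# Windows 7 targets have no NetSecurity module; the netsh equivalents are:
#   netsh advfirewall firewall set rule group="Remote Scheduled Tasks Management" new enable=yes
#   netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

# 2. Trigger the refresh. -RandomDelayInMinutes 0 removes the default wait of up to
#    10 minutes, which otherwise looks like "nothing happened" when RSOP is checked at once.
Invoke-GPUpdate -Computer $target -Force -RandomDelayInMinutes 0

# 3. Confirm a task was created and actually ran. Invoke-GPUpdate places its task under
#    \Microsoft\Windows\GroupPolicy\ on the target.
Invoke-Command -ComputerName $target -ScriptBlock {
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\GroupPolicy\' |
        Get-ScheduledTaskInfo |
        Select-Object TaskName, LastRunTime, LastTaskResult
}
```

Two caveats worth checking when the task ran but RSOP still shows the old setting: the user half of the refresh runs in the context of a logged-on user, so a target with nobody logged on updates only computer policy; and a user policy that only takes effect at logon (folder redirection, software installation, some logon scripts) still needs a sign-out even after a successful refresh.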




ADFS3.0 and Web Application Proxy publication


Hi,

I am trying to use Web Application Proxy to publish a site with /adfs/ls/ in its URL, but it fails miserably with a 404 error.

The first step was to set up 3 ADFS 3.0 servers (let's call them A, B and C); B and C are added as "claims providers" on A, and one application is added as a "relying party" on A. When accessing the application, it goes to A, which asks which site I want to authenticate to and then redirects to either B or C according to the email address I entered. So everything it

Next step, I'd like to put everything behind a reverse proxy. So I installed another Win2012R2 server (let's call it P) and installed the WAP role. On first start, I configured it with the wizard to proxy A. Then I'd like to publish B, so I add a publication rule with https://B/ as both internal and external URL. From P I can reach https://B/adfs/ls/idpinitiatedsignon; from any other computer I can't reach https://B/adfs/ls/idpinitiatedsignon, it returns a default 404 error. The request goes to the proxy but is not redirected to B as I expected.

I then added a publish rule for https://github.com (and updated the hosts file of my test computer). Reaching https://github.com/adfs/ls/idpinitiatedsignon from P, I get the GitHub 404 page, and from any other computer I get the same default 404 error page (like the B test). Again, the request goes to the proxy but never makes it to GitHub. Moreover, if I try to reach https://github.com/adfs/xxlsxx/idpinitiatedsignon I get the GitHub 404 page.

To me it looks like WAP is looking for "/adfs/ls/" in any request and tries to answer it without taking into account the publish rules. Am I right? Is there anything I can do to change that behaviour?

I tried to change the URL ACL rules (with the netsh http command) but without luck so far.

Thank you in advance



2012R2 Web application proxy ADFS error - event 383 - corrupted config file


I have a 2012 R2 server running Web Application Proxy. Recently, it looks like the ADFS and AppProxySvc services started failing. In the AD FS Admin log, I've got a bunch of this event:

-----------------------------------

Log Name:      AD FS/Admin
Source:        AD FS
Date:          10/23/2014 3:57:58 PM
Event ID:      383
Task Category: None
Level:         Error
Keywords:      AD FS
User:          SYSTEM
Computer:      SERVER.DOMAIN.COM
Description:
The Web request failed because the web.config file is malformed. 

User Action: 
Fix the malformed data in the web.config file. 

Exception details: 
Root element is missing. (C:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config)
Root element is missing.

------------------------------------

Looking at the referenced config file, it appears to be blank. I assume the file was corrupted at some point. What's the best way to re-create this file and its contents?

Windows Server 2008R2 DC


My applications run on Windows Server 2008 R2. We have two 2008 R2 domain controllers in Country A on the same network.

My application needs to be installed with specific domain users and can only run with those users. I cannot disjoin the domain, else I have to reinstall my applications.

Some of the servers which are part of the domain at Country A are being sent to Country B, but without domain controllers. The majority of servers will keep running in Country A with these two DCs.

If I set up a new DC in Country B with the same domain name and create groups and users (keeping the same names and passwords), my applications are not going to work because the SIDs will all be different.

So I am being told that I will be given an image of the DC from Country A, which I then restore on a new hardware machine, and I have been told that this will work.

The computers from Country B will need to go to Country C after my application configuration is done on the servers, along with my DC.

The computers and DC from Country A will also come to Country C after 6 to 9 months, along with their two DCs, and my servers will need to join the original DC of Country A.

Question 1:

Is the above concept going to work in Country B and then in Country C again? What are the loopholes?

Question 2:

I was thinking that the better option would be as per below.

As there are two DCs in Country A, they should first identify which is the master DC and then shut down that DC. They should send this DC to me in Country B along with the application servers. Once the main DC is shut down, the second DC will become master for Country A.

As I get the original DC and servers together, all will be OK for me at Country B for my application configuration to continue.

The Country B system will then go to the site in Country C first and will be up and running. The DC from Country A with the remaining servers will then come to the site in Country C and will then become the secondary DC.

Request for your advice. If option 2 is better, can you please technically support it with arguments?

Is there any better and assured option to avoid reinstallation of applications?

PS: The network between Country A and B is not going to be connected for any replication. There will be independent application configuration work going on in parallel.


Group Policy Infrastructure Failed : The target name is incorrect


Hi,

I am currently facing issues regarding Group Policy: users are unable to change their password.

When I run gpupdate /force on servers, the user policy and computer policy are successful, but when I run the same on any client I receive the error below:

C:\Windows\system32>gpupdate /force

Updating Policy...

User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\mydomain.com\SysVol\mydomain.com\Policies\{5C07D38D-C488-4E32-9871-AA99DAB86898}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results."

Below is the result of GPRESULT /H GPReport.html.

Component Status

Component Name                 Status    Last Process Time
Group Policy Infrastructure    Failed    9/8/2014 1:56:58 PM
Group Policy Infrastructure failed due to the error listed below.

Logon Failure: The target account name is incorrect. 

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 9/8/2014 1:56:48 PM and 9/8/2014 1:56:58 PM.

Any idea on how to solve this problem? Thanks.



subnet prioritizing different subnet DC / client


Hi all,

We have two sites (production and DR); in the production environment the domain controllers are in the 132.147.161.0/16 range. The DR site has a different subnet. The client segment is 192.168.11.0/22.

From a client system we have tried to ping the domain or look up a DC, and the results come back in round-robin fashion.

We recently became aware of subnet prioritizing, but on some web forums we found that subnet prioritizing only works within the same subnet. Please confirm whether that is true.

Please suggest how subnet prioritizing can be made possible in our scenario.


Thanks, Mariappan Shanmugavel
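Two different mechanisms get conflated under "subnet prioritizing". DNS netmask ordering only reorders the addresses in a multi-address A-record answer by closeness to the client. Which DC a domain member picks is decided by the DC locator, which uses the client's AD site (derived from the subnet objects in Sites and Services) to ask for the site-specific SRV record before the generic one. The block below is an added example of checking all three pieces, not from the post; it assumes 2012 R2 RSAT (Resolve-DnsName and the ActiveDirectory module), and corp.example and Production are placeholder names.

```powershell
# Added example, not from the post: check the three things that decide which DC a client
# gets: the subnet-to-site mapping for the client range, the site-specific vs generic
# SRV records, and what the DC locator returns from the client.
# Assumes 2012 R2 RSAT; 'corp.example' and 'Production' are placeholders.
Import-Module ActiveDirectory
$domain = 'corp.example'
$site   = 'Production'

# 1. Is the client range mapped to a site? A client whose address matches no subnet
#    object has no site and queries the generic record, which DNS hands out round-robin.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
# If 192.168.11.0/22 is not listed, map it to the site whose DCs should serve it:
# New-ADReplicationSubnet -Name '192.168.11.0/22' -Site $site

# 2. Site-specific record (what a site-mapped client asks for first) vs the generic record
Resolve-DnsName -Type SRV -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" |
    Select-Object Name, NameTarget, Port, Priority, Weight
Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" |
    Select-Object Name, NameTarget, Port, Priority, Weight

# 3. From the client: which site it believes it is in, and which DC the locator picks
#    (/force bypasses the cached DC so you see the current decision)
nltest /dsgetsite
nltest "/dsgetdc:$domain" /force
```

If step 1 shows the DR DCs in their own site and the client range mapped to the production site, the locator will return production DCs first and only fall back to DR when none answers; no DNS-side ordering is needed for that. Pinging the bare domain name resolves the domain's A records (every DC registers one) and will always round-robin; it is not what member machines use to find a DC.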

DC RODC Replication


I have several RODCs on my side of a VPN tunnel. I have 4 RWDCs on my side of the IPsec tunnel and 2 RWDCs on the other side of the IPsec VPN tunnel. The DCs on the other side of the tunnel are used for authenticating users to a SQL web app.

I am wondering:

1. Should I put my RODCs in the tunnel for replication from the RWDCs?

2. If not, then how do I remove the 2 RWDCs from trying to replicate to my RODCs?


Jason
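An RODC only ever replicates inbound, and the KCC chooses its source from the nearest writable DC by site and site-link cost, so "which RWDCs replicate to my RODCs" is answered by the connection objects the KCC has generated, not by anything configured on the RWDCs. The block below is an added example that lists those sources per RODC; it is not from the post. It assumes the 2012 or later ActiveDirectory module (Get-ADReplicationConnection does not exist in the 2008 R2 module).

```powershell
# Added example, not from the post: for each RODC, list the inbound connection objects the
# KCC has built and the site of each source, so you can see whether the two RWDCs across
# the tunnel are actually being chosen as sources. Assumes the 2012+ ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RodcInboundSources {
    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
    $connections = Get-ADReplicationConnection -Filter *
    foreach ($rodc in $rodcs) {
        # ReplicateToDirectoryServer is the DN of the destination's NTDS Settings object
        $inbound = $connections | Where-Object {
            $_.ReplicateToDirectoryServer -like "CN=NTDS Settings,CN=$($rodc.Name),*"
        }
        foreach ($c in $inbound) {
            # Source DN shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
            $parts = $c.ReplicateFromDirectoryServer -split ','
            New-Object PSObject -Property @{
                RODC       = $rodc.Name
                RodcSite   = $rodc.Site
                Source     = $parts[1] -replace '^CN='
                SourceSite = $parts[3] -replace '^CN='
                AutoGen    = $c.AutoGenerated
                Connection = $c.Name
            }
        }
    }
}

Get-RodcInboundSources | Format-Table RODC, RodcSite, Source, SourceSite, AutoGen -AutoSize

# Any RODC whose source sits on the far side of the tunnel got there through the site
# topology: either both sit in the same site, or the site-link costs make that site closest.
# Check which site every DC is in, and the site links between them:
Get-ADDomainController -Filter * | Select-Object Name, Site, IsReadOnly, IsGlobalCatalog |
    Sort-Object Site, Name
```

If the far-side RWDCs appear as sources, the fix is topological rather than per-server: put them in their own site with a subnet, and make the link between that site and the RODC sites more expensive than the link to the four local RWDCs, then let the KCC regenerate (repadmin /kcc on the RODC). Manually created connection objects (AutoGen = False) are never touched by the KCC and have to be removed by hand if they point across the tunnel.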

How to use AD Web Services


Hello,

We would like to start using ADWS. Is there any WSDL page where information regarding ADWS can be found?

Thank you

Site Links - Active Directory Sites and Services


We currently have 4 physical sites within our organisation: Heathrow, Norwich, Wales and Ipswitch. At the moment the site links which are configured are in a mess. There are five site links. One is a duplicate: Heathrow - Ipswitch seems to be listed twice with a cost of 100 and an interval of 15 min (with only these two sites in it); the site link is just called a different name. The third site link contains Heathrow, Norwich and Wales. The fourth has just Wales by itself. The fifth has Heathrow and Norwich.

Sites Norwich, Wales and Heathrow are all on MPLS; Ipswitch is connected via a VPN tunnel to Heathrow.

I want to simplify the site links. Would a good design be to have Norwich, Wales and Heathrow all in one site link and then a separate site link for Ipswitch and Heathrow, or could someone advise best practice on this? "Bridge all site links" is ticked and all site links are currently IP site links.
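The two-link layout described in the question (one link for the three MPLS sites, one for the Heathrow to Ipswitch VPN) can be built and the leftovers retired in a few cmdlets. The block below is an added example, not from the post or any reply; it assumes the 2012 or later ActiveDirectory module, and the link names and costs are placeholders chosen so the VPN hop is more expensive than the MPLS mesh.

```powershell
# Added example, not from the post: rebuild the topology as two IP site links and let the
# KCC recompute. Assumes the 2012+ ActiveDirectory module; names and costs are placeholders.
Import-Module ActiveDirectory

# Current state, for the record, with the site DNs reduced to site names
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }

# Proposed links: the MPLS mesh cheap, the VPN hop dearer so Ipswitch never becomes a transit
New-ADReplicationSiteLink -Name 'MPLS-Core' -SitesIncluded 'Heathrow','Norwich','Wales' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'Heathrow-Ipswitch-VPN' -SitesIncluded 'Heathrow','Ipswitch' `
    -Cost 200 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Sanity check before deleting anything: every site must be in at least one of the new links
$keep = 'MPLS-Core', 'Heathrow-Ipswitch-VPN'
$covered = Get-ADReplicationSiteLink -Filter * | Where-Object { $keep -contains $_.Name } |
    ForEach-Object { $_.SitesIncluded } | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' } | Sort-Object -Unique
$allSites = Get-ADReplicationSite -Filter * | Select-Object -ExpandProperty Name | Sort-Object
$missing = Compare-Object $allSites $covered | Where-Object { $_.SideIndicator -eq '<=' }
if ($missing) { throw "Sites not covered by the new links: $($missing.InputObject -join ', ')" }

# Retire the old links (including the duplicate) and force each DC's KCC to rebuild
Get-ADReplicationSiteLink -Filter * | Where-Object { $keep -notcontains $_.Name } |
    Remove-ADReplicationSiteLink -Confirm:$false
Get-ADDomainController -Filter * | ForEach-Object { repadmin /kcc $_.HostName }
```

With "Bridge all site links" left ticked, the two links are transitive through Heathrow, so Ipswitch can still reach Norwich and Wales (cost 300 via Heathrow) without a link of its own to them; the single-site "Wales" link in the current setup does nothing and is safe to drop. Check with repadmin /showrepl afterwards that every DC in every site still has an inbound inter-site partner.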


What to note when removing a Domain Controller from an existing domain


Dear everybody,

My company has 3 Domain Controllers at the moment.

All of them have some functions: DHCP, DNS.

Now we have a plan to remove one DC.

So, what do we need to pay attention to when removing one of them?

Thanks for your help!!!
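Before demoting a DC that also runs DNS and DHCP, the things that silently break are the ones nobody inventoried: an operations-master role it still holds, NS records that still name it, clients that still list it as a DNS server, and DHCP scopes that exist only on it. The block below is an added pre-demotion inventory, not from the post; it assumes the 2012 R2 RSAT modules (ActiveDirectory, DnsServer, DhcpServer) and a placeholder DC name.

```powershell
# Added example, not from the post: inventory one DC before demoting it, so FSMO roles,
# GC status, DNS zones and NS records, and DHCP scopes are not lost with it.
# Assumes 2012 R2 RSAT modules; $dc is a placeholder.
Import-Module ActiveDirectory, DnsServer, DhcpServer
$dc = 'DC2.corp.example'

$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$held = $roles.GetEnumerator() | Where-Object { $_.Value -like "$dc*" } | ForEach-Object { $_.Key }
"FSMO roles held by ${dc}: $(if ($held) { $held -join ', ' } else { 'none' })"
# Move any it holds first, e.g.:
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC1' -OperationMasterRole PDCEmulator

"Global catalog: " + (Get-ADDomainController -Identity $dc).IsGlobalCatalog
# Keep at least one GC per site; Exchange and some applications bind to GCs by name.

# DNS: zones this server hosts, and NS records in the domain zone that still name it
Get-DnsServerZone -ComputerName $dc | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope
Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $domain.DNSRoot -RRType NS |
    Where-Object { $_.RecordData.NameServer -like "$dc*" }

# DHCP: is it an authorized server, and which scopes live on it (migrate or re-create them)
Get-DhcpServerInDC | Where-Object { $_.DnsName -like "$dc*" }
Get-DhcpServerv4Scope -ComputerName $dc | Select-Object ScopeId, Name, State

# Replication must be clean before Uninstall-ADDSDomainController / dcpromo
repadmin /showrepl $dc
```

The one thing this cannot see from the DC side is which clients and servers have the DC's address in their DNS client settings (DHCP options, static NICs, VPN concentrators, appliances); those keep failing name resolution after the demotion, so grep the DHCP option 6 values and any static configurations before switching the server off.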

Private cloud


We are designing a private cloud for a customer (this is not an O365 cloud). It will be a hosted private cloud and will have multiple tenants because of some business requirements.

1. What options are available to extend the existing AD into the private cloud? One option that we can see is to deploy an additional DC in the cloud. Or can we use DirSync for this? Is DirSync + ADFS supported for this kind of scenario?

2. How do we create federation between these multiple tenants?

Please share a link which specifically answers these scenarios.

Nicknaming / aliasing a domain name to avoid renaming


Hi,

Is it possible to set up a nickname, alias or something so that if an end user is prompted for credentials in a system including the domain, they can enter newname\username and this actually gets translated to the real domain name, oldname\username?

UPN suffixes won't cut it; the default format is of course olddomain\username in most systems, and I want to be able to enter "newname" as the domain when, for example, configuring an iPhone for Exchange email.

Thanks.


DomainDnsZones & ForestDnsZones missing


Hello, please excuse the lack of knowledge; I have been thrown into the deep end on this one.

I am setting up a very simple environment with 1 server as DC with AD DS & DNS, 1 file & print server and 1 app server, all running Windows 2012 R2 built from scratch.

Going through the steps to install AD DS & DNS, I noticed that no DomainDnsZones or ForestDnsZones were created when adding the AD DS role.

I am trying to figure out what would cause that, as I suspect I will need them when adding my other servers to the AD domain.

Any pointer would be appreciated.

K
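DomainDnsZones and ForestDnsZones are application directory partitions; the DNS server role creates them the first time it is installed on a DC, and AD-integrated zones replicate in one of them (or, for zones created before the partitions existed, in the domain partition itself). The block below is an added example of checking both sides, not from the post; it assumes the ActiveDirectory and DnsServer modules on the 2012 R2 DC and uses only documented commands to create the partitions if they are missing.

```powershell
# Added example, not from the post: confirm the DomainDnsZones / ForestDnsZones partitions
# exist and see which partition each zone replicates in. Assumes the ActiveDirectory and
# DnsServer modules on a 2012 R2 DC.
Import-Module ActiveDirectory
Import-Module DnsServer

# Expect DC=DomainDnsZones,DC=<domain> and DC=ForestDnsZones,DC=<forest root> here
(Get-ADForest).ApplicationPartitions

# The DNS server's own view of the partitions it knows about and is enlisted in
Get-DnsServerDirectoryPartition | Select-Object DirectoryPartitionName, State, Flags, ZoneCount

# Replication scope per zone: Forest / Domain use the application partitions;
# Legacy means the zone lives in the domain partition and replicates to every DC.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DirectoryPartitionName

# If the built-in partitions are absent, create them with the documented dnscmd switches
# (run on the DC holding the Domain Naming Master role):
#   dnscmd /CreateBuiltinDirectoryPartitions /Domain
#   dnscmd /CreateBuiltinDirectoryPartitions /Forest
# A zone already created as Legacy can then be moved into a partition:
#   Set-DnsServerPrimaryZone -Name 'corp.example' -ReplicationScope Domain
```

Member servers join the domain through the DC locator SRV records in the domain zone, so a missing partition does not block the join by itself; it matters once there is a second DC, because a Legacy zone replicates to all DCs whether or not they run DNS, and because the _msdcs forest zone is normally scoped to ForestDnsZones.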



Application Error 1000


Good Day

My domain controller (Windows Server 2003 x64) keeps restarting itself when the following error occurs:

Event Type:        Error
Event Source:      Application Error
Event Category:    (100)
Event ID:          1000
Date:              2014/10/17
Time:              08:51:32 AM
User:              N/A
Description:
Faulting application lsass.exe, version 5.2.3790.1830, faulting module esent.dll, version 5.2.3790.3959, fault address 0x0000000000141606.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 6c 73 61   ure  lsa
0018: 73 73 2e 65 78 65 20 35   ss.exe 5
0020: 2e 32 2e 33 37 39 30 2e   .2.3790.
0028: 31 38 33 30 20 69 6e 20   1830 in
0030: 65 73 65 6e 74 2e 64 6c   esent.dl
0038: 6c 20 35 2e 32 2e 33 37   l 5.2.37
0040: 39 30 2e 33 39 35 39 20   90.3959
0048: 61 74 20 6f 66 66 73 65   at offse
0050: 74 20 30 30 30 30 30 30   t 000000
0058: 30 30 30 30 31 34 31 36   00001416
0060: 30 36                     06

Does anyone have the solution to the error message?

AD Authentication Too Slow With Required Ports Open


Hi,

I have a server (2008 R2) in the DMZ network and the domain controller (also 2008 R2) is sitting in the internal network. There is no domain or domain controller in the DMZ network, only one domain in the internal network. The server in the DMZ is a domain member. I opened all the necessary ports through the firewall mentioned in the article below:

http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx

When I use domain credentials to log on to the server in the DMZ, it successfully logs in but takes about 5 minutes for the login process to complete! As a test, I opened ANY (all ports) and then login takes only a few seconds (normal time).

Can someone tell me what the reason is? Is the above article missing ports that should also be opened?

Thanks
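Both the "Domain Controller behind firewall" question above and this slow-logon one come down to the same list of ports, and to one detail the port lists leave out: a firewall that silently drops a packet makes the client wait for a timeout on every attempt, whereas a rejected port fails instantly. A logon that takes minutes but succeeds is the signature of a dropped port somewhere in the sequence. The block below is an added example, not from either post; it probes each TCP port a domain member needs on a DC (and, with -IncludeDcToDc, the DC-to-DC extras) with a short timeout and reports Open, Refused or Timeout, so the dropped ones stand out. It uses System.Net.Sockets so it runs on 2008 R2, where Test-NetConnection does not exist; the DC name is a placeholder.

```powershell
# Added example, not from either post: probe the TCP ports a domain member needs on a DC,
# distinguishing Open (listening), Refused (reachable, nothing listening) and Timeout
# (dropped by a firewall). Runs on 2008 R2; the DC name is a placeholder.
function Test-AdPorts {
    param(
        [Parameter(Mandatory = $true)][string]$DomainController,
        [int]$TimeoutMs = 2000,
        [switch]$IncludeDcToDc
    )
    # Member-to-DC ports (TCP side only; UDP 53/88/123/389/464 and NetBIOS 137/138 are not probed here)
    $ports = @(
        @{ Port = 53;   Service = 'DNS' },
        @{ Port = 88;   Service = 'Kerberos' },
        @{ Port = 135;  Service = 'RPC endpoint mapper' },
        @{ Port = 139;  Service = 'NetBIOS session' },
        @{ Port = 389;  Service = 'LDAP' },
        @{ Port = 445;  Service = 'SMB (SYSVOL, NETLOGON, Group Policy)' },
        @{ Port = 464;  Service = 'Kerberos password change' },
        @{ Port = 636;  Service = 'LDAP over SSL' },
        @{ Port = 3268; Service = 'Global catalog' },
        @{ Port = 3269; Service = 'Global catalog over SSL' }
    )
    if ($IncludeDcToDc) {
        $ports += @{ Port = 5722; Service = 'DFS-R SYSVOL replication (2008 / 2008 R2 DCs)' }
    }
    # RPC services (Netlogon, SAM, AD replication) listen on the dynamic range, 49152-65535
    # on Vista/2008 and later. Nothing listens on a random port, so 'Refused' here means the
    # range is allowed through and 'Timeout' means it is being dropped.
    foreach ($p in 49152, 55000, 65535) {
        $ports += @{ Port = $p; Service = 'RPC dynamic range (sample)' }
    }

    foreach ($p in $ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $result = 'Timeout'
        try {
            $async = $client.BeginConnect($DomainController, $p.Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)
                $result = 'Open'
            }
        } catch [System.Net.Sockets.SocketException] {
            if ($_.Exception.SocketErrorCode -eq 'ConnectionRefused') { $result = 'Refused' }
            else { $result = "Error: $($_.Exception.SocketErrorCode)" }
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{ Port = $p.Port; Service = $p.Service; Result = $result }
    }
}

Test-AdPorts -DomainController 'dc1.corp.example' -IncludeDcToDc |
    Format-Table Port, Service, Result -AutoSize
```

The UDP side cannot be probed this way, and it matters for the slow-logon case: the DC locator pings candidate DCs over LDAP UDP 389 before it will use one, and Kerberos tries UDP 88 first on older clients, so a rule set that is TCP-only on those ports produces exactly the minutes-long-then-succeeds behaviour described. PortQry (portqry -n dc -e 389 -p udp) or a packet capture on the DMZ host during logon will show which UDP query is waiting for a reply that never comes. If the dynamic range is the problem and opening 49152-65535 is unacceptable, the documented alternative is to pin the RPC services to a fixed port (Netlogon via the "DCTcpipPort" value, AD replication via "TCP/IP Port" under the NTDS Parameters key) and open only those.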




Domain User GPO exempt not working


Hi,

I have set up a restrict removable drive policy domain wide, but I need a few specific users to be exempted from it,

so I added the users in the Delegation tab and set the permissions to "Read: Deny" and "Apply Group Policy: Deny".

However, it doesn't seem to be applying to the users.

I have followed the blog entry at http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/ but to no avail!

I have also checked whether any of my other policies are overriding it.

** My GPOs are not enforced.

rgds


Just a lowly techie..
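A security-filtering exemption is just a Deny ACE for the Apply-Group-Policy extended right on the GPO's container object in AD, and it only takes effect if the account actually lands in the user's token (directly, or through group membership resolved at logon) and if the client's own evaluation records it as denied. The block below is an added example that checks each of those points, not from the post; it assumes the GroupPolicy and ActiveDirectory modules, and the GPO name and user are placeholders.

```powershell
# Added example, not from the post: verify that the Deny ACEs written from the Delegation tab
# exist on the GPO object, which trustees they target, and how the client evaluated them.
# Assumes the GroupPolicy and ActiveDirectory modules; GPO name and user are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoDenyAces {
    param([Parameter(Mandatory = $true)][string]$GpoName)
    # Apply-Group-Policy extended right; a Deny on this is what "Apply Group Policy: Deny" writes
    $applyGroupPolicy = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
    $gpo = Get-GPO -Name $GpoName
    $acl = Get-Acl -Path "AD:\$($gpo.Path)"      # groupPolicyContainer object under CN=Policies
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        New-Object PSObject -Property @{
            Trustee     = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights.ToString()
            ApplyGpDeny = ($ace.ObjectType -eq $applyGroupPolicy)
            Inherited   = $ace.IsInherited
        }
    }
}

Get-GpoDenyAces -GpoName 'Restrict Removable Drives' | Format-Table -AutoSize

# Does the exempted user actually carry the trustee in their token? If the Deny was put on a
# group, membership must be effective at logon (nested groups count, but only after a fresh logon).
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name, GroupScope

# On the client, logged on as the exempted user: the GPO must appear under
# "The following GPOs were not applied" with reason "Denied (Security)".
gpresult /r /scope:user
```

If the Deny ACE is present and the user is the trustee but gpresult still lists the GPO as applied, the user part of Group Policy was evaluated before the change replicated or before a new logon; a Deny on Apply Group Policy alone is sufficient, and the extra Deny on Read only hides the GPO from the client, so dropping it does not weaken the exemption.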

One of the DCs can't connect to AD on Windows Server 2003


Dear Sir,

We have 2 Domain Controllers in our domain, DC1 and DC3, which are running Windows Server 2003 SP2. I found that DC3 fails to connect to AD, and I found the following error messages logged in the system event log many times:

Source: MRxSmb
Type : Error

The master browser has received a server announcement from the computer DC1 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C1D9AA59-2423-4059-A773. The master browser is stopping or an election is being forced.

Source: KDC
Type: warning
The description for Event ID 20 in Source KDC cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: The event log file is corrupted.

Source: Kerberos
Type: Error
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/dc1.domain.com.  This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (Domain name), and the client realm.   Please contact your system administrator.

I have searched on the internet and tried some of the suggestions, but still can't fix the issue. I also can't dcpromo DC3 down, and can't use Remote Desktop Connection to connect to DC3.

What can I do now? Can I just reinstall DC3 and run dcpromo again?

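"The target account name is incorrect" in the Group Policy post above and KRB_AP_ERR_MODIFIED in this one are the same Kerberos failure seen from two sides: the client obtained a ticket for a service principal, and the DC that received it could not decrypt it with its current key. That happens when the DC's machine-account password has diverged between DCs, when the same SPN is registered on two accounts (the condition the event text itself names), or when clocks drift past the Kerberos tolerance. The block below is an added example of the checks for both posts, not from either; it assumes nltest, setspn (the 2008+ version for -X) and w32tm, and that domain and DC names are placeholders.

```powershell
# Added example, not from either post: the checks to run for "target account name is
# incorrect" / KRB_AP_ERR_MODIFIED. nltest, w32tm and netdom exist on 2003; setspn -X and
# Test-ComputerSecureChannel need 2008 / 2008 R2 or later. Names are placeholders.
$domain = 'mydomain.com'
$dc     = 'dc1.mydomain.com'

# 1. Secure channel from this machine (the failing client, or DC3 in the second post) to a DC
nltest "/sc_query:$domain"
nltest "/sc_verify:$domain"
# 2008 R2+ equivalent with a boolean result:
# Test-ComputerSecureChannel -Verbose

# 2. Duplicate SPNs anywhere in the forest: -X reports duplicates, -F searches the forest.
#    Run from a 2008+ machine; the 2003 setspn has no -X.
setspn -X -F
setspn -L $dc.Split('.')[0]      # SPNs registered on DC1's computer account

# 3. Clock skew beyond 5 minutes (default policy) makes every ticket fail
w32tm /monitor "/domain:$domain"

# 4. Repair. A member server or workstation (2008 R2+, run elevated) can reset its own account:
Test-ComputerSecureChannel -Repair -Credential (Get-Credential "$domain\admin")
#    A domain controller must not be repaired that way. The documented netdom procedure
#    resets its machine-account password against a healthy DC with the KDC stopped locally:
#    net stop kdc
#    netdom resetpwd /server:$dc /userd:$domain\admin /passwordd:*
#    net start kdc
```

For the 2003 DC that can no longer be demoted cleanly, the order matters: reset the password with netdom, force replication (repadmin /syncall), and only if Kerberos still fails fall back to a forced demotion (dcpromo /forceremoval) followed by metadata cleanup on DC1 before reinstalling; promoting a rebuilt DC3 while the old DC3 objects still exist is what produces the duplicate-name condition the KRB_AP_ERR_MODIFIED text describes.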



