Channel: Directory Services forum

Cannot logon to 2012 Domain Controllers - The Kerberos client received a KRB_AP_ERR_MODIFIED


Hi all, 

I have recently updated our domain with 2012 domain controllers. The domain is still running at the 2003 functional level, but the majority of DCs are now 2012. I have had intermittent issues where users cannot log on again once the screen locks, and some servers fail to accept any password until they are rebooted. This morning on one site none of my users could log on. I have two 2012 domain controllers, neither of which I could log on to (one carries all FSMO roles). This also prevented logon to some, but not all, servers.

This was fixed by rebooting the DCs, but I need to find out why this happened.

Checking event log I received these errors:

The dynamic registration of the DNS record '_ldap._tcp.DOMAIN.local. 600 IN SRV 0 100 389 winDC01.DOMAIN.local.' failed on the following DNS server:  

DNS server IP address: 10.10.0.142 
Returned Response Code (RCODE): 5 
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA 
Error Value: DNS bad key.

EVENT 4:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server windc02$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/5df22a58-4504-4733-aeed-2fc5ff39e454/domain.local@domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.LOCAL) is different from the client domain (domain.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.


matt barnes
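The Event 4 text names two causes for KRB_AP_ERR_MODIFIED: the target SPN registered on more than one account, or the target's password differing between the server and the KDC. The "DNS bad key" failure fits the same picture, since secure dynamic DNS update is authenticated with Kerberos (GSS-TSIG). The script below is an added example, not part of the original post or its answers; it checks both causes with the ActiveDirectory RSAT module and uses the host names from the post (windc02, winDC01, domain.local) as placeholders.

```powershell
# Added example, not part of the original post. Hunts for the two causes named
# in the Event 4 text: an SPN registered on more than one account, and a
# machine-account password that differs between the target DC and the KDC.
# Requires the ActiveDirectory module (RSAT); run as a domain admin on a DC.
Import-Module ActiveDirectory

# 1. Every SPN in the domain that is registered on more than one account.
#    The SPN in the event (E3514235-...-DCD2/<DSA GUID>/domain.local) is the
#    DC's replication SPN; it must exist on exactly one computer account.
function Find-DuplicateSpn {
    $owner = @{}
    $dups  = @{}
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                if ($owner.ContainsKey($spn)) { $dups[$spn] = @($owner[$spn], $dn) }
                else                          { $owner[$spn] = $dn }
            }
        }
    foreach ($k in $dups.Keys) {
        [pscustomobject]@{ SPN = $k; Accounts = ($dups[$k] -join ' | ') }
    }
}
Find-DuplicateSpn | Format-Table -Wrap
# Same check, built in and forest-wide:  setspn -X -F

# 2. Does every DC agree on when windc02's machine password was last set?
#    A stale copy on the KDC that issued the ticket produces exactly this error.
function Compare-MachinePwdLastSet([string]$Computer) {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $c = Get-ADComputer -Identity $Computer -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{
            QueriedDc  = $dc.HostName
            Account    = $c.SamAccountName
            PwdLastSet = [DateTime]::FromFileTime($c.pwdLastSet)
        }
    }
}
Compare-MachinePwdLastSet -Computer 'windc02' | Format-Table -AutoSize
# If the values differ, force replication and, if still needed, reset the
# secure channel of windc02 against a healthy DC from an elevated prompt on windc02:
#   repadmin /syncall /AdeP
#   nltest /sc_reset:domain.local\winDC01
```

Run it from a DC that has the RSAT module; the replication SPN with the E3514235 prefix should come back once and only once in the SPN list, and pwdLastSet should be identical on every DC queried.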


Domain Joining port

Which network ports are required to join a machine to a domain? One of my servers is not able to join the domain. Please let me know which ports I have to open on the server side.
Nirmal Singh IT Administrator
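The ports a domain join needs between the new member and a domain controller are DNS (53), Kerberos (88), the RPC endpoint mapper (135), LDAP (389), SMB (445), Kerberos password change (464), the global catalog (3268) and the dynamic RPC range the endpoint mapper hands out (49152-65535 on Windows 2008 and later), plus NTP (UDP 123) for time. The script below is an added example, not part of the post; it probes each TCP port from the server being joined. The DC name is a placeholder.

```powershell
# Added example, not part of the original post. Probes the TCP ports a domain
# join needs, from the server being joined towards one DC. Test-NetConnection
# (Windows 8 / Server 2012 and later) tests TCP only; UDP ports are listed so
# the firewall rule set can be checked by hand.
$Dc = 'dc1.corp.example'     # assumption: replace with a real DC

$Ports = @(
    @{ Port = 53;   Proto = 'TCP/UDP'; Service = 'DNS' }
    @{ Port = 88;   Proto = 'TCP/UDP'; Service = 'Kerberos' }
    @{ Port = 135;  Proto = 'TCP';     Service = 'RPC endpoint mapper' }
    @{ Port = 389;  Proto = 'TCP/UDP'; Service = 'LDAP' }
    @{ Port = 445;  Proto = 'TCP';     Service = 'SMB (Netlogon, SYSVOL)' }
    @{ Port = 464;  Proto = 'TCP/UDP'; Service = 'Kerberos password change' }
    @{ Port = 3268; Proto = 'TCP';     Service = 'Global Catalog LDAP' }
    @{ Port = 123;  Proto = 'UDP';     Service = 'NTP (not testable with TCP probe)' }
)

function Test-DomainJoinPorts([string]$Server, [array]$PortList) {
    foreach ($p in $PortList) {
        $open = $null
        if ($p.Proto -ne 'UDP') {
            $r = Test-NetConnection -ComputerName $Server -Port $p.Port -WarningAction SilentlyContinue
            $open = $r.TcpTestSucceeded
        }
        [pscustomobject]@{
            Port    = $p.Port
            Proto   = $p.Proto
            Service = $p.Service
            TcpOpen = $open        # $null = not probed (UDP only)
        }
    }
}

Test-DomainJoinPorts -Server $Dc -PortList $Ports | Format-Table -AutoSize

# The dynamic RPC range (49152-65535) cannot be checked with one probe. Ask the
# endpoint mapper which high ports the DC's RPC services are bound to and test
# a few of those, or confirm the firewall rule covers the whole range:
#   PortQry.exe -n $Dc -e 135
```

Anything that comes back with TcpOpen = False is a firewall or routing problem to fix before retrying the join; DNS (53) must also resolve the domain's SRV records, which `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` confirms.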

Log DNS record creation / deletion events in the DCs' security event viewer


hi,

I have configured DNS record creation and deletion auditing as per the Microsoft blog below on one of my DCs:

http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx

All settings are done correctly and events for DNS creation and deletion are generated in the security event log. BUT THESE EVENTS ARE ONLY GENERATED ON ONE DC. We have 3 other DCs; I checked the security events on the other 2 DCs but there are no event logs. Only one DC has those events.

Is there any way that whenever a DNS record is created / deleted the events are CREATED ON ALL DCs? This would save time, as otherwise I have to check the security events on all DCs.

Please suggest
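An AD-integrated DNS record is a dnsNode object in the directory, and the Directory Service Changes audit events for it (5137 created, 5141 deleted, 5136 modified) are written by the DC that processed the write, not replicated to the others. The script below is an added example, not part of the post or its answers; instead of expecting every DC to log every change, it pulls those events from all DCs into one view. It assumes the auditing from the linked blog (Directory Service Changes subcategory plus the SACL on the DNS partitions) is configured on every DC, and that the account running it can read each DC's Security log remotely.

```powershell
# Added example, not part of the original post. Collects DNS-object audit
# events from every DC in the domain into one list. Event IDs: 5137 object
# created, 5141 object deleted, 5136 object modified (Directory Service
# Changes). Only events whose object class is dnsNode are kept.
Import-Module ActiveDirectory

function Get-DnsRecordAuditEvents([int]$Hours = 24) {
    $since  = (Get-Date).AddHours(-$Hours)
    $action = @{ 5137 = 'Created'; 5141 = 'Deleted'; 5136 = 'Modified' }
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
                LogName   = 'Security'
                Id        = 5136, 5137, 5141
                StartTime = $since
            } |
            Where-Object { $_.Message -match 'dnsNode' } |
            ForEach-Object {
                $lines = $_.Message -split "`r?`n"
                [pscustomobject]@{
                    DC      = $dc.HostName
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Action  = $action[$_.Id]
                    Object  = ($lines | Where-Object { $_ -match '^\s*DN:' } | Select-Object -First 1).Trim()
                    Subject = ($lines | Where-Object { $_ -match 'Account Name:' } | Select-Object -First 1).Trim()
                }
            }
        }
        catch {
            # "No events were found" and RPC/firewall failures both land here
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

Get-DnsRecordAuditEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

A DC that never shows up in the output either receives no dynamic updates (clients register against the DNS server their NIC points to) or does not have the audit policy and SACL applied; the SACL in particular must be set on the DomainDnsZones/ForestDnsZones partitions, which replicate, while the audit policy setting itself must reach every DC through the Domain Controllers GPO.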

Active Directory


Hi Team,

I have a few queries mentioned below. Kindly share your suggestions.

1) How can we make sure that time is being synchronized properly in the AD infrastructure, and how do we monitor this?

2) Is there any way to find which attribute of an object was changed recently?

Regards

Sajin P S
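Both questions have a direct answer in the tools that ship with Windows: w32tm reports each DC's time source and its offset from the machine running the query (Kerberos rejects tickets once the skew exceeds five minutes by default), and replication metadata records, per attribute, when and on which DC the last originating write happened. The script below is an added example, not part of the post; it is meant to be run on the PDC emulator, which is the top of the domain time hierarchy, and the account name jdoe is a placeholder.

```powershell
# Added example, not part of the original post.
# Part 1: time offset of every DC relative to this machine (run it on the PDC
#         emulator so the offsets are relative to the domain's reference clock).
# Part 2: the attributes of an object that changed most recently, from
#         replication metadata, with the originating DC for each.
Import-Module ActiveDirectory

function Get-DcTimeOffset {
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        $h = $dc.HostName
        # /stripchart prints one sample line like "15:39:17, +00.0012345s"
        $sample = w32tm /stripchart /computer:$h /samples:1 /dataonly 2>$null | Select-Object -Last 1
        $offset = if ($sample -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }
        [pscustomobject]@{
            DC            = $h
            IsPdcEmulator = ($h -eq $pdc)
            OffsetSeconds = $offset          # $null = no answer on UDP 123
            TimeSource    = (w32tm /query /source /computer:$h 2>$null)
        }
    }
}
Get-DcTimeOffset | Format-Table -AutoSize
# Expected: every DC's source is a DC higher in the hierarchy, the PDC
# emulator's source is an external/hardware clock, and |OffsetSeconds| stays
# well under 300. "Local CMOS Clock" as a source on a DC is the usual misconfiguration.

function Get-LastChangedAttributes([string]$SamAccountName, [int]$Top = 10) {
    $obj = Get-ADObject -Filter { sAMAccountName -eq $SamAccountName }
    if (-not $obj) { throw "No object with sAMAccountName $SamAccountName" }
    Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName -Server (Get-ADDomain).PDCEmulator |
        Sort-Object LastOriginatingChangeTime -Descending |
        Select-Object -First $Top AttributeName, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity, Version
}
Get-LastChangedAttributes -SamAccountName 'jdoe'   # assumption: an existing account
```

The metadata view answers "what changed and from where" without any auditing enabled; if you also need "who changed it", that requires Directory Service Changes auditing (event 5136), which the metadata does not record.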

Replaced 2008 DC, now remote systems are slow to browse network


I just replaced our DC that also served as one of several DNS servers.  All FSMO roles were transferred to the new DC before demoting.

After doing so, the majority of our remote sites (connected via site-to-site VPN), can no longer access the UNC path of the file server also located in each remote site, and if they can, it is extremely slow.  However, this isn't happening to every remote site.  Affected sites are also unable to access UNC path via IP address, although nslookup/pings resolve normally.  The temporary workaround is to remove all affected systems from the domain.  As soon as those machines are removed from the domain and rebooted, accessibility to these paths returns instantly.

Managing Per Diem AD Accounts


I work in a small IT department in a healthcare facility and one of the issues that we have is trying to effectively manage AD accounts for per diem users.  Up until this point we've been disabling user accounts when we find they aren't being used and reactivating them when their supervisors call requesting we turn them back on.  Does anyone have any best practices or maybe some suggestions on how to effectively manage AD accounts for per diem users?  Some of the users are almost full-time here, while others may only work 1 day a year so it's been difficult for us to implement anything that actually works.

Any suggestions would be greatly appreciated!

Windows 2012 R2 Active Directory Server Blank Screen


I have a Windows 2003 domain, and I added a Server 2012 R2 server to the domain. The 2012 R2 server is a Hyper-V virtual machine. When promoting the server to a domain controller it hung on the process and I had to reboot the server. When I log into the server now with the same account I was using when I promoted the server, I get a black screen. When I hit Ctrl-Alt-Del on the Hyper-V console screen I see several options such as Task Manager, but clicking on them doesn't bring up anything. I can also sign out. If I log in using another admin account I have no issues. If I view the application log I see a 4006 Event ID:

The Windows logon process has failed to spawn a user application. .... C:\Windows\system32\userinit.exe.

If I boot in safe mode I am able to log on with the problem account and see the normal safe mode screen. Also, BTW, the DC promotion process completed without issues.

Thanks,

Strange Behavior with gMSA in Server 2012 R2


Greetings,

I have been doing some testing with gMSA Accounts in a Server 2012 R2 environment (two separate environments, actually), and I have noticed something very strange that occurred in both environments, which does not appear to be occurring in one of our customer's self-managed environments.

We created a Group Managed Service Account using the following article: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

Everything went smoothly, and the account installs/tests successfully on both of the hosts that we are testing on. I am able to set my services to run under the account, and most of them appear to work fine. I am having some issues with a few of my services, and I believe that the strange behavior I am seeing may have something to do with this - described below: 

As soon as I set the service's Log On Account (via the Log On Tab under the Service's Properties), the entirety of the "Log On" tab changes to "greyed out," and I am unable to change the Log On account back via the GUI (Screenshot attached).

I found that I am able to successfully change the account via Command Line using sc.exe, but the Log On tab remains greyed out! So far, I have found nothing to remedy this, but confirmed that it happens for any service I set to use the gMSA as the Logon Account, and that it happens in 2 separate test environments, but not in a Customer's production environment - very strange.

All servers in this environment are running Server 2012 R2, and domain Functional Level is currently Server 2012.

I have been unable to find any information online about this behavior, so I am hoping someone has seen this before, and can explain why this is happening.

Nick



Export list of users folder redirection path.


I am currently trying to write a script to export the folder redirection path of certain groups. We re-created all of these users' accounts in a more organized OU structure and would like to wipe the users' redirection paths. The only problem with this is that some of these groups are still in use and we do not want to delete their paths. Is there any way to export a CSV file or something that lists each user's folder redirection path? Would csvde do it? We are on Server 2008 R2 if that makes any difference.
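One thing worth knowing before scripting this: the folder redirection target is not stored on the user object. It is a Group Policy setting (applied client-side from the policy's fdeploy settings in SYSVOL), so neither csvde nor an LDAP query can export it per user; what the directory does hold per user is homeDirectory, homeDrive and profilePath. The script below is an added example, not part of the post or its answers; it exports those attributes for the members of the named groups, so the paths can be reviewed before any are cleared, and shows the csvde and gpresult equivalents. The group names and output path are placeholders.

```powershell
# Added example, not part of the original post. Exports the per-user path
# attributes that AD actually stores (homeDirectory, homeDrive, profilePath)
# for every member of the given groups, to CSV, and returns the rows.
Import-Module ActiveDirectory

$Groups = 'Finance-Users', 'Legacy-Users'     # assumption: groups to review

function Export-UserPaths([string[]]$GroupNames, [string]$Path) {
    $rows = foreach ($g in $GroupNames) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties homeDirectory, homeDrive, profilePath |
            ForEach-Object {
                [pscustomobject]@{
                    Group       = $g
                    SamAccount  = $_.SamAccountName
                    OU          = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
                    HomeDrive   = $_.homeDrive
                    HomeDir     = $_.homeDirectory
                    ProfilePath = $_.profilePath
                }
            }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    $rows
}

Export-UserPaths -GroupNames $Groups -Path 'C:\temp\user-paths.csv' | Format-Table -AutoSize

# The same attributes with csvde (one file for the whole domain):
#   csvde -f users.csv -r "(&(objectCategory=person)(objectClass=user))" -l "sAMAccountName,homeDirectory,homeDrive,profilePath"
# The actual redirection target a user gets comes from Group Policy; read it
# from the resultant set of policy on a machine that user has logged on to:
#   gpresult /user DOMAIN\jdoe /h C:\temp\jdoe-rsop.html    (Folder Redirection section)
```

If the real goal is to stop redirecting for the re-created accounts, the change is on the GPO (security filtering or link) rather than on the user objects, and the "Redirect the folder back to the local userprofile location when policy is removed" option decides what happens to the data already on the share.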

I have a user with multiple AD accounts want to Migrate

I'm ready to migrate an AD to a newly created domain. But the problem I have is a user who has multiple accounts for different applications and access. When I migrate him to the new domain, he can't access the other applications. Is there a way to merge all the accounts of the user? It looks like a SID issue.

Can only extend the schema once?


I read a couple of other posts here but still have a question. I am looking at setting up SCCM. I see that it is not required but recommended to extend the AD schema. Got that part.

http://technet.microsoft.com/en-us/library/gg712272.aspx
Extending the Active Directory schema is optional for Configuration Manager. However, by extending the schema you can use all Configuration Manager features and functionality with the least amount of administrative overhead. Extending the Active Directory schema is a forest-wide action and can only be done one time per forest.

So I guess my question is: in order to be able to use all the Config Mgr options etc., how do you then handle it if later on down the road (who knows, could be two years, not currently planned) you decide to do something else like install Exchange or some other product that requires the schema to be extended? How would you do that when you can only do it once and you already did it for, say, SCCM?

Not getting that...Thx

Want to put ns1.any-domain-name.com & ns2.any-domain-name.com on Server 2012; I have an IP address + main domain name + 5 other domain names (want to add these afterwards)


Want to put ns1.any-domain-name.com & ns2.any-domain-name.com on Server 2012. I have an IP address + main domain name (we will use any-domain-name.com as an example) + 5 other domain names (want to add these afterwards).

I have added DNS and IIS to my Server 2012; I believe I have correctly added my main domain name, being any-domain-name.com.

I am a bit lost as to where to put ns1.any-domain-name.com & ns2.any-domain-name.com.

All my domain names at the registrar are set to ns1.any-domain-name.com & ns2.any-domain-name.com. I have also added the glue record with the IP address to the main domain name any-domain-name.com.

I have put the 5 domain names on the server and now realise I need the ns1/ns2 zones, which means I might have to delete the 5 domain names.

Can someone give me some guidance please
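ns1 and ns2 are not zones of their own: they are A records inside the any-domain-name.com zone (matching the glue the registrar holds), and every zone on the server, the main one and the five others, then carries NS records at its apex naming those two hosts. Nothing has to be deleted. The script below is an added example, not part of the post or its answers; it uses the DnsServer module on Server 2012, and the IP address and extra zone names are placeholders.

```powershell
# Added example, not part of the original post. Creates the ns1/ns2 host
# records in the main zone and sets ns1/ns2 as the NS records of every zone,
# creating the extra zones if they do not exist yet.
Import-Module DnsServer

$Main  = 'any-domain-name.com'
$Ip    = '203.0.113.10'                               # assumption: the server's public IP
$Extra = 'second-domain.com', 'third-domain.com'      # assumption: the other domains

function Set-ZoneNameServers([string]$Zone, [string]$MainZone, [string]$Address) {
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns"
    }
    foreach ($ns in 'ns1', 'ns2') {
        $fqdn = "$ns.$MainZone"
        # the host records live only in the main zone and must match the registrar glue
        if ($Zone -eq $MainZone) {
            Add-DnsServerResourceRecordA -ZoneName $Zone -Name $ns -IPv4Address $Address -ErrorAction SilentlyContinue
        }
        # apex NS record ("." is the zone apex for Add-DnsServerResourceRecord)
        Add-DnsServerResourceRecord -NS -ZoneName $Zone -Name '.' -NameServer $fqdn -ErrorAction SilentlyContinue
    }
    # zone creation adds the server's own host name as an NS record; remove
    # anything at the apex that is not ns1/ns2 so only the public names are advertised
    $keep = "^ns[12]\.$([regex]::Escape($MainZone))\.$"
    Get-DnsServerResourceRecord -ZoneName $Zone -RRType NS -Name '@' |
        Where-Object { $_.RecordData.NameServer -notmatch $keep } |
        Remove-DnsServerResourceRecord -ZoneName $Zone -Force
}

Set-ZoneNameServers -Zone $Main -MainZone $Main -Address $Ip
foreach ($z in $Extra) { Set-ZoneNameServers -Zone $z -MainZone $Main -Address $Ip }

# Check from another machine that the server answers authoritatively:
#   nslookup -type=NS any-domain-name.com 203.0.113.10
#   nslookup ns1.any-domain-name.com 203.0.113.10
```

Two things the script does not do that a public name server needs: a second IP for ns2 (registrars and resolvers expect two independent servers, and many registrars refuse two names on one address), and disabling recursion on this server so it cannot be used as an open resolver (`Set-DnsServerRecursion -Enable $false`).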


How to clean up metadata of tree domain from root forest domain


Hi,

We have an environment like below:

name of Root Forest domain == Root.com

name of Tree domain in the same forest (root.com) == treedom.com

treedom.com has only one domain controller and unfortunately that DC went offline due to a hard disk failure. Now the DC of treedom.com is offline and we want to CLEAN the METADATA of the tree domain from our root forest domain, i.e. ROOT.COM.

Please suggest....

Let me know if more information is required .
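When a domain's only DC is gone, the domain itself has to be removed from the forest: first the dead DC's server metadata, then the domain with ntdsutil's "remove selected domain", and then the objects ntdsutil leaves behind (the trust object in the root domain and the DSA GUID aliases in the forest-wide _msdcs zone). The script below is an added example, not part of the post or its answers; it documents the ntdsutil steps as comments and lists and removes the leftovers with the ActiveDirectory and DnsServer modules. The DC name TREEDC01 and the site name are placeholders; the domain names are the ones from the post.

```powershell
# Added example, not part of the original post. Run on a DC of root.com as an
# Enterprise Admin after the treedom.com DC is confirmed unrecoverable.

# Step 1 (interactive ntdsutil; its menu needs the index printed by "list domains"):
#   ntdsutil
#   metadata cleanup
#   remove selected server CN=TREEDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=root,DC=com
#   select operation target
#   list domains                  <- note the number next to DC=treedom,DC=com
#   select domain <n>
#   quit
#   remove selected domain
#   quit
#   quit

# Step 2: what is left behind for the domain?
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DomainLeftovers([string]$DomainDns, [string]$ForestRootDns) {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = 'DC=' + ($DomainDns -replace '\.', ',DC=')

    # crossRef in CN=Partitions: while it exists the forest still "knows" the domain
    Get-ADObject -SearchBase "CN=Partitions,$cfg" -LDAPFilter "(&(objectClass=crossRef)(nCName=$dn))" |
        Select-Object @{n='Kind';e={'crossRef'}}, DistinguishedName

    # server objects (with their NTDS Settings) of DCs that belonged to that domain
    Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter "(&(objectClass=server)(dNSHostName=*.$DomainDns))" |
        Select-Object @{n='Kind';e={'server'}}, DistinguishedName

    # the parent/child (tree-root) trust object in the root domain; ntdsutil leaves this
    Get-ADObject -SearchBase "CN=System,$((Get-ADDomain).DistinguishedName)" -LDAPFilter "(&(objectClass=trustedDomain)(name=$DomainDns))" |
        Select-Object @{n='Kind';e={'trustedDomain'}}, DistinguishedName

    # DSA GUID aliases in the forest-wide _msdcs zone that point at hosts of that domain
    Get-DnsServerResourceRecord -ZoneName "_msdcs.$ForestRootDns" -RRType CName -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.HostNameAlias -like "*.$DomainDns." } |
        Select-Object @{n='Kind';e={'dns CNAME'}},
                      @{n='DistinguishedName';e={ "$($_.HostName) -> $($_.RecordData.HostNameAlias)" }}
}

$left = Get-DomainLeftovers -DomainDns 'treedom.com' -ForestRootDns 'root.com'
$left | Format-Table -AutoSize

# Step 3: remove directory leftovers one by one (each removal prompts)
$left | Where-Object Kind -in 'trustedDomain', 'server' |
    ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm }
# DNS aliases: Remove-DnsServerResourceRecord -ZoneName _msdcs.root.com -RRType CName -Name <guid>
```

Re-run Get-DomainLeftovers until it returns nothing, then `repadmin /replsum` and `dcdiag /test:CheckSDRefDom` on the root domain should be clean; the crossRef row must already be gone after Step 1, and if it is not, the ntdsutil domain removal did not complete.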

Adding secondary ADFS server to farm fails with Could Not Load Assembly error


Hi all,

I have two servers running Server 2012 R2.

There are two AD sites, in site 1, I have the primary ADFS server running on a member server.  In site 2 I have a secondary ADFS server running on the only DC in the site.  There will be WAP servers publishing these servers in either site.

I successfully set up the first ADFS server in site 1, and this is working ok.  However, when I set up the server in site 2 I get the following error during the prerequisite checker:

Could not load file or assembly 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. Access is denied.

Unable to retrieve configuration from the primary server. Could not load file or assembly 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. Access is denied.

I ran this as my domain admin account and also as domain\administrator which is seldom used.

When I run the resulting PowerShell script, I get errors relating to the gMSA, so I'm not sure if that is where my issue lies. Here is the script:

# Windows PowerShell script for AD FS Deployment
#

Import-Module ADFS

# Get the credential used for performing installation/configuration of ADFS
$installationCredential = Get-Credential -Message "Enter the credential for the account used to perform the configuration."

Add-AdfsFarmNode `
-CertificateThumbprint:"Thumbprint Here" `
-Credential:$installationCredential `
-GroupServiceAccountIdentifier:"DOMAIN\STSSvc`$" `
-PrimaryComputerName:"machine.domain.net"

I tried using the FQDN of the ADFS server as well as the common name of sts.domain.net, neither worked.

Any suggestions?


Andrew Hodgson

cannot join dc after domain rename (rendom)


Hello Forum,

After a domain rename, I cannot join a new DC to the domain. I think something went wrong, because I had some olddomain.local entries left, which I fixed myself with ADSI Edit. The problem is/was that I finally ran /cleanup and /end.

The message I get when I want to join a new 2012 R2 DC (to a domain at 2012 R2 forest level) is:

Verification of outbound replication failed. Error reading the NTDS settings on replication source domain controller dc1.newdomain.lan. Domain Controller data not found for the specified Active Directory domain controller.

dcdiag passed all tests (on the only DC I have), with only two event log entries, which I think are harmless.

C:\>dcdiag /v /q
         Failure. Event ID: 0xC0FF05DC
            Time generated: 11/03/2014   15:39:17
            Event string:
            An error occurred while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
         Failure. Event ID: 0x0000106A
            Time generated: 11/03/2014   15:39:20
            Event string:
            The IP address for the ISATAP interface isatap.{57C07FF6-EAC7-49B0-9EA0-D08D20812B7E} was not updated. Update type: 1. Error code: 0x490.

         ......................... DC1 failed test SystemLog.

Sorry - German locale.

I found the follow problem on the computer object in adsiedit: dNSHostName is still the old domain name (which can still be resolved from nslookup to the new dc).

When I try to update it to the new domain I get:

Operation failed. Error code: 0x214d
While processing the change of the DNS host name for an object,
the synchronization of the service principal name (SPN) values
could not be maintained.

0000214D: SvcErr: DSID-033E0FDC, problem 5001 (BUSY), data 87

But all SPNs are set correctly (manually by me) with setspn:

C:\>setspn -l dc1
Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=newdomain,DC=lan:
        WSMAN/dc1.newdomain.lan
        WSMAN/dc1
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/dc1.newdomain.lan
        MSSQLSvc/dc1.newdomain.lan:SUSDB
        GC/dc1.newdomain.lan/newdomain.lan
        HOST/dc1.newdomain.lan/newdomain.lan
        HOST/dc1.newdomain.lan/newdomain
        TERMSRV/dc1.newdomain.lan
        RestrictedKrbHost/dc1.newdomain.lan
        ldap/dc1.newdomain.lan/ForestDnsZones.newdomain.lan
        ldap/dc1.newdomain.lan/DomainDnsZones.newdomain.lan
        ldap/dc1.newdomain.lan/newdomain.lan
        ldap/dc1.newdomain.lan/newdomain
        ldap/dc1.newdomain.lan
        HOST/dc1.newdomain.lan
        DNS/dc1.newdomain.lan
        ldap/dc1.olddomain.lan/newdomain
        HOST/dc1.olddomain.lan/newdomain
        ldap/f6504b59-4d01-4a52-88fb-f57f5899fe49._msdcs.newdomain.lan
        ldap/DC1/newdomain
        HOST/DC1/newdomain
        RPC/f6504b59-4d01-4a52-88fb-f57f5899fe49._msdcs.newdomain.lan
        GC/dc1.olddomain.lan/newdomain.lan
        ldap/dc1.olddomain.lan/ForestDnsZones.newdomain.lan
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/f6504b59-4d01-4a52-88fb-f57f5899fe49/newdomain.lan
        ldap/dc1.olddomain.lan/DomainDnsZones.newdomain.lan
        HOST/dc1.olddomain.lan/newdomain.lan
        ldap/dc1.olddomain.lan/newdomain.lan
        MSSQLSvc/dc1.olddomain.lan:SUSDB
        DNS/dc1.olddomain.lan
        RPC/f6504b59-4d01-4a52-88fb-f57f5899fe49._msdcs.olddomain.lan
        ldap/DC1
        ldap/dc1.olddomain.lan
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/dc1.olddomain.lan
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dc1.olddomain.lan
        TERMSRV/DC1
        TERMSRV/dc1.olddomain.lan
        WSMAN/dc1.olddomain.lan
        RestrictedKrbHost/DC1
        HOST/DC1
        RestrictedKrbHost/dc1.olddomain.lan
        HOST/dc1.olddomain.lan

Also in the event log I get this event:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          03.11.2014 15:55:10
Event ID:      1224
Task Category: Internal Processing
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      dc1.newdomain.lan
Description:
The local domain controller encountered an error while attempting to automatically update information on one or more computer, settings or server objects.

This operation will be retried after the following interval.

Interval (minutes):
5

Additional Data
Error value:
5 Access is denied

Internal ID:
32b0954
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" /><EventID Qualifiers="32768">1224</EventID><Version>0</Version><Level>3</Level><Task>9</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime="2014-11-03T14:55:10.570355200Z" /><EventRecordID>766</EventRecordID><Correlation /><Execution ProcessID="572" ThreadID="696" /><Channel>Directory Service</Channel><Computer>dc1.newdomain.lan</Computer><Security UserID="S-1-5-7" /></System><EventData><Data>5</Data><Data>32b0954</Data><Data>5</Data><Data>Zugriff verweigert</Data><Data></Data></EventData></Event>

My idea was to join a new DC, demote dc1 and re-join it again, but as you see, I can't join a new DC. I rebooted dc1 many times in the hope it would repair itself :)

Any other idea?


ADFS3.0 and Web Application Proxy publication


Hi,

I am trying to use Web Application Proxy to publish a site with /adfs/ls/ in its URL but it seems to fail miserably with a 404 error.

The first step was to set up 3 ADFS 3.0 servers (let's call them A, B and C); B and C are added as "claims providers" on A and one application is added as a "relying party" on A. When accessing the application, it goes to A to ask which site I want to authenticate to and then redirects to either B or C according to the email address I entered. so everything it

Next step, I'd like to put everything behind a reverse proxy. So I installed another Win2012R2 server (let's call it P) and installed the WAP role. On first start, I configured it with the wizard to proxy A. Then I'd like to publish B, so I add a publication rule with https://B/ as both internal and external URL. From P I can reach https://B/adfs/ls/idpinitiatedsignon; from any other computer I can't reach https://B/adfs/ls/idpinitiatedsignon, it returns a default 404 error. The request goes to the proxy but is not redirected to B as I expected.

I then added a publish rule for https://github.com (and updated the hosts file of my test computer). Reaching https://github.com/adfs/ls/idpinitiatedsignon from P, I get the GitHub 404 page, and from any other computer I get the same default 404 error page (like the B test). Again, the request goes to the proxy but never makes it to GitHub. Moreover, if I try to reach https://github.com/adfs/xxlsxx/idpinitiatedsignon I get the GitHub 404 page.

To me it looks like WAP is looking for "/adfs/ls/" in any request and tries to answer without taking the publish rules into account. Am I right? Is there anything I can do to change that behaviour?

I tried to change the URL ACL rules (with the netsh http command) but without luck so far.

Thank you in advance



Update samAccountName


Hi,

I have a user list for which the samAccountName attribute needs to be changed. I want to add "0" in front of every samAccountName in the list. I would appreciate your earliest reply.

Thanks.
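Renaming sAMAccountNames in bulk has three traps: the new name may already exist, sAMAccountName is limited to 20 characters, and the userPrincipalName is a separate attribute that Set-ADUser does not touch. The script below is an added example, not part of the post or its answers; it reads the list from a text file (one sAMAccountName per line, path is a placeholder), checks all three points, and previews with -WhatIf until -Commit is given.

```powershell
# Added example, not part of the original post. Prefixes each sAMAccountName
# in a list with "0" after checking the target name is free and short enough.
Import-Module ActiveDirectory

function Rename-SamAccounts([string[]]$Names, [string]$Prefix = '0', [switch]$Commit) {
    foreach ($raw in $Names) {
        $old = $raw.Trim()
        if (-not $old) { continue }
        $new = "$Prefix$old"

        $user = Get-ADUser -Filter { sAMAccountName -eq $old } -Properties userPrincipalName
        if (-not $user)             { Write-Warning "${old}: not found"; continue }
        if ($new.Length -gt 20)     { Write-Warning "${old}: '$new' exceeds 20 characters"; continue }
        if (Get-ADObject -Filter { sAMAccountName -eq $new }) {
            Write-Warning "${old}: '$new' already exists"; continue
        }

        # -WhatIf unless -Commit was given; AD changes are not transactional,
        # so keep the output as the record of what was (or would be) renamed
        Set-ADUser -Identity $user -SamAccountName $new -WhatIf:(-not $Commit)
        [pscustomobject]@{ Old = $old; New = $new; Upn = $user.UserPrincipalName; Applied = [bool]$Commit }
    }
}

$list = Get-Content 'C:\temp\users.txt'      # assumption: one sAMAccountName per line
Rename-SamAccounts -Names $list              # preview only
# Rename-SamAccounts -Names $list -Commit    # apply
```

Decide separately whether the UPN (jdoe@domain) should follow the new name; users who sign in with their UPN or have it bound to mail or federated logins are not affected by the sAMAccountName change alone, while anything keyed on DOMAIN\jdoe (service configs, saved credentials, file shares scripted by name) is.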

impact of having the fsmo role holders not available for 14 hours...


Hi everyone, we have a situation where we will lose power to the building for 14 hours, and since we don't have a generator we'll be shutting down our main site. We have 15 sites, each has a DC, and the HQ site has two with the FSMO roles distributed between the two at HQ. So two questions to start with:

1. What will be the impact of having the fsmo role holding domain controllers inaccessible for a period of 14 hours?

2. What will we be facing once we regain power and turn the hq dc's back on?

Look forward to hearing back about this - the power outage is this weekend though!!

How to configure Active Directory to listen on non-default port for LDAP ?


By default, Domain controllers listen on port 389 for LDAP queries.

Is there a way to modify the port number? Please let me know the steps to modify. What are the other things to be taken care of while changing the default port? like any change in DNS server, etc. Are there any other implications ?

Need recommendation regarding domain admin permission


Hi,

Recently we got a request from the IT security team to remove domain admin privileges from every IT user account, even the Sr. System Administrator's. As per them it is not recommended to log in with a domain admin account on a workstation, so they asked me to create a standalone account for workstations and use the domain admin account only for logging in to servers.

I need someone's recommendation regarding this, and if you agree, please mention some points on why it is not recommended to have domain admin privileges on a System Administrator's daily-use account.

I would appreciate your quick response regarding this.

Regards,

Hakim. B 


Hakim.B Sr.System Administrator
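The reason behind the security team's request is exposure: whatever runs on a workstation where a Domain Admin logs on (browser, mail client, malware) runs with, or can lift, credentials that control the whole forest, so a separate daily-use account keeps a workstation compromise from becoming a domain compromise. The script below is an added example, not part of the post or its answers; it shows where Domain Admin accounts are actually being used by reading Kerberos TGT requests (event 4768, which every DC logs with the client IP) for members of Domain Admins. It assumes the ActiveDirectory module, remote read access to each DC's Security log, and a 24-hour window.

```powershell
# Added example, not part of the original post. Lists, per Domain Admins
# member and client IP, how many TGT requests (event 4768) the DCs recorded.
# Addresses that are workstations are places a DA credential was exposed.
Import-Module ActiveDirectory

function Get-DomainAdminTgtRequests([int]$Hours = 24) {
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty SamAccountName
    $since  = (Get-Date).AddHours(-$Hours)
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = 4768; StartTime = $since
            } |
            ForEach-Object {
                # EventData fields are easier to read from the XML than from the message text
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                if ($admins -contains $d['TargetUserName']) {
                    [pscustomobject]@{
                        DC            = $dc.HostName
                        Time          = $_.TimeCreated
                        Account       = $d['TargetUserName']
                        ClientAddress = ($d['IpAddress'] -replace '^::ffff:', '')
                        Status        = $d['Status']      # 0x0 = TGT issued
                    }
                }
            }
        }
        catch {
            # "No events were found" and RPC/firewall failures both land here
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

Get-DomainAdminTgtRequests -Hours 24 |
    Group-Object Account, ClientAddress |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Enforcement, once the separate admin accounts exist: in the GPO linked to
# the workstation OUs, add Domain Admins to "Deny log on locally" and
# "Deny log on through Remote Desktop Services" (User Rights Assignment).
# Then the question "who used a DA account on a workstation" turns into a
# failed logon (event 4625) instead of a successful one.
```

The TGT view only shows where the account authenticated from; the workstation's own 4624 events (logon type 2 interactive, 10 remote interactive) are the definitive record and are what the deny rights above will turn into failures.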
