Quantcast
Viewing all 31638 articles
Browse latest View live

Domain Controller not replicating

November 27, 2014, 11:08 am
$
0
0

Hi Guys,

I have a VM that's a DC but it runs a demo server 2012...I would like to create another DC and license it properly, but I have tried creating another VM and it doesn't replicate. As soon I shutdown my original DC the Active Directory on the new one goes blank and I get errors. I also tried promoting my host server to a DC and I get the same problem. The Sysvol share doesn't replicate. My DNS settings on each server points to each other, as I have read on various forums. Not sure what's really going on, is it because my DC is a demo windows? Please assist me with this problem, thanks.

Regards,

Jevon.

Search

Roaming profile on Windows Server 2012 R2: Profile doesn't get created when logon to Domain Controllers

November 25, 2014, 1:49 am
$
0
0

Hello,

I have 2 domain controllers running Windows Server 2012 R2 Standard across countries in one domain.

My goal is: Users should logon to any one of the Domain Controller and should get the same profile.

I have created a shared folder on 1 DC and specified it's network path for roaming profile in all user's properties in AD.

The issue is, when I logon to any DC using Domain User, I can logon successfully, but user profile doesn't get created in the shared folder. So, when I logon to other DC, I  don't get the same profile contents. As it is creating profile locally on DCs.

I don't want to join any PCs to my domain. I want users to take RDP of DCs and use them with same profile on both DCs.

Please help me to resolve this issue.

Thank you in advance.

Regards,

Shailesh

Windows 7 workstation

November 27, 2014, 11:25 am
$
0
0

Hi All,

Can anyone help me to know below issue.

I tried to login on my workstation today and unfortunaetly i got a msg stating to change your password ( which bydefault  users passwords should get changed  after 30days and can be changed by admin priveledge if required) * Please correct me on this point.

Issue: when i changed my password it process for it  and got changed but what i am looking for the answer is what exactly its performing in the background and its show's a curser rotating for some seconds, so how is my worksation  getting updated with password and also in my AD account environment.

Any link or article which can clear my doubt ?

Thanks

Atul Srivastava

Running Dcpromo Failed

November 27, 2014, 10:04 am
$
0
0
could anyone Please tell me the cause while doing DCPROMO and its perform nothing on the screen.

what can be a root cause for this issue and how can i troubleshoot this kind of issue.

Scenario : a newly configured Windows server2008 r2 and RUN - dcpromo for AD installation.

please check nameing context and try again.

RUN->DCPROMO ( Enter) or CMD -> c:\windows\system32> dcpromo (enter key).

Thanks

Atul Srivastava



Delegating Permissions

November 27, 2014, 6:14 am
$
0
0

We have created a group with some permissions in for our IT Apprentice.

These include create user accounts, reset passwords, unlock accounts, modify membership of a group, join and remove computers from domain and rename computer. 

 The permissions have been assigned to a group and the apprentice is a member of it. All of the permissions work correctly apart from renaming a computer. I created a test use this morning and put that in the same Workstation Admin group it is able to rename machines but the apprentice cant. I've searched about the web but don't seem to be able to find a solution to this.

Any help would be greatly appreciated 



LookupAccountName fails with error The trust relationship between the primary domain and the trusted domain failed

November 25, 2014, 11:01 pm
$
0
0

I have very basic question here...

I have a situation where friend of mine claims that he has a parent child domains created. As they are parent child domains there is two way transitive trust created by default...

But when I try to run Python application which internally calls win32security.LookupAccountName("", LocalSystem), it is taking approx. 2 minutes to complete and fails with exception "The trust relationship between the primary domain and the trusted domain failed " - Error Code -1788

Any idea what could have happened ? And how to resolve this ? Is there any way to verify the trust relationship between these domains ?

DCPROMO a CA failure

November 26, 2014, 5:54 am
$
0
0

Hi, 

I have a certificate authority installed but now I want to promote this server to a domain controller, however when i dcpromo it tells me that I need to remove certifcate services before I can dcpromo? I know its possible to have both on the same server so why does it insist I need to remove the CA before I can promote a DC?

Thanks

Geraint

Issue with cross-forest trust after been working for 6+ months

November 10, 2014, 7:51 am
$
0
0

Hi all

Hoping to get some help on an issue that started today and so far has got me scratching my head. 

We started getting calls from our user base that they could not access mapped drives and desktop shortcuts that points to file servers residing on a different AD forest. They get presented with a login prompt which never happened before.

We can ping domainB.local for the most part, they have some domain controllers around the world we cant connect to.

nslookup domainB.local also works fine. we get about 8-10 domain controllers where we can only get to 6 of them (UK and Germany)

Other troubleshooting info:
using \\SERVERIP\share seems to work. users do not get asked for creds
Opening AD Users and computers on our main Domain Controller we cant change domain to domainB.local we get something about username and password. doing this from the other side seem to work.

hope someone has heard of this before and can offer some assistance.

myself and the team i work for suspect something in DNS but then again we can ping and resolve just fine. users from DomainB.local do not have issues accessing resources our on our side.

Search

DNS nslookup ends with Time out issue

November 18, 2014, 11:36 pm
$
0
0

Dear All,

In my Environment, I am facing the below issue.

Getting Time out error when we use smaller case in server name

C:\>nslookup server101a.mydomain.com
Server:  dns0001.mydoamin.com
Address:  10.52.25.6

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Name:    Server101A.mydomain.com
Address:  10.52.68.89

No errors when we use Uppercase in Server name

C:\>nslookup SERVER101A.mydomain.com
Server:  dns0001.mydoamin.com
Address:  10.52.25.6

Name:    SERVER101A.mydomain.com
Address:  10.52.68.89

Can any one of you please tell me what might be an issue and how to fix this.

Regards,

Thenna

D.Thennarasu

The Naming Context could not be found when demoting DC

September 9, 2014, 11:47 pm
$
0
0

Hi

I have a problem getting a dc demoted. In preparation for this demotion I gracefully moved all the fsmo roles to another dc without any errors. As such I started the demotion process, but got an error saying that the naming context could not be found on the dc I wish to demote (when I run repadmin /showrepl from the dc holding all the fsmo roles).

It fails on the DomainDnsZones directory partition.

Strangely, if I run the exact same command from a third dc as well as the dc I wish to promote no errors are displayed under repadmin /showrepl.

MSA Account Naming Rules?

November 26, 2014, 9:39 am
$
0
0

Hi, this is originally from https://social.msdn.microsoft.com/Forums/sqlserver/en-US/f15bd9f3-2e14-42e1-a6d0-576f7dd74ded/msa-account-naming-rules?forum=sqlsetupandupgrade.  Does anybody know of any special naming rules for MSAs?  We have an issue with embedded $ characters in the name.  I seen other report issues when using more than 15 characters, but have not tried it myself.  For the $ within the account name, there was no error creating the account; however, the account was not to be found.  It works fine once we removed the embedded $ chars.  Is this a known limitation in directory services or the tools used to mange it?  I'm interested in knowing the details because we are starting to use MSA.  A naming standard will be affected by rules - hopefully now rather than later.  Thanks.

Randy in Marin

DCDIAG question

October 31, 2014, 9:53 am
$
0
0

I have 4 2003 DC's that i am running dcdiag on in preperation for an upgrade to a 2012 forest. The forest and domain are at a 2003 level. So far everything is looking good but i do not know what this is. Can someone tell me what this information from DCDIAG means? Also what I need to do to make this come up properly.

Thanks for your help.

Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=DomainDnsZones,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Schema,CN=Configuration,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 

Thanks for your help

IP Based HRD in AD FS Windows Server 2012 R2?

November 28, 2014, 1:53 am
$
0
0

Hi,

At this moment I'm doing a project for a large financial customer in The Netherlands who plans to upgrade their AD FS 2.0 farms to AD FS Windows Server 2012 R2 (3.0).

The reason this customer needs to upgrade is because they are going to migrate from SharePoint 2007 to SharePoint 2013 and the last one is using dynamic URL's when you create a SharePoint App. So to federate with AD FS this is only supported in the latest AD FS version.

The customer is using AD FS to federate with all web applications based on SharePoint technology and some other web applications. The customer is also using multiple IdP's (External, Government, Internal, Customers and Stakeholder organizations) for their Relying Party trusts and does not want users to have a selection screen to select the correct IdP before they login. This is called Home Realm Discovery (HRD).

On their current platform they have customized the web.config and created a HomeRealmDiscovery.asp.cs to create a temporary domain cookie which determines the IP address of the source client and selects the correct IdP when they connect to a Relying Party Trust. This process will be triggered to determine if a user is from an internal client but also to determine if the user is coming from a specific external partner organization. In this case no users will be asked to select their corresponding IdP when they login to an application.

In AD FS 3.0 the HRD process is improved. You can now enable IntranetUseLocalClaimsProvider on the ADFS Properties for the AD FS farm. This solves a part of the problem which will be the determination of internal clients. It however doesn't solve the problem to determine a partner organization based on their IP Address.

The second part of the new HRD improvements (the OrganizationalAccountSuffix which can be set on the AdfsClaimsProviderTrust) aren't much of use in this scenario because not all partner organizations use and will never be using an e-mail address or UPN to login to the application.

I also thought of doing some custom coding in a new Authentication Provider based on the Microsoft.IdentityServer.Web namespace. But I don't know if this will work and how to create this because the namespace is poorly documented for use with AD FS 3.0.

I have found some blog post on the net where a similar scenario is described but they solved it in SharePoint to create a redirect. Since we are not only using SharePoint and we preferably want to have the HRD logic on AD FS and not on the application side this doesn't help very much.

Does anyone have any ideas how i can tackle this issue?

Ps. I'm also considering opening a Microsoft support case.

Thanks


Cor

Technical Consultant Exchange | MCP, MCSA, MCSE, MCTS, MCITP | Blog: http://www.reinhard-online.nl | Follow me on twitter: correinhard | Please, feel free to nominate me for MVP @ https://mvp.support.microsoft.com/gp/mvpnominate

Single sign on between two websites in two different organisations using ADFS

November 19, 2014, 1:20 pm
$
0
0
We know that there are multiple ways to use ADFS for single sign feature. Here is the scenario which I need to resolve:

One .Net web application is on DMZ network within an Organisation. We also have Active Directory on DMZ which have to be used for keeping credentials of users logging into this web application. Another .Net web application is on DMZ network within another organisation. We want to implement Single sign feature in between these two web applications.

The question is if we want to have SSO implemented, then will this be possible by just deploying an ADFS server on first organisation without any ADFS  proxy server? Also, is it fine if we don't have any federation server within second organisation?

Network card DNS configuration in Domain Controller

November 28, 2014, 4:39 am
$
0
0
Hello, Here is the scenario

ABC.COM - Single Domain -Single Forest Architecture. I have 3 AD sites and 2 DCs in each site.

Site A - DC1(PDC, FSMO), DC2(ADC)
Site B - DC3(ADC), DC4(ADC)
Site C - DC5(ADC), DC6(ADC)

All the sites are linked with excellent band width network link.

I don't have a bridge head server config , all DCs act as GCs and an AD integrated DNS server.

I want to know the best way of IP address pointing(Primary DNS IP & Secondary DNS IP) in network card of each DCs in all sites.
Search

Disk2VHD'd legacy 2003 server now can't login or access share

November 27, 2014, 6:34 pm
$
0
0

Hi,

We have a legacy 2003 server which we virtualized using Disk2VHD. Now I am unable to login to the server using a domain account and the shares that were on the original machine are inaccessible. This is the error when I try to login (the domain is definitely not down):

Image may be NSFW.
Clik here to view.

This virtualized server is not ready for production so I don't want to take the old physical machine off the domain and then re-add the virtual server to the domain. Is there another way to get this working?

Export All Contacts with all attributes

November 28, 2014, 1:45 am
$
0
0

Hi ,

Can any one help me to Export All Contacts with all attributes ( with email).

Thank You,

RODC Logon Server Query

May 14, 2013, 10:59 pm
$
0
0

Hi Friends,

I have created a lab enviroment where i have one DC and RODC, and already replication is happening, then i stop the DC to check whether RODC is working, and also i removed user profile from local system, then when i am trying to login to the system login process is happening from RODC cached but its showing logon server showing as DC  server itself,

So my question is if DC is not avaliable then why its showing logon server as a DC.

Please any one help me to over come from this issue.

Regards

Sajin

AD Web Service Error 1202

February 8, 2010, 5:11 am
$
0
0
We are seeing this error every 1 minute on two Windows Server 2008 R2 domain controllers that were recently installed at a remote site:

Source: ADWS
Error: 1202
This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.

Directory instance: GC
Directory instance LDAP port: 3268
Directory instance SSL port: 3269

WinRM load CPU 100%

October 20, 2014, 12:33 am
$
0
0

I have 9 Domain Controllers 2012 (not R2) and one DC 2008R2 in one Domain. Damain has 5 sites. There are some trusted domains. All DCs are VirtualMachines on VmWare. Damain and Forest tevel - 2008R2. 

All 2012 DCs have the same problem. WinRM load CPU on 100% and DC doesn't answer on requests, ping works, RDP try connecting but can't sign-in. The problem appear randomly (not simultaneously) on all DCs. DC 2008R2 works good.

I dasabled WinRM on all DCs and users can works but I need WinRM.

Thanks!

Viewing all 31638 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>