Channel: Directory Services forum

non-authoritative restore vs new server


Hi all.

Why do we non-authoritative restore? Much easier to promote new server and replicate it.


Add AD DS Role to Server 2012R2 fails 0x800f0831


Windows Server 2012 R2 on ESXi 5.5 10GB RAM 200GB HD

Add Role AD DS fails

Using Server Manager to install AD DS fails with error 0x800f0831. As a test I can add the DHCP role, which works fine, and remove it again, also fine.

I have tried reboots etc. All fully patched apart from the Nov 2014 rollup package. No other roles or software running. The machine is on an existing domain with no errors.

I have also installed .NET Framework 3.5, as I suspected the error may be indicating that was needed. It installed fine, but no change: adding the AD DS role still fails exactly the same way (at about 75% of the blue bar).

recover deleted GPO 2008


I had a bad accident this morning.  To make a long story short, I accidentally deleted a GPO.  It was called "Employees".  As you can guess, it contained a few groups, like Finance, QC, and Engineering, for instance. The domain has one 2008 R2 and one 2008 DC, both are GC. Domain functional level is 2008, Forest level is 2003.

To make matters worse, I don't have a good backup of the System State, or the GP.  Also, the replication has occurred to the only other DC in the domain.  As God is my witness, I will never be put in this position again.

I know that AD objects are tombstoned, and so I should be able to recover them.  I'm looking for a way to recover these items, intact. 

Any/All suggestions are welcome.


active directory application partition cross - reference object GUID

Hi,

In the "How Data Store Works" web page on the TechNet website, in the "GUID names for cross-reference objects" section, it says:

"In the case of application directory partitions, there is no
associated NetBIOS name, only the DNS name. Given the nature of DNS
hierarchical naming, which allows identical left-most name components,
a cross-reference object cannot use the left-most DNS name component
as its relative distinguished name. For this reason, cross-reference
objects that reference application directory partitions use ** their
object GUID **as their relative distinguished names."

My question is: **their object GUID**, what object is that?
The cross-ref object's GUID is different from the object GUID written
in the CN attribute. I also checked the object GUID of the application
directory partition, and that's different too. I tried to use ldp to
find the object based on the GUID attribute, but it says the object was not
found.

I would be very glad if you could help with this.

Thank you.

Windows 2003 R2 to Windows 2012 R2


We are in the process of upgrading AD from Windows 2003 R2 to Windows 2012 R2. Are there any good articles on this?

Also, how should the forest trust be taken care of during the upgrade? We have applications that use NTLM; what is the recommended option if the application does not support NTLMv2?

Are there any good utilities that I can run on AD to let me know which applications are authenticating with AD?

How to setup DNS on RODC


Hi, I've recently set up an RODC for a branch office without the DNS server role; however, now I need to add the role. How should I set up DNS so it is able to retrieve from an RWDC with AD-integrated DNS?

Thanks for any info.

Primary Admin account in AD locked out


Hi,

The primary admin account (the account used to create this forest) on the domain controller is showing as locked out. We have admin tools installed on a different computer and we can just see that the account is locked out. The password policy is configured for 5 attempts. Is it possible that the primary Admin account can also be locked out? As per my understanding, it will be locked out and will be unlocked the moment we enter the correct password.

Regards

Saurabh

Different logon server and Group Policy server


Hi,

While troubleshooting some Group Policy related issues I happened to see different logon servers and a different "Group Policy was applied from" server.

When I run nltest and the SET L command I get a different server.

When I run gpresult /r I get a different server under "Group Policy was applied from".

The interesting part is that both servers are in the same site.

Also, if I just run ping domainname I get a different server. I checked on a few machines and on almost every machine it is going to a different server.


DNS issues from one domain controller to another (but not the other way) nslookup DNS request timed out


Hi All

I've been trying to trudge my way through an issue our client is having, but I'm getting nowhere fast. This issue was discovered when searching for why users at our second site were experiencing slow logons every morning (5-10 minutes to log in).

Within our domain there are two domain controllers for the child domain we manage.

DC1 has a connection back to the parent DCs (managed by our client's parent company), and also replicates both ways with DC2. DC2 is at another site, on another subnet, and replicates to and from DC1 only.

DC2 appears to have no issues, it can resolve any address, nslookup either using itself or DC1 is fine and name servers resolve fine.

DC1 has massive issues with DC2: using it for nslookup gives me a "DNS request timed out" error.

I get this timeout error for internal and external names, but both DCs are able to ping and access the internet with no issues.

When trying to resolve name servers from DC1, DC2 sits at 'validating' for a while and then comes back with 'a timeout occurred during validation'.

Restarting DNS Server, NETLOGON and registering in DNS from DC2 had DC1 talking to it fine for a few minutes, but then it went back how it is (and I haven't been able to replicate this fix since).

Reverse DNS zones are set up for all the subnets used; there are A records and PTRs for both DCs.

Performing 'ping -a dc2.ip.address' from DC1 comes back fine, so it knows what it is in both directions (name and IP), but nslookup and name server resolution are still failing.

I just don't know where to go from here; from everything I've read they should be happy... Any ideas?

The server does not support the requested critical extension (0x8007202c)


Hello guys,

The symptom is the same as the one in the thread "The server does not support the requested critical extension." Exception.

I get the error when calling IDirectorySearch::GetNextRow. As far as I can observe, the error is triggered when retrieving another page of records. The LDAP path to connect is "GC://<FQDN_of_GC>". The search filter is (&(|(objectClass=group)(objectClass=msExchDynamicDistributionList))(mailnickname=*)). There are about 100 thousand group objects in the forest, so the answer in that thread does not help.

Any thoughts?

Thanks.

Msts.cn@Outlook.com

Active Directory Users and computers Starting Slowly


Dear Microsoft,

I am using Server 2012 with ADC, DHCP and DNS.

Whenever I open AD Users and Computers it loads very slowly, and after opening, every action is very slow and not responding...

I checked the events and it shows the message below:

The program mmc.exe version 6.2.9200.16496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 Process ID: 2004
 Start Time: 01d00d1b42833369
 Termination Time: 4
 Application Path: C:\Windows\system32\mmc.exe
 Report Id: 830282b8-7b6c-11e4-948d-3440b5a3de19
 Faulting package full name: 
 Faulting package-relative application ID: 

How to find out what computers user logged on? (not at the moment but history)


Domain Controller: Windows 2012 R2. Unfortunately, I don't manage the DC, only my own OU (computers and users).

I have a user working the midnight shift reporting that he received the error message "The Group Policy Client service failed the logon. Access denied." He uses multiple PCs and he did not remember which PC gave him the error message. How do I find out which computers he logged on to? I have access to my domain OU. I can manage my own Computers and Users objects in my domain (no domain controller in my department).

I searched the internet, but most results are about finding out which computer a user is currently logged on to, not the history. Thanks.



Thang Mo

Regarding Active directory configuration

We have one PDC, one backup PDC and 272 ADCs in our organization. All servers communicate with the PDC for replication as per the design. We are facing an issue with replication: the domain DNS zone and forest DNS zone are not replicating and we are getting error 1722. We have created a separate site link for every site, and we put the PDC site and the local site in the site link. What is the best practice for site links, cost and replication timing for 272 ADCs replicating from the PDC?

How to import an .ldif file into AD LDS (data is from Oracle DSEE 7 (Oracle Directory Server Enterprise Edition))


Hi Community,

OS: Windows Server 2008 R2 (do let me know if I have posted in the wrong area).

My experience is lacking in AD LDS; guidance will be greatly appreciated.

Has anyone imported successfully from this format?

Import an .ldif file from DSEE to AD LDS along with the user-defined schema.

If we are doing this on DSEE, the command to run is simply:

dsadm import instance-path LDIF-file dc=example,dc=com

I understand that under AD LDS import is via 

ldifde -i -f filelocation.ldf -s localhost:389 -k -j -c "cn=dc=example,dc=com" #schemaNamingContext

I have also created an application directory partition dc=example,dc=com in AD LDS.

Difference between Windows NT domain registry and Active Directory registry


Explaining "Active Directory" to non technical managers - any suggestions on a visual guide?


Hi folks.

Wondering if this is the right place to ask this question, but you folks may have had the same challenge..

I need to explain at a high level (think in terms of explaining to a 10 year old child) what Active Directory, GPOs, OUs etc. are to a group of non-technical managers.

Do you know of any good resources that I can refer to that might have already addressed this challenge? 

I have to present a slide show and I think it needs to be very visual with nice diagrams etc.

Any links / references to existing resources and material is greatly appreciated!

Thanks a lot


Need to find out which application is causing frequent account lockouts in AD


Hi ,

In my environment two of the user accounts are having frequent account lockouts.

With the help of the event logs on the domain controllers we have found that the account lockouts are happening from their own machines.

Please tell us how we can find out which application on their machines is causing the frequent account lockouts with the help of the event logs, or whether we have some other options.

All of your suggestions are much appreciated.


Thanks & Regards S.Nithyanandham
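One way to chase a lockout back to a process, added here as an example and not part of the forum post: event ID 4740 (A user account was locked out) on the PDC emulator carries the "Caller Computer Name", and on that computer event ID 4625 (An account failed to log on) carries the logon type and the caller process. The script below assumes the ActiveDirectory module is available, that the account running it can read the Security log remotely, and that failure auditing for Logon is enabled on the workstation; the user name and time window are placeholders.

```powershell
# Added example: locate the source computer of a lockout (4740 on the PDC emulator)
# and then list the failed-logon events on that computer (4625), which include
# the calling process name. Not code from the original post.

function ConvertFrom-EventData {
    # Turn the EventData section of a Security event into a hashtable keyed by
    # field name, so fields are selected by name rather than by position.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-LockoutSource {
    # Lists 4740 events for one user from the PDC emulator, which logs every
    # lockout in the domain regardless of which DC processed the bad passwords.
    param(
        [Parameter(Mandatory)][string]$UserName,   # placeholder, e.g. 'jdoe'
        [int]$Hours = 24
    )
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData -Event $_
            if ($d.TargetUserName -eq $UserName) {
                # In 4740, TargetDomainName holds the "Caller Computer Name".
                [pscustomobject]@{
                    Time           = $_.TimeCreated
                    User           = $d.TargetUserName
                    CallerComputer = $d.TargetDomainName
                }
            }
        }
}

function Get-FailedLogonProcess {
    # On the caller computer, 4625 records the logon type, the logon process,
    # and the process (ProcessName) that submitted the bad credentials, which
    # usually points at a stale mapped drive, scheduled task, service or app.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData -Event $_
            if ($d.TargetUserName -eq $UserName) {
                [pscustomobject]@{
                    Time         = $_.TimeCreated
                    LogonType    = $d.LogonType          # 2 interactive, 3 network, 4 batch, 5 service, ...
                    LogonProcess = $d.LogonProcessName
                    AuthPackage  = $d.AuthenticationPackageName
                    Process      = $d.ProcessName        # caller process, when recorded
                    SubStatus    = $d.SubStatus          # 0xC000006A = bad password
                    SourceIP     = $d.IpAddress
                }
            }
        }
}

# Usage (placeholder user name):
$lockouts = Get-LockoutSource -UserName 'jdoe' -Hours 48
$lockouts | Format-Table -AutoSize
foreach ($src in ($lockouts.CallerComputer | Sort-Object -Unique)) {
    Get-FailedLogonProcess -ComputerName $src -UserName 'jdoe' -Hours 48 |
        Format-Table -AutoSize
}
```

If 4625 shows a blank ProcessName with logon type 3, the bad password arrived over the network (for example a mapped drive or a service on another host), and the SourceIP field is the next hop; a logon type 4 or 5 entry points at a scheduled task or service running under the account's old password.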

AD LDS / ADAM using password policy hint to remember password history on reset


Hello,

I'm trying to set a new password for a user (using Java and binding via an account with create permission) and would like AD LDS to use the password policy that states history must be observed.

Even if I set the policy hints OID (as documented at http://msdn.microsoft.com/en-us/library/cc223320.aspx) with the value '0x1' (other developers are using the value { 48, (byte) 132, 0, 0, 0, 3, 2, 1, 1 } in Java with the ASN1OctetString class), it has no effect: previous passwords are ignored and the change occurs.

If I retrieve the rootDSE supported control OIDs or call supportsControl(1.2.840.113556.1.4.2066), or even the same with 1.2.840.113556.1.4.2239, the server reports that it supports it.

One thing that concerns me is that AD LDS or ADAM is not listed on http://msdn.microsoft.com/en-us/library/cc223320.aspx as supporting this, even though the server lists it on the rootDSE in ldp running on the server.

The O.S. here is Windows Server 2012 standard.

Can anyone confirm if this is indeed supported and if so provide any suggestions to enforce it?

Thanks,

Lumus



2012 Domain Prep fails in root domain


Hi

We are trying to introduce 2012 DCs into our root domain.

The schema has updated fine, but the domain prep fails, both on the 2012 server we are trying to promote and when running it directly on the infrastructure master itself.

Replication is good and AD itself seems happy enough. The account has the necessary rights.

Any help gratefully received.

Thanks

The error log contains:

Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=d262aae8-41f7-48ed-9f35-56bbb677573d,cn=Operations,cn=DomainUpdates,cn=System,DC=xxxx,DC=xx,DC=xx.
[2014/12/08:08:32:53.055]
LDAP API ldap_search_s() finished, return code is 0x20
[2014/12/08:08:32:53.055]
Adprep verified the state of operation cn=d262aae8-41f7-48ed9f35-56bbb677573d,cn=Operations,cn=DomainUpdates,cn=System,DC=xxxx,DC=xx,DC=xx.

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.
[2014/12/08:08:32:53.055]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=xxxx,DC=xx,DC=xx.
[2014/12/08:08:32:53.055]
LDAP API ldap_modify_s() finished, return code is 0x13
[2014/12/08:08:32:53.070]
Adprep was unable to modify some attributes on object DC=xxxx,DC=xx,DC=xx.

[2014/12/08:08:32:53.070]
Adprep encountered an LDAP error.

Error code: 0x13. Server extended error code: 0x20b5, Server error message: 000020B5: AtrErr: DSID-03152A9F, #1:
    0: 000020B5: DSID-03152A9F, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9054f (otherWellKnownObjects)

DSID Info:
DSID: 0x181112dd
ldap error = 0x13
NT BUILD: 9600
NT BUILD: 16384

[2014/12/08:08:32:53.086]
Adprep was unable to update domain information.

[Status/Consequence]

Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.

remove domain controller 2008 from active directory


Hi,

I have 2 DCs (2008 R2) and 2 terminal servers; one of them does not get the GPO. After checking everything, I found that my 2 DCs do not replicate well; I can see the difference in the SYSVOL folder.

So, to explain myself, my question is: can I remove the DC (it's not the FSMO DC, it's the second one) and, after removing it, add this DC back?

Do I need to perform some checks before?

After removing it, do I need to delete its DNS records?

After adding the same DC back to the domain, do I need to check something?

Thanks

Zahi
