Channel: Directory Services forum

AD/DNS problems


Pretty generic domain: two DCs, ServerA and ServerB. ServerB crashed one night, and it turned out to be the on/off switch. Once I replaced that, it came back up, but there is a problem with DNS for some reason.

On ServerB, DCDiag /test:DNS gives:

      Starting test: Connectivity
         The host 5e864aa9-dbc3-4258-8b27-69e53267ef60._msdcs.domain.local could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (5e864aa9-dbc3-4258-8b27-69e53267ef60._msdcs.domain.local) couldn't be
         resolved, the server name (serverb.sks.local) resolved to the IP address
         (192.168.1.98) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... SERVERB failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ServerB

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : Domain

   Running enterprise tests on : domain.local
      Starting test: DNS
         Test results for domain controllers:

            DC: ServerB.Domain.local
            Domain: Domain.local


               TEST: Basic (Basc)
                  Error: No LDAP connectivity

            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network adapters

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: sks.local
               ServerB                        PASS FAIL PASS PASS PASS FAIL n/a

         ......................... domain.local failed test DNS

In the DNS console on both servers, ServerB has the correct GUID.  In ADUC, on ServerB, operations masters show ERROR.  If you change them to ServerB, the change takes effect on both servers, but if you change it back on ServerA, it shows ERROR again on ServerB.  The DNS test runs clean on ServerA.

It has only been like this for a day, and frankly I might not have noticed anything, except I made a small change to a logon script, and a user complained the change hadn't taken effect.  Sure enough, no replication.


Backup Restore of ADRMS Database


Hello All. I have an ADRMS database on a physical SQL cluster on a separate instance, but we need to move the instance along with the database to a new virtual SQL cluster. The approach I am looking at is backup and restore.

1. Is this a good approach? Workable?

2. What would be required at the target virtual SQL cluster?
     - Same SQL version?
     - Same instance name?
     - Same service accounts?
     - Same drive letters for database location?


Any help would be appreciated.

Information on restoring a deleted object from Active Directory


Hi Team,

My name is Suresh. I need some information regarding object restore in Active Directory.

When I restore a deleted object using LDP.exe, what changes happen to the object?

1. Will the object be restored to where it was deleted from?
2. Will the object have all its group membership settings?
3. What property changes will happen in the object?

Please explain.

Thank you in Advance :-)

Reg,

Suresh

Logon Server N/A


Ok,

So here is the dilemma, which I honestly have been on for the past month, and I can't seem to track down the issue. It hasn't been just me either; there was a support case created with Microsoft, and they can't seem to figure this out either, so if I get no replies here I understand why. (Open to suggestions.)

The issue is that the domain logon server itself is disappearing, which in a high-load environment I would understand and think is likely an issue with over-utilization. The environment here is 34 people, and at any given time there are only 20 - 25 in the office. But, for whatever reason, I am getting clients disconnecting from the domain controller. I created a domain policy to try to force the systems to wait for the network, thinking this would at minimum point out whether this is a network issue or a server issue, but the policy setting doesn't seem to make a difference. (Wait for network and require domain controller to log into the PC.)

The DC is a 2k8 server x64 running 64GB of DDR2 registered memory.

It has 2 8-core Xeon processors.

It is a RAID 6 with SSDs that do 6GBPS.

The server is fully patched, all drivers (NIC and all) have been updated, and there is no NIC teaming.

The server is rebooted 4 times a year, once every 3 months.

The network is a gigabit network using Cat6 and Juniper hardware.

There are no internal firewalls and the servers do not run an AV.

The desktops are all Windows 7 x64 and vary as to hardware, with the worst being Core 2s and the best being i7s.

Memory varies from 4GB - 16GB.

Hard disks are all at least 250Gb and SATA 7200RPM.

All the Windows 7 machines are updated weekly with WSUS.

All the Windows 7 machines have an AV installed, all the same; all have the firewall turned off and network discovery turned on.

They were all clean builds, never using Ghost or any cloning.

I haven't been able to track down where the issue is coming from, has anyone else seen this issue? 


Rob

Unable to pre-create RODC account


Hello everyone!

I have one domain controller on Windows 2012. I recently upgraded it to Windows 2012 R2. Now I am unable to create an RODC account. After I specify info about name, site, etc., the install begins, but after some seconds I receive an error:

The operation cannot continue because LDAP add operation failed: object "CN=ServerName,CN=Domain System Volume (SYSVOL share),SN=File Replication Service,CN=System,DC=domainname,DC=domainname', error: 2 (The system cannot find the file specified.).

The Sysvol and Netlogon shares work fine. I see them in net share and I can connect to them from the network. The SysvolReady key is 1. dcdiag /test:netlogons passed.

Can anybody help me?

MSA Account Naming Rules?


Hi, this is originally from https://social.msdn.microsoft.com/Forums/sqlserver/en-US/f15bd9f3-2e14-42e1-a6d0-576f7dd74ded/msa-account-naming-rules?forum=sqlsetupandupgrade. Does anybody know of any special naming rules for MSAs? We have an issue with embedded $ characters in the name. I have seen others report issues when using more than 15 characters, but have not tried it myself. For the $ within the account name, there was no error creating the account; however, the account was not to be found. It works fine once we removed the embedded $ chars. Is this a known limitation in directory services or the tools used to manage it? I'm interested in knowing the details because we are starting to use MSAs. A naming standard will be affected by rules - hopefully now rather than later. Thanks.


Randy in Marin

What does Microsoft recommend on installing a SIEM agent on AD and Exchange?


Can you please advise what Microsoft's best practices are on installing SIEM agents on AD and Exchange for log collection?

For instance, the QRadar solution insists on installing WinCollect on AD and Exchange, but I am reluctant, fearing that it will use compute and memory resources and create bottlenecks.

I would rather collect information through WMI.

Any Microsoft document strengthening my opinion?


Ikhlass M. Wardally

Discussion on Windows Server Active Directory services


Please find the replication report below. The domain partition is not replicated (showing as never replicated), the other 2 are replicated, and finally the domain DNS zone and forest DNS zone are failing with a 1722 error. What could be the problem here?

Destination DSA (site + name) | Naming Context                          | Source DSA Site | Source DSA | Transport Type | Number of Failures | Last Failure Time | Last Success Time | Last Failure Status
SDCDSR-BLRSDC-DC01            | DC=DSR,DC=IN                            | Puttur          | PUT_R1     | RPC            | 0                  | 0                 | (never)           | 0
SDCDSR-BLRSDC-DC01            | CN=Configuration,DC=DSR,DC=IN           | Puttur          | PUT_R1     | RPC            | 0                  | 0                 | 12/10/2014 14:02  | 0
SDCDSR-BLRSDC-DC01            | CN=Schema,CN=Configuration,DC=DSR,DC=IN | Puttur          | PUT_R1     | RPC            | 0                  | 0                 | 12/10/2014 14:15  | 0
SDCDSR-BLRSDC-DC01            | DC=DomainDnsZones,DC=DSR,DC=IN          | Puttur          | PUT_R1     | RPC            | 110                | 12/10/2014 11:33  | (never)           | 1256
SDCDSR-BLRSDC-DC01            | DC=ForestDnsZones,DC=DSR,DC=IN          | Puttur          | PUT_R1     | RPC            | 110                | 12/10/2014 11:33  | (never)           | 1256


Migrating ADFS 2.0 from Win Server 2008 R2 to new Win 2008 R2 server


Hi,

I would like to know if there are any instructions available on how to migrate ADFS 2.0 service to a Win 2008R2 server. The only guides I have found are about migrating from 2008R2 to 2012R2.

I would very much appreciate it if someone could shed some light on how to do this.

Thanks

//Cris

Communicating with DCs on their NAT address


Hi,

I've recently been asked to manage a small 2003 domain, called “school-dom”. The DCs are on a 192.168.2.xx address  and hosted at the HQ site. Several satellite sites have PCs which remotely connect in. These PCs are all on 10.216.xx addresses. NAT is used to communicate with the DCs, which has been done by configuring NAT at the firewall and adding AD DNS A records for both DCs with their 10.216.xxx NAT addresses.

An issue was discovered whereby the DCs deleted these DC NAT A records from DNS, so the previous admin decided to perform a deny system on the DC’s 10.216.xx A records to get around the auto delete. This setup used to work, but we've recently hit an issue whereby when a new PC is put on the 10.216.xx network and an admin tries to add it to the domain, the PC fails to join the domain. Pinging the domain name and doing an nslookup against the domain returns the correct internal IP of the DCs on their 192.168.xx addresses, but the PCs on the 10.216.xx network can’t communicate with the DCs on 192.168.xx addresses. Why this worked before and not now, nobody knows. If a host record is added on the client mapping the school-dom domain to the NAT IPs of the DCs, then domain join works. The clients can ping and tracert to the DCs on the NAT address, but not the internal 192.168.xx addresses. Domain ports are open from the client to the DCs (tcp 123, 135, 3268, 389, 445, 53. UDP 53, 88, 123, 135, 3268, 389, 445)

I've been asked to come up with a solution of resolving this without making client side changes (e.g. hosts file). I’m thinking of:

1. Checking with networks to see if it’s possible to route traffic rather than NAT. If doable, then get rid of the DC NAT addresses.
2. Introducing a new 2008 R2 DC and configuring proper sites and assign the DC with a 10.216.xx address.
3. Making the registry change in the article above (least preferred).

Some advice on resolving this would be appreciated.



Random Kerberos error KRB_AP_ERR_MODIFIED on boot up of Windows 7


Hello,

For a few weeks now we have been stuck on a problem with kerberos errors randomly showing up on boot up of our Windows 7 clients.  We have concluded that these random errors show up far more often on wireless notebooks, and for some reason more often on some than on others.  

I have done wireshark captures of a notebook when it is working and when it is not working.

As you can see, in the top image (you will have to zoom in on the page in your browser), when it is working it shows that it connects with no kerberos error and it connects to the dns name of the server, in this case DC1.domain.ca and downloads the policy.

When it is not working it will give the kerberos error, and then try to connect to the hostname of the server \\dc1\ipc$ and it will fail to read the group policy.

I have done a lot of research and I know about resetting the domain controller computer account, checking the SPNs, verifying that the secure trust relationships are good between the servers, checking for duplicate DNS entries, etc.

The problem I have is why is it so random.  All of the posts online talk about these problems and the solutions, but they never mention that it is completely random.  I can reboot this laptop 5 times and it will work perfect, but then it won't work 3 times in a row, then it goes back to working again.

Am I completely off track in trying to fix errors on the DCs, and should I be looking at a hardware issue or a driver problem on the client side?

One other note is that when you get a kerberos error on boot up, if you wait up to 30 seconds, the client will try the connection again and it will succeed with the connection just as it is in the working one.  This is great, but most users have already tried logging in within 30 seconds and the GP's have then already failed.

Thanks,

Dan.


Regarding Active directory configuration

We have one PDC, one backup PDC and 272 ADCs in our organization. All servers communicate with the PDC for replication as per the design. We are facing an issue in replication: the domain DNS zone and forest DNS zone are not replicating, getting a 1722 error. We have created a separate site link for each site, and we put the PDC site and the local site in the site link. What is the best practice for site link cost and replication timing for 272 ADCs from the PDC?

Domain Controller not replicating


Hi Guys,

I have a VM that's a DC, but it runs a demo Server 2012. I would like to create another DC and license it properly, but I have tried creating another VM and it doesn't replicate. As soon as I shut down my original DC, the Active Directory on the new one goes blank and I get errors. I also tried promoting my host server to a DC and I get the same problem. The Sysvol share doesn't replicate. My DNS settings on each server point to each other, as I have read on various forums. Not sure what's really going on; is it because my DC is a demo Windows? Please assist me with this problem, thanks.

Regards,

Jevon.

Active Directory Sites configuration


Hello All,

We have 4 sites in AD and each site has 2-3 domain controllers. These sites are physical and represented correctly in AD sites and service with correct subnets associated to each site name.

My only concern is that when I look at inter-site transports, under IP there is only the Default site link and no other links.

What does this mean? Is this not correctly configured?

Thanks in Advance!!

AD account keeps locking out every 10-15 minutes, references TMG server


a. Issue began last Thursday (Office 2003, XP); PC has since been replaced with Windows 7/Office 2010 (new PC, new PC name).

b. Password has been changed multiple times and forced on different DCs, also changed back to the original password.

c. Exchange account was removed from iPhone, added back on, removed. iPhone was turned off for a day and it still occurred.

d. User logged off and it still occurs.

e. Used LockoutStatus and EventCombMT:

- It's not another PC.

- The only DC and lockout events point to a TMG server. The TMG server points to no culprits or errors.

f. Bad attempts come in bursts of 4 or 1 at a time, hit 10, then lock the account out.

g. Nothing in OWA, no forwarding, no malware (new image) and no PCs she logged in to. Home PC is offline; just in case iTunes or something was running, it was powered down yesterday. All nearby PCs rebooted just in case.

h. No vaulted/cached creds in Windows.

i. New Office and Windows profiles tested.

"Their password has been set, mailbox moved, active sync enabled/disabled/enabled, pc reimaged to Windows 7, new profiles and multiple password resets including back to their original password and again to a new password. Exchange was removed from her phone for two days and added back on today without a change (iphone"

example DC errors:

MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon Account: xyz  Source Workstation: Cremovedservername Error Code: 0xc0000234 

4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Wed Dec 10 13:44:39 2014,No User,The computer attempted to validate the credentials for an account.    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon Account: xyz Source Workstation: Cremovedservername   Error Code: 0xc000006a 
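A scripted version of what step e above does by hand: read 4776 lines in the EventCombMT-style layout quoted just above, count bad-password failures per (account, source workstation), spot the bursts, and tie each lockout to its last source. This is an added example, not part of the original post; the event lines are constructed, and the workstation names, timestamps and the `_line` helper are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fields of a 4776 message in the layout quoted in the post (EventCombMT style).
FIELD_RE = re.compile(r"Logon Account:\s*(?P<account>\S+)\s+Source Workstation:\s*"
                      r"(?P<ws>\S*)\s+Error Code:\s*(?P<code>0x[0-9a-fA-F]+)")

def parse_4776(line):
    """Parse one 'id,type,provider,time,user,message' line; None unless it is a 4776."""
    parts = line.split(",", 5)
    m = FIELD_RE.search(parts[5]) if len(parts) == 6 and parts[0] == "4776" else None
    return m and {"time": datetime.strptime(parts[3], "%a %b %d %H:%M:%S %Y"),
                  "account": m["account"], "workstation": m["ws"] or "<blank>",
                  "code": m["code"].lower()}

def attribute_failures(lines):
    """Return (bad_pw, lockouts): bad-password (0xc000006a) counts per
    (account, workstation) and (time, account, workstation) per lockout (0xc0000234)."""
    bad_pw, lockouts = defaultdict(int), []
    for ev in filter(None, map(parse_4776, lines)):
        key = (ev["account"], ev["workstation"])
        if ev["code"] == "0xc000006a":
            bad_pw[key] += 1
        elif ev["code"] == "0xc0000234":
            lockouts.append((ev["time"], *key))
    return dict(bad_pw), lockouts

def burst_sizes(lines, account, workstation, gap_seconds=60):
    """Sizes, in time order, of one source's bad-password bursts (an event more than
    gap_seconds after the previous one starts a new burst)."""
    times = sorted(ev["time"] for ev in filter(None, map(parse_4776, lines))
                   if ev["code"] == "0xc000006a"
                   and (ev["account"], ev["workstation"]) == (account, workstation))
    sizes, last = [], None
    for t in times:
        if last is None or (t - last).total_seconds() > gap_seconds:
            sizes.append(1)
        else:
            sizes[-1] += 1
        last = t
    return sizes

def _line(ts, account, ws, code, kind="AUDIT FAILURE"):
    # Constructed event line in the same layout as the output quoted in the post.
    return (f"4776,{kind},Microsoft-Windows-Security-Auditing,{ts},No User,"
            "The computer attempted to validate the credentials for an account.    "
            "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  "
            f"Logon Account: {account} Source Workstation: {ws}   Error Code: {code}")

# Constructed sample (made-up names/times): a burst of 4, a stray 1, a burst of 5, lockout.
SAMPLE_EVENTS = (
    [_line(f"Wed Dec 10 13:44:{s:02d} 2014", "xyz", "TMG-SRV", "0xc000006a") for s in range(10, 14)]
    + [_line("Wed Dec 10 13:49:05 2014", "xyz", "TMG-SRV", "0xc000006a"),
       _line("Wed Dec 10 13:50:00 2014", "xyz", "WS-USER01", "0x0", "AUDIT SUCCESS")]
    + [_line(f"Wed Dec 10 13:54:{s:02d} 2014", "xyz", "TMG-SRV", "0xc000006a") for s in range(20, 25)]
    + [_line("Wed Dec 10 13:54:25 2014", "xyz", "TMG-SRV", "0xc0000234")]
)
```

On the sample, `attribute_failures` attributes all 10 bad passwords to TMG-SRV and `burst_sizes` returns [4, 1, 5], the same "bursts then lockout" shape item f describes.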



Workplace Join Device Authentication Issues


In my test environment, I have created an ADFS 3.0 infrastructure to test out the Workplace Join feature set. I have been able to successfully "workplace join" both an iOS device and a Windows 10 machine. The objects themselves exist inside of Active Directory. I turned on the "Device Authentication" check box under the global authentication policies, but I must still be missing something.

I can't really tell that the "Device Authentication" is actually working. As a test, I turned on MFA required for "Unregistered Devices" and ADFS never really detects the device as "Registered". This would be much easier if I had some sort of error to track down, but there are no particular errors. The successful device registration is written in the event logs, but I'm not sure where else to look for issues.

Just looking for ideas of things to check.

DNS issues from one domain controller to another (but not the other way) nslookup DNS request timed out


Hi All

I've been trying to trudge my way through an issue our client is having, but I'm getting nowhere fast. This issue was discovered when searching for why users at our second site were experiencing slow logons every morning (5-10 minutes to log in).

Within our domain there are two domain controllers for the child domain we manage.

DC1 has a connection back to the parent DCs (managed by our client's parent company), and also replicates both ways with DC2. DC2 is at another site, on another subnet, and replicates to and from DC1 only.

DC2 appears to have no issues: it can resolve any address, nslookup using either itself or DC1 is fine, and name servers resolve fine.

DC1 has massive issues with DC2 - using it for nslookup gives me the following:

I get this timeout error for internal and external names, but both DC's are able to ping and access internet with no issues.

When trying to resolve name servers from DC1, DC2 sits at 'validating' for a while and then comes back with 'a timeout occurred during validation'.

Restarting DNS Server, NETLOGON and registering in DNS from DC2 had DC1 talking to it fine for a few minutes, but then it went back how it is (and I haven't been able to replicate this fix since).

Reverse DNS zones are set up for all the subnets used; there are A records and PTRs for both DCs.

Performing 'ping -a dc2.ip.address' from DC1 comes back fine - it knows what it is in both directions (name and IP) but nslookup and nameserver resolution is still failing.

I just don't know where to go from here - from everything I've read they should be happy... Any ideas?

Add AD DS Role to Server 2012R2 fails 0x800f0831


Windows Server 2012 R2 on ESXi 5.5 10GB RAM 200GB HD

Add Role AD DS fails

Using Server Manager to install AD DS fails with error 0x800f0831. I can add the DHCP role as a test; that worked fine, and removing it was also fine.

Have tried reboots etc. All fully patched apart from the Nov 2014 rollup package. No other roles or software running. The machine is on an existing domain with no errors.

I have also installed .NET Framework 3.5, as I suspected the error may be indicating that was needed. It installed fine, but no change: adding the AD DS role still fails exactly the same way (at about 75% of the blue bar).

Active Directory forests which need to be synced with Office 365 E1 plan

We have multiple local Active Directory forests which need to be synced with an Office 365 E1 plan. How can we do that?

Primary Admin account in AD locked out


Hi,

The primary admin account (the account used to create this forest) on the domain controller is showing as locked out. We have admin tools installed on a different computer and we can just see that the account is locked out. The password policy is configured for 5 attempts. Is it possible for the primary Admin account to be locked out as well? As per my understanding, it will be locked out and will be unlocked the moment we enter the correct password.

Regards

Saurabh
