Channel: Directory Services forum

How to remove APIPA IP from Nslookup

Hi,

When running nslookup with my domain name, an APIPA IP is appearing. Kindly help me on how to remove it from nslookup.



I Need user and console information on all the printouts.

Hi to Everyone.

We have a domain network. In this network we have servers, workstations, printers... all are in the domain network, configured through Active Directory.

My question, for example, concerns one workstation (a Windows 7 computer added to the domain) named abcwks1.

> Different users are configured for abcwks1 (workstation) through Active Directory, like admin, operator and so on.

> Suppose I log in on workstation abcwks1 using the admin user (admin@abcwks1). If I send any printout from this workstation, I want the user@console (admin@abcwks1) information on each printout.

> Is there any way to get this information on each printout sent from this workstation, or is there anywhere I can configure this in the Active Directory server?

Note: The printer is also added to the domain. We are able to configure user information in the printer (admin) but not console information (abcwks1). I want both pieces of information, like admin@abcwks1, on each printout.

(We are using Ricoh printers)

AD LDS on Server 2012 Password Policy Question

Hello everyone,

In regards to AD LDS, I am still fairly new and am learning as I go.  Our domain policy does have password policies such as password expiration and complexity requirements.  Based on the reading, I do realize that the policies on the server (GPO or local) will control the settings within LDS.  I have been tasked with attempting to remove the password expiration on the AD LDS accounts at a minimum.

Based on an article I found, I opened ADSI Edit and opened the configuration for the instance.  I went into CN=Services, CN=Windows NT and then CN=Directory Service.  In the properties of CN=Directory Service, I modified the msDS-Other-Settings and changed the 0 to a 1 on ADAMDisablePasswordPolicies.  However, when I go to my test users, the setting msDS-UserDontExpirePassword is still configured to <not set>.

Is there something I am missing?  Does this setting not retroactively set it to true?  Is there a way to change this for all users in one simple location?

Thank you.

EDIT : This is on Server 2012 R2

some users are not able to login

Hi All

Some computers, including servers, are not able to log in to the domain. I am getting the error below:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server bnft-mail02$. The target name used was BNFT-MAIL02$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (B*****.LOCAL) is different from the client domain (B****.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

I have 3 domain controllers: 2 servers are Windows Server 2012 R2 and one is Windows Server 2003.

Action taken: enabled scavenging 2 weeks back, but the problem is still reported.

HSTS Headers for 2012 R2 ADFS

Is it possible to use HSTS (or other custom headers) when using ADFS 2012 R2. Is there a way to configure via HTTP.sys or onboard.js?

Thanks!

The server does not support the requested critical extension (0x8007202c)

Hello guys,

The symptom is the same as the one in "The server does not support the requested critical extension." Exception.

I got the error when calling IDirectorySearch::GetNextRow. As I observe, the error is triggered when retrieving another page of records. The LDAP path to connect is "GC://<FQDN_of_GC>". The search filter is (&(|(objectClass=group)(objectClass=msExchDynamicDistributionList))(mailnickname=*)). There are about 100 thousands of group objects in the forest. So the answer in that thread does not help.

Any thoughts?

Thanks.

 


Msts.cn@Outlook.com

Need KB969166

I'm trying to add a 2012 R2 DC to a very old domain (currently 2003 SP2). There's no ADWS on the old DC. When I try to install, it says I need an update to System.DirectoryServices.AccountManagement. All signs indicate that means I need the hotfix described by KB969166. When I try to download that from Microsoft, I can't seem to. Where can I get my hands on the update to the DLL so I can install ADWS and get my new DC up? Thanks

--  logs from trying to install ADWS, indicating I need System.DirectoryServices.AccountManagement.dll updated:

0.063: ================================================================================
0.063: 2014/12/21 21:41:02.451 (local)
0.063: c:\a11cd3f5b3c77c315020\update\update.exe (version 6.3.19.0)
0.063: Hotfix started with following command line:
0.063: In Function GetReleaseSet, line 1193, RegQueryValueEx failed with error 0x2
0.110: SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType is Equal To Specified Value
0.110: First Condition in Prereq.CheckIfAnyInstanceRunning.Section Succeeded
0.110: Condition succeeded for section Prereq.CheckIfAnyInstanceRunning.Section in Line 1 of PreRequisite
0.125:  SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5 is Present
0.125: SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5\SP is Greater or Equal To Specified Value
0.125: Condition succeeded for section Prereq.CheckCLR.Section in Line 2 of PreRequisite
0.125:  C:\WINDOWS\system32\netlogon.dll is Present
0.125: FileVersion of C:\WINDOWS\system32\netlogon.dll is Greater or Equal To 5.2.3790.4482
0.125: Condition succeeded for section Prereq.CheckDCLocatorQFEInstalled.Section in Line 3 of PreRequisite
0.125:  C:\WINDOWS\Assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll is Present
0.125: FileVersion of C:\WINDOWS\Assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll is Less Than 3.5.30729.4126
0.125: Second Condition in Prereq.CheckSDSAMQFEInstalled.Section Failed
0.125: Condition Check for Line 4 of PreRequisite returned FALSE
0.125: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102
0.125: KB968934 Setup encountered an error:  Setup cannot continue because one or more prerequisites required to install KB968934 failed. For More details check the Log File c:\windows\KB968934.log
0.141: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102
0.141: Setup cannot continue because one or more prerequisites required to install KB968934 failed. For More details check the Log File c:\windows\KB968934.log

Modify Custom AD Attribute Syntax?

I was creating custom attributes for an application and set the syntax wrong. Can I really not remove or fix it? The internet is not  making me very hopeful...

Thanks!


AD Site renamed and DFS error (dfsdiag) regarding wrong static site association

Community

I am running DFS-N and been facing a few issues over the past few weeks. Occasionally unable to access DFS share, my Home share mapping disappearing on the client, etc. Most of the times it works fine, but ideally I would like to get to the bottom of this.

So I ran "dfsdiag /testreferral /dfspath:\\root\homeshare /full" and it gave me the following error

Success: The site associated with the following host name is consistent on all accessible domain controllers: DC-02
Validating the static site association by accessing the registry.
Error: The static site-association of the following host name is not consistent with the site-association in Active Directory Domain Services (AD DS): DC-02
Finished TestSites.

A while ago I renamed the AD Site where this particular DC is located. As this was done more or less at the same time as I did the DFS-N implementation, I don't know whether this site rename is the cause of my problems.

The error is referring to registry. Does anyone know where in registry this information is stored and whether this error could cause issues I mentioned above?

Some help would be greatly appreciated.

Regards,

Thomas

AD FS auto certificate rollover

Hi,

Can someone please confirm the functionality of auto certificate rollover?  We're having an issue where new AD FS certificate has been issued automatically, but the rollover was done manually by setting the new certificate to primary.

The issue is that CRM 2011 did not pick up new AD FS certificate.  I'm not looking for the resolution as there are many out there.  I'm looking for confirmation that if auto certificate rollover was enabled new certificate would have been pushed to CRM and updated automatically.  I know that updating relying party metadata for CRM is probably done manually, as well as resetting AD FS service.

Please can someone shed some light on this?

Thanks.

Windows Server 2008 R2 DNS Entry Auto remove not working

Dear All,

I have configured DNS Ageing for 30 days for removal of unwanted host entries, but it does not work.

Active Directory DNS has all the unwanted hosts in the forward lookup zone as well as the reverse lookup zone.

How to solve this?

Please help

Sunil


SUNIL PATEL SYSTEM ADMINISTRATOR

Any way to filter a large list of Sites in Active Directory Topology Diagrammer?

Hello,

We have about 150 sites in our AD implementation.  I'd like to use Active Directory Topology Diagrammer to just draw a subset, or filter, of all sites.  Can this be done?  If not, anyone know of another way to do this or another product/utility to do this?


Thanks for your help! SdeDot

AD ID Account lockout with caller computer name blank.

I am facing an issue with a few users, as their AD ID is getting locked frequently.

Observation:

During account lockout, security event ID 4740 is getting generated on the domain controller. 

In Additional Information the "Caller computer name" is blank.

Based on various TechNet and other blogs, I carried out troubleshooting with the tools below.

* lockoutstatus
* ALockout.dll
* Psexec.exe
* cmdkey.exe
* Aloinfo.exe
* FindStr.exe
* Netwrix.exe
* ADLockouts.exe
* NlParse.exe

The only hostnames identified by a few of the tools are the users' own hostname, the hostname of the DC and the RADIUS server. But still no saved of any suspicious program or service found on the system or servers.

Does anyone have any idea regarding this issue?

Pls find below snap for the same.


- Sumit Duduskar.

External Domain Trust - Need help ASAP!!!

Hi everyone, I am having trouble with the domain trusts between our domain and an external domain. When I delete the trust and re-add it, sometimes it will validate and sometimes it won't. Here is the error that I get when I try to validate it.

The secure channel (SC) reset on Active Directory Domain Controller \\DC.internal.corp of domain internal.corp to domain external.local failed with error: There are currently no logon servers available to service the logon request.

The secure channel (SC) verification on Active Directory Domain Controller \\DC1.External.local of domain External.local to domain internal.corp failed with error: The specified network password is not correct.

The secure channel (SC) reset on Active Directory Domain Controller \\DC1.External.local of domain External.local to domain internal.corp failed with error: Access is denied.

When I select Yes to reset the password, and I put in my creds, it says the "Parameter is incorrect"

I am an enterprise admin on both domains. I can not figure out what is going on with this. Can anyone help?

Thanks!!

SBS 2003 Migration to 2012 R2 Standard

Hello, I'm sure this has been asked before but I'm not finding the details that I think I need before I proceed with my migration.

Question 1) I've built the 2012 server and I'm logged on as the administrator. Do I start by adding this server to the current domain? Or do I just follow the articles I've seen that talk about adding the Active Directory and DNS roles on this server?

Question 2) If that's correct, can I start the data/shares migration effort once that's done, and what is the best tool to do that with? We've got a handful of shares and approx. 700 GB of data.  I've done some reading on RoboCopy and some other methods but I'm not sure which is the best way to go.

Question 3) Lastly, when the data migration is done, do I then decommission the old server and change the IP and computer name on the new 2012 box so all of the workstations see it as if they were still connecting to the old one?

Thanks for your help...Scott


Tools to scan for Domain admin password -

Hello,

I have been tasked to change the domain administrator password. Before I proceed, I would like to know if there are GUI tools or known scripts provided by Microsoft or a 3rd party that would allow me to scan my domain, or an OU, for services or anyone trying to log in with the domain administrator password.

Thanks!

JOe

Too many automatic connection created by KCC

Hello all,

I am facing an issue where one domain controller is automatically creating connections to all domain controllers (almost all domain controllers in the forest). I have already forced replication with repadmin /syncall /ApePq and also deleted false connections, but it is not helping me. Please help.

Regards

Diwakar

Security-Kerberos Event ID 4 KRB_AP_ERR_MODIFIED for DC, target name cifs/domain

I've been finding this event in logs on computers in my domain recently.  I've seen it on a variety of servers and workstations, so I think it's probably affecting all domain members.  The specific domain controller mentioned in the text of the event varies, it could be any one of our domain controllers.  I'm not sure when it started.  I've been trying to search for a solution, but so far I'm not finding anything that quite fits.  

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          12/22/2014 10:21:55 AM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      HOST.DOMAIN.COM
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DOMAINCONTROLLER$. The target name used was cifs/DOMAIN.COM. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

How can I track down the cause of this issue?


AD LDS and outlook

Hello.

Need help! I have problems with setting up an LDAP server on AD LDS.

My company has a lot of forests with trust relationships. We need a common address book for e-mail, which would contain information about users from all forests. We decided to use AD LDS for this. I created an instance of the service and synchronized it with all domains (downloading only users and only certain attributes: name, phone number, email address). Through ADSI Edit, ldp.exe and other server utilities I can easily connect to the database, and I see all the data and users in it. Dcdiag also returns that everything is OK.

The problem starts when I try to connect this LDAP server as an address book in Outlook and other email clients. Outlook, on any search query, reports that "the required data was not found." When I try to connect via Thunderbird to find anything in the book, the system asks for a password to access the LDAP server, but the password is not accepted. The user through whom I try to connect is available in all bases: in the domain (AD) and inside the AD LDS base. I tried to change passwords in all bases.

Settings in email clients:

Server address: book.mydomain.net (the name of the server on which the AD LDS instance is running)

Port: 389

Search Base (BaseDN): dc = book, dc = corp (the root directory of the AD LDS instance)

Username: mydomain \ UserX (a user who exists both in the domain and within the LDAP directory)

Tried different types of authentication; Outlook connects only with Secure Password Authentication (SPA)

Where can the problem be?


Enabling LDAPS on ALL Domain controllers in a forest

We have two Domain Controllers, in a single domain setup. Both are running 2008R2. I have bought an SSL certificate from a 3rd party CA, and installed it on the DC which is running all FSMO roles, as per these instructions

https://support.microsoft.com/kb/321051?wa=wsignin1.0Public

And I am able to make SSL connections to this DC in LDP.exe.
Then I exported the certificate from Server1's personal store as a pfx file, and imported it into the NTDS/Personal store.
I can still make an SSL connection to Server1, but I cannot make an SSL connection to Server2. I have tried to check in Server2's NTDS/Personal store, but I cannot find the SSL certificate there. Only in Server1's NTDS/Personal store.

According to this
http://technet.microsoft.com/en-us/library/dd941846%28v=ws.10%29.aspx

I should be able to make SSL connections to all domain controllers in the forest.
Am I not doing this correctly?

