Channel: Directory Services forum

Active Directory Certificate Services - Server Automatically Stopping / Disabling the Service

Been experiencing this problem with our Enterprise Root CA.

The Active Directory Certificate Services service is stopping on its own and being set to disabled.

I have changed the service to automatic and started it; however, within a short period of time it is back to disabled / stopped.

The OS and CA were only installed 2 weeks ago.

 

Specs as follows - Virtual Server (Hyper-V) with one 2.66 GHz core and 2 GB RAM allocated.

Running only the Remote Desktop Services Licensing and Connection Broker role services.

Many thanks,

Simon Roberts


how to remove lingering object which is showing when running repadmin /showvector /latency partition-dn


How do I remove a lingering object which is showing when running repadmin /showvector /latency partition-dn?

It is showing like this:



An attempt to resolve the DNS name of a domain controller in the domain being joined has failed.


The following error occurred attempting to join the domain "GUTS":

An attempt to resolve the DNS name of a domain controller in the domain being joined has failed. Please verify this client is configured to reach a DNS server that can resolve DNS names in the target domain.

I am running Windows Server 2008 and am trying to connect with a Windows 7 Ultimate computer.

I have already set the DNS in my computer to the server running DNS Server (same as the DC server).

I can ping the server domain name and IP.

Can someone help me and tell me what I am doing wrong?

Microsoft Windows [Version 6.0.6002]
Copyright <c> 2006 Microsoft Corporation. All rights reserved.

D:\Users\Administrator>ipconfig /all

Windows IP Configuration

Host Name ...........: Office-PC
Primary Dns Suffix .......: it.guts.org
Node Type ............: Hybrid
IP Routing Enabled .........: No
WINS Proxy Enabled .........: No
DNS Suffix Search List ......: it.guts.org hsd1.wa.comcast.net.guts.org

Wireless LAN Adapter Wireless Network Connection:
 Connection-specific DNS Suffix .: hsd1.wa.comcast.net
 Description ...........: D-Link DWA-125 Wireless N 150 USB Adapter (rev.A2)
 Physical Address ......: 1C-BD-B9-32-B8-86
 DHCP Enabled ..........: Yes
 Autoconfiguration Enabled ....: Yes
 IPv4 Address ...........: 192.168.0.194(preferred)
 Subnet Mask ............: 255.255.255.0
 Default Gateway ..........: 192.168.0.1
 DHCP Server ..............: 192.168.0.1
 DNS Server ...........: 192.168.0.1
 NetBIOS over Tcpic .........: Enabled

Ethernet adapter Local Area Connection:
 Media State..............: Media disconnected
 Connection-specific DNS Suffix .:
 Description .................: SiS 900-Based PCI Fast Ethernet Adapter
 Physical Address ............: 00-11-5B-4A-98-43
 DHCP Enabled ................: Yes
 Autoconfiguration Enabled ....: Yes

Tunnel adapter Local Area Connection *8:
Media State..............: Media disconnected
 Connection-specific DNS Suffix .:
 Description .................: isatap.{4FA1F217-5A33-4F73-9997-8A0C643AB5FD}
 Physical Address ............: 00-00-00-00-00-E0
 DHCP Enabled ................: No
 Autoconfiguration Enabled ....: Yes

Tunnel adapter Local Area Connection *11:
Media State..............: Media disconnected
 Connection-specific DNS Suffix .:
 Description .................: Teredo Tuneling Pseudo-Interface
 Physical Address ............: 02-00-54-55-4E-01
 DHCP Enabled ................: No
 Autoconfiguration Enabled ....: Yes

Tunnel adapter Local Area Connection *12:
Media State..............: Media disconnected
 Connection-specific DNS Suffix .: hsd1.wa.comcast.net
 Description .................: isatap.hsd1.wa.comcast.net
 Physical Address ............: 00-00-00-00-00-00-00-E0
 DHCP Enabled ................: No
 Autoconfiguration Enabled ....: Yes

D:Users\Administrator>ping guts.org
Pinging guts.org [216.33.93.211] with 32 bytes of data:
Reply from 216.33.93.211: bytes=32 time=71ms TTL=245
Reply from 216.33.93.211: bytes=32 time=71ms TTL=245
Reply from 216.33.93.211: bytes=32 time=71ms TTL=245
Reply from 216.33.93.211: bytes=32 time=71ms TTL=245

Ping statistics for 216.33.93.211:
     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
     Minimum = 71ms, Maximum = 355ms, Average 168ms

D:Users\Administrator>ping 216.33.93.211
Ping statistics for 216.33.93.211:
     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
     Minimum = 70ms, Maximum = 75ms, Average 72ms

D:Users\Administrator>nslookup
DNS request timed out.
    timedout was 2 seconds.
Default Server: Unknown
Address: 192.168.0.1

Account locking and ForestDNSZones.xxx.local: No_Client_Site Error


Hi,

I have a new customer who is having some issues. The company has several remote users, but one of them seems to lock up several times per day. In looking at the Netlogon.log, all of the users in the company are getting the NO_CLIENT_SITE error in their connections but are not having trouble connecting. This is the common user connection log file:

12/30 12:49:23 xxx: NO_CLIENT_SITE: UserID xxx.xx.x.xxx

The user who locks up several times per day has both the common user logs but several times each day gets the following:

12/30 12:58:28 ForestDnsZones.xxx.local: NO_CLIENT_SITE: UserID xxx.xx.x.xxx
12/30 12:58:29 DomainDnsZones.xxx.local: NO_CLIENT_SITE: UserID xxx.xx.x.xxx

12/30 12:58:29 xxx: NO_CLIENT_SITE: UserID xxx.xx.x.xxx 

Between 9:34 when his account was unlocked and 12:48 when it was unlocked again, he had 30 normal connection requests and 6 of the abnormal connection requests. I've not yet found anything on this particular error. Would love any insight from the group. 

Both of his PCs are Win7 and the server is 2008 R2.

Thank you!

Quinton

Event 4740 Not Logged for a Single Account Lockout


Domain Functional Level: 2003

PDC Emulator: 2008 R2

Lockout Origin DC (also the RADIUS server): 2003 R2

For quite a while now I have been relying on Event 4740 on the PDC Emulator to track account lockouts.  Usually when the RADIUS server causes an account lockout, the Caller Computer Name is blank in the Event 4740.  This usually tells me that our Cisco WLAN Controller caused the lockout.

Our Default Domain Policy is set to audit Account Logon Events for failure, Account Management for success/failure, and Logon Events for success/failure (plus numerous other things).

This time there is no Event 4740 for this account lockout and I can't figure out why.  The events are there for other lockouts several minutes before or after this one.  Windows just hates me so it decided to skip this one.  The main reason this is a problem is because I just set up a Scheduled Task on the PDC Emulator, triggered by Event 4740, to run a PowerShell script that will provide the help desk with a report for each account lockout, even parsing the IIS logs on the Client Access Server to identify which ActiveSync device caused it.  Of course the week after I announce that, Windows decides not to log one.

Using LockoutStatus.exe I determined that the Origin DC for the lockout was the RADIUS server.

NetLogon debug logging is enabled on the RADIUS server, however I took a nap today after being let out of work early for the holiday so by the time I checked the netlogon.bak file it had already been overwritten with newer data.

There was, however, an Event 644 logged on the RADIUS server (pasted below with domain/computer/user details edited for privacy).  I don't even know where to start as far as trying to prevent this from happening again.  Anyone have any suggestions? Within the next couple of months I will spin up a 2012 RADIUS server and a separate 2008 R2 DC to replace the 2003 multipurpose server, but it's not high on my boss's priority list so it's a tough sell considering the WLAN is functional right now.

      

Event Type:Success Audit
Event Source:Security
Event Category:Account Management 
Event ID:644
Date:12/31/2014
Time:10:00:35 AM
User:NT AUTHORITY\SYSTEM
Computer:DomainControllerAndRadiusServer
Description:
User Account Locked Out:
Target Account Name:LockedOutUser
Target Account ID:DOMAIN\LockedOutUser
Caller Machine Name:CISCO
Caller User Name:DomainControllerAndRadiusServer$
Caller Domain:DOMAIN
Caller Logon ID:(0x0,0x3E7)



Group Permission Windows Server 2008 r2


Hello everybody,

Please help me.

I want to create a group whose members can connect remotely as limited users to one member server and be disconnected automatically at 14:00 from this server (with Active Directory on Windows Server 2008 R2).

How do I do this?

Script to archive File Server Data


Hi All,

I'm looking for a script to remove file server data while keeping the last 2 years.

As

 

The trust relationship between this workstation and the primary domain failed

Hi ,

We are facing a strange (at least for me) issue with two of our servers running 2008 R2. When we try to log in as domain administrator we get this error.

"The trust relationship between this workstation and the primary domain failed"

To fix this we reset the computer account using this command: NETDOM RESETPWD /Server:<name of any domain controller> /UserD:<domain admin account> /PasswordD:<password>, and after a restart it works fine.

But after a random time the users cannot log on anymore and the same error reoccurs.
To our surprise, sometimes it becomes normal again automatically.

To add more, there are two other servers running 2008 on this same domain working fine (in total there are only four servers in this domain).
Our domain controller is 2008 R2.

Any solution ?


Thanks and Regards
Perumal Raj J

Raising AD Functional level - 2003 to 2012


My Organization's current AD scenario is as below

Single Domain, Single Forest - five 2012 DCs and one 2008 R2 DC. The Domain Functional Level (DFL) and Forest Functional Level (FFL) are presently Win 2003.

My question is :

1. After demoting the Windows 2008 R2 DC, can I directly raise the functional level to 2012? At present the 2012 functional level option is not offered; only options up to 2008 R2 are available.

2. If possible, which one should be raised first - DFL or FFL?

3. Does any time interval need to be given between raising the DFL and the FFL?


Merging Domains


I have several emails where I use the same User ID but a different domain, e.g. live.com and Outlook.com. These email addresses are used for different things, and I have noticed that now these domains are being merged, but I want to keep them separate.

e.x. tonytony@live.com and tonytony@Outlook.com

Now I am getting emails from both domains in one, and it has also become an issue to reset the passwords.

I would like to keep the emails separately. Thank you.

 

AD CS Certificate WebEnrollment in Failover Cluster Environment - W2K8 R2


Hello,

I have my PKI in a failover cluster and everything works well except for Web Enrollment.

When I open my web browser and type https://cahostname/certsrv the web page opens, but when I want to request any certificate I receive an error - "no certificate templates are available or you don't have rights to request", something like that.

I've read somewhere that certdat.inc under c$\Windows\System32\CertSrv must be modified.

I've tried many possibilities; even though certutil -ping is working, I'm still receiving that error. Of course the IIS server is restarted every time after I change the file.

Any ideas or advice are appreciated.

Service fails to start, error 1297 and 7000


I have a lab configured with a single domain controller and one client server.  Both servers are Windows Server 2008 R2 Standard and the functional level of the domain is Windows Server 2008 R2.  After I promoted the domain controller, I did not make any changes to the default domain policy GPO.  My problem is this:  I created a Managed Service Account and a regular user account and tried to use both of these accounts as logon accounts for the "Disk Defragmenter" service on my client server and domain controller.  Each time it failed with the following error:

In the system event log:

I also tried moving the client server into a custom OU and blocked inheritance of all parent GPOs, but this did not work either...same error.

I'm assuming the problem lies with the Default Domain group policy and Default Domain Controllers group policy, I'm just not sure which setting.  I'm at a complete loss, so any help is greatly appreciated.

jason


UPDATE:  after further testing, I am receiving the same errors even when the server is not joined to a domain.  After a fresh install of Windows Server 2008 R2, I created a local user and used that account as the logon account for several services. When I started the services, I received the same error.

Restoring a Domain Controller - When other DC's are available


I'm trying to get some clarity and confidence on the proper way to restore domain controllers.  Here are my questions:

1. What is the proper way to restore a domain controller into an existing forest where other domain controllers are present when you have a system state backup taken by Windows Server Backup?

1a. In this scenario, will I need to enter DSRM mode prior to booting the server?

2. What is the proper way to restore a virtualized domain controller into an existing forest where other domain controllers are present when you have a 3rd party image-based backup solution that has Hyper-V VSS writers?

2a. In this scenario, will I need to enter DSRM mode prior to booting the server?


Install Server 2008 DC alongside 2012 DC

I have a test environment going on and it has a Server 2012 DC (call it 'A') installed. As a test, I want to install a Server 2008 DC alongside this 'A' server, replicate all data from the 'A' server to the Server 2008 DC and decommission the 'A' server. And then I want to migrate from the Server 2008 DC to a new Server 2012 DC. Is this possible? If it is, please let me know the approach to this project. Thanks.

Remove 2nd DC record on AD and file Services


We have a Server 2008 R2 Standard SP1 (HP_Service_A) which is running as the main DC in the network. We also had another Server 2008 DC (HP_Server_B) before, but this server crashed suddenly. Then I reinstalled this server as a member server. I couldn't promote it to a DC or run Windows Update, or else it can't boot into Windows due to an unknown hardware problem.


Now I find the following event log entries on the main DC (HP_Service_A), which still tries to contact the 2nd DC (HP_Server_B) as before.

AD domain Services
Source: ActiveDirectory_DomainService
Error   event ID:1864
Warning event ID:2089
Warning event ID:2092
Error   event ID:2087

File Service
Source: Ntfrs
Warning event ID: 13508

Now we have one DC (HP_Service_A) and the 2nd DC (HP_Server_B) doesn't exist anymore. How and where can I remove the old DC record?

Thanks.




Delegate helpdesk user to move computers to other OUs


Hi,

I need to delegate to my helpdesk user the ability to move a computer from one OU to the other. How can I do that?

thanks


Wave~Chaser

ADGMS error. Need KB969166 and cannot download it from Microsoft's site


Basically I have several 2008 R2 servers that have the issue referenced in this article when attempting to install ADGMS: http://portal.sivarajan.com/2011/03/active-directory-management-gateway.html

I need to download KB969166 from http://support.microsoft.com/kb/969166 in order to resolve it, but when I go to the link it tells me to go to (https://connect.microsoft.com/VisualStudio/Downloads/DownloadDetails.aspx?DownloadID=20556) I get a page not found error: The content that you requested cannot be found or you do not have permission to view it.

I need both the x86 and x64 versions of this KB. Can anyone help me get this KB?

0x800700ea when Configuring Certificate Enrollment Web Service


We installed a CA on a member server running Server 2012 R2. The server is already running a website. It is not the default site, but its own.

We are trying to install the Web Enrollment Service. When we get to the configuration wizard it crashes with error 0x800700ea More_Data_Available.

In Event Viewer: Event ID 103 Microsoft.CertificateServices.Deployment.Common.CES.EnrollmentServiceSetupException: (Win32/HTTP: 234 Error_More_Data)

We are installing with an enterprise admin account. UAC is off, but we still "Ran As Administrator". We uninstalled/reinstalled the role several times.

Any ideas? My feeling is some conflict with the other IIS website, but can't be sure.


Version number for GPO's not in sync with the version number for GPO's on the Baseline domain controller


Hi

I accidentally removed one of our domain controllers' Hyper-V images (DC-02) from the Hyper-V manager and, to bring it back online, launched a new virtual machine using the same virtual hard drive. This brought back the domain controller machine and I set the original IP address on it, assuming that everything would just work fine.

Sadly, that wasn't the case: when I tried to open the Group Policy Manager on that machine I started getting an "Access is denied" error. I was then presented with an option to open the Group Policy Manager with the first available DC, which I did, and was able to open it; it was showing the same machine as the baseline domain controller under the status tab (DC-01 is actually the baseline DC). I then clicked Detect now and noticed it was showing 1 DC under replication in progress with problems in GPO version. I then did the same thing on the primary DC (DC-01) and even there it was showing this only (images attached).

So I started exploring over the internet going through various articles but couldn't find a solution which I could apply without worrying about corrupting something somewhere. I also went to the SYSVOL folder on both the DCs to check the version number in the GPT.ini files, which are mentioned below:

\\CC-DC01\sysvol\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
[General]
Version=3

\\CC-DC01\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[General]
Version=5439513

\\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
[General]
Version=3

\\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[General]
Version=5308439

Could anyone please help me sort this out? I am no system admin and whatever knowledge I have of setting up DC, AD etc is from following one article or the other over the internet.

Regards

Sajat Jain
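
An added check, not part of the post: the PowerShell script below reads GPT.ini from each DC's SYSVOL share for every GPO, splits the packed Version field into its user half (upper 16 bits) and computer half (lower 16 bits), and reports every GPO whose SYSVOL version differs between DCs. The DC names CC-DC01/cc-dc02 and the domain cloudchowk.lab are taken from the post; the parameter names and the Split-GpoVersion/Get-GptVersion helpers are assumptions, and the account running it must be able to read \\<dc>\SYSVOL.

```powershell
# Added example (not from the post): compare GPT.ini versions across DCs.
# Assumptions: DC names and domain DNS name come from the post; the account
# running this can read \\<dc>\SYSVOL. Written to run on PowerShell 2.0 (2008 R2).
param(
    [string[]]$DomainControllers = @('CC-DC01', 'cc-dc02'),
    [string]$DomainDns = 'cloudchowk.lab'
)

function Split-GpoVersion {
    # GPT.ini Version (like the AD versionNumber attribute) packs the user
    # configuration version into the upper 16 bits and the computer
    # configuration version into the lower 16 bits.
    param([uint32]$Version)
    New-Object PSObject -Property @{
        Raw      = $Version
        User     = [int][math]::Floor($Version / 65536)
        Computer = [int]($Version -band 0xFFFF)
    }
}

function Get-GptVersion {
    # Returns the Version= value of one GPO's GPT.ini on one DC, or $null if unreadable.
    param([string]$Dc, [string]$DomainDns, [string]$GpoGuid)
    $path = "\\$Dc\SYSVOL\$DomainDns\Policies\$GpoGuid\GPT.ini"
    if (-not (Test-Path -Path $path)) { return $null }
    foreach ($line in Get-Content -Path $path) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [uint32]$Matches[1] }
    }
    return $null
}

# Enumerate GPO GUID folders from the first DC's Policies share (the baseline).
$baseline     = $DomainControllers[0]
$policiesRoot = "\\$baseline\SYSVOL\$DomainDns\Policies"
$gpoGuids = Get-ChildItem -Path $policiesRoot |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object { $_.Name }

foreach ($guid in $gpoGuids) {
    $versions = @{}
    $seen     = @{}
    foreach ($dc in $DomainControllers) {
        $v = Get-GptVersion -Dc $dc -DomainDns $DomainDns -GpoGuid $guid
        $versions[$dc] = $v
        $seen["$v"]    = $true      # "$null" becomes "", so unreadable files count as a mismatch
    }
    if ($seen.Count -le 1) { continue }   # all DCs agree on this GPO

    Write-Output "MISMATCH $guid"
    foreach ($dc in $DomainControllers) {
        $v = $versions[$dc]
        if ($v -eq $null) { Write-Output "  $dc : GPT.ini not readable"; continue }
        $s = Split-GpoVersion -Version $v
        Write-Output ("  {0,-10} raw={1,-10} user={2,-5} computer={3}" -f $dc, $s.Raw, $s.User, $s.Computer)
    }
}
```

Applied to the numbers quoted in the post, 5439513 on CC-DC01 splits into user 83 / computer 25 while 5308439 on cc-dc02 splits into user 81 / computer 23, so both halves of the Default Domain Policy are behind on DC-02. Get-GPO -All from the GroupPolicy module shows the AD-side DSVersion next to SysvolVersion for the same user/computer split, which tells you whether it is SYSVOL replication or AD replication that has fallen behind.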


NetBIOS Rename, Restriction and UPN Suffix


Hello All. Is it possible to do the following:

1.  Renaming the NetBIOS name of the Active Directory Domain Services domain?

2.  Restricting users from logging in using the NetBIOS name (DOMAIN\UserName)?

3.  Allowing users to log in only through the UPN suffix and password (username@domain.com and password)?

Thanks in advance.
