Channel: Directory Services forum

AD DS Tree trust two-way really two-way?


Hi guys,

I am working in my lab environment to get an understanding of a tree trust. I have set up a DC in my test domain 'train.lab' and created a tree trust with 'contoso.lab'. Since train.lab is the first domain I created, it's also the name of the forest.

I am able to work with both domains (manage ADUC, Sites & Services, Domains & Trusts, etc.) from the domain controller in contoso.lab. However, it does not work from train.lab.

Status so far:

- All firewalls are disabled
- Just a lab: 2 DCs in a single subnet, each hosting one of the domains (dodgy, but name resolution is working properly)
- On both DCs I can open ADUC, click 'Change domain', hit Browse and see both domains in the forest
- I can ping and nslookup each domain from each DC
- I tried setting up a stub zone for contoso.lab on the train.lab DC, but the zone transfer from the master fails. DNS for contoso.lab is running properly

The logic in this exhibit seems a bit off to me: the first domain in the forest should be the 'main' domain, and the tree is considered a 'child'-level domain. No explicit or conditional DNS zones have been configured, and to me it should be possible to manage the contoso.lab domain from the train.lab domain.

Could anyone shed some light on this?

Cheers!

Jeroen


Check out my blog http://www.gosc.nl



Best Practices Granting Permissions Across Forest Trusts for Administrator

We're beginning to work on moving from a Windows 2008 R2 domain to a brand spanking new Windows 2012 R2 domain. We've created a 2-way forest trust between both domains. We want our Domain/Enterprise Admins to have the same access to the new 2012 R2 domain. What's the best practice in granting access to another forest just for Admins? Should we put the Domain/Enterprise Admins in the 2008 domain into the same groups on the 2012 R2 domain?

Orange County District Attorney

Create self signed SSL to work for ADFS federated with Office365 for lab test


I want to create an SSL certificate for a lab test. Could anyone provide the detailed steps to do that? I'm using Server 2012 R2.

Thanks,

Patrick

Prevent Same User Login to Multiple Computers Simultaneously in Domain environment


Is there any way (currently running 2012 servers) that we can prevent users from logging into multiple domain computers simultaneously with the same username?

We still want them to log into those computers, just not simultaneously.

The LimitLogin utility does not work on Windows Server 2012.

Thanks.


Babu

Custom DNS Application Partition


Hello,
I'm writing to ask a semantic question (not a technical one) regarding custom DNS application partitions.

I will explain with the example below.

I have one forest with one root domain (domain.local) with four DCs located in three sites: one in New York, another in Rome and the other two in Milan (headquarters):

  • dc1.domain.local, dc2.domain.local - Milan (headquarters)
  • dc3.domain.local - New York
  • dc4.domain.local - Rome

They are all connected through WAN private connection (MPLS technology). Each site has its own Internet connection (provided by local ISP).

I have a split-brain domain.com zone (Active Directory Integrated) configured to replicate its content to "All DNS servers in this domain" (in this example, choosing this or "All DNS servers in this forest" is the same thing). All records defined inside the split-brain zone point to LAN IP addresses (obviously, there is also the public domain.com zone with records pointing to public IP addresses).

Objective

The objective is to have the internal domain.com zone replicated to dc1 and dc2 only. dc3 and dc4 should resolve all domain.com queries by using the public zone; in this way all requests (DNS and browsing, e.g. www.domain.com) will pass through the Internet (local ISP connection) instead of the WAN (to free up bandwidth).

Solution

The solution I found is to create a custom DNS application partition and add the DCs on which the replica will be created (link: How to configure the replication scope of a custom application directory partition in Active Directory).

...or do you suggest not using Active Directory Integrated zones and using zone transfers instead? What is your suggestion?

Thank you very much,
Luca 


Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.
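The custom-partition approach described in the post, written out as an added PowerShell example (not from the original post or from Microsoft's documentation). It assumes the DnsServer module on Windows Server 2012 R2, the DC names from the post, and a constructed partition name, InternalDomainComPartition; the existing AD-integrated domain.com zone is moved into the new partition with Set-DnsServerPrimaryZone rather than recreated.

```powershell
# Added example, not part of the original post. Assumes the DnsServer module
# (Windows Server 2012 R2) and the DC names from the post. The partition name
# is a constructed placeholder; pick your own.
$PartitionName = 'InternalDomainComPartition'
$ZoneName      = 'domain.com'
$MilanDCs      = 'dc1.domain.local', 'dc2.domain.local'   # intended replicas only
$AllDCs        = $MilanDCs + 'dc3.domain.local', 'dc4.domain.local'

# 1. Create the custom application directory partition once. The DNS server
#    that creates it is enlisted as the first replica automatically.
Add-DnsServerDirectoryPartition -Name $PartitionName -ComputerName $MilanDCs[0]

# 2. Enlist the remaining Milan DC(s). dc3 (New York) and dc4 (Rome) are left
#    out on purpose, so the partition never replicates across the MPLS WAN.
foreach ($dc in $MilanDCs | Select-Object -Skip 1) {
    Register-DnsServerDirectoryPartition -Name $PartitionName -ComputerName $dc
}

# 3. Move the existing internal split-brain zone from "All DNS servers in this
#    domain" into the custom partition. Replication scope "Custom" requires the
#    partition name.
Set-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Custom `
    -DirectoryPartitionName $PartitionName -ComputerName $MilanDCs[0]

# 4. Verify the result on every DC: only dc1/dc2 should host the zone, and the
#    answer for www.domain.com should differ between the Milan DCs (LAN IP) and
#    the remote DCs (public IP, resolved via their forwarders or root hints).
function Test-SplitBrainPlacement {
    foreach ($dc in $AllDCs) {
        $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $dc -ErrorAction SilentlyContinue
        $answer = Resolve-DnsName -Name "www.$ZoneName" -Server $dc -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server     = $dc
            HostsZone  = [bool]$zone
            Scope      = $zone.ReplicationScope
            Partition  = $zone.DirectoryPartitionName
            Answer     = ($answer | Where-Object IPAddress).IPAddress -join ','
        }
    }
}

Test-SplitBrainPlacement | Format-Table -AutoSize
```

Note that once dc3 and dc4 no longer hold the internal zone, every client in New York and Rome will reach domain.com hosts through the public addresses, so anything in those sites that expects the LAN addresses needs to be checked before the scope change.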

Active Directory Web Services service terminated unexpectedly


Hi everyone:

I'm having a problem: the Active Directory Web Services service does not start. Attached are the event IDs:

System log:

Log Name:      System
Source:        Service Control Manager
Date:          1/6/2015 6:55:19 PM
Event ID:      7034
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxx.dominio.com
Description:
The Active Directory Web Services service terminated unexpectedly.  It has done this 35 time(s).

Application log:

Log Name:      Application
Source:        .NET Runtime
Date:          1/6/2015 6:55:13 PM
Event ID:      1026
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxx.dominio.com
Description:
Application: Microsoft.ActiveDirectory.WebServices.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.ServiceModel.CommunicationObjectFaultedException
Stack:
   at System.ServiceModel.Channels.CommunicationObject.Close(System.TimeSpan)
   at Microsoft.ActiveDirectory.WebServices.WindowsHostService.StartService(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Threading.ThreadHelper.ThreadStart(System.Object)


And

Log Name:      Application
Source:        Application Error
Date:          1/6/2015 6:55:13 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxx.dominio.com
Description:
Faulting application name: Microsoft.ActiveDirectory.WebServices.exe, version: 6.2.9200.16579, time stamp: 0x516356a2
Faulting module name: KERNELBASE.dll, version: 6.2.9200.16864, time stamp: 0x531d34d8
Exception code: 0xe0434352
Fault offset: 0x0000000000047b8c
Faulting process id: 0x4ac
Faulting application start time: 0x01d02a03d45e2d00
Faulting application path: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 1273a0f1-95f7-11e4-93f7-3440b59e2092
Faulting package full name:
Faulting package-relative application ID:

I was working through this solution, but nothing: "http://blogs.microsoft.co.il/yuval14/2012/06/08/how-to-resolve-error-message-the-active-directory-web-services-service-terminated-unexpectedly-event-id-4079-andor-7034/".

I changed the Microsoft.ActiveDirectory.WebServices.exe.config file and added two lines:

<add key="DebugLevel" value="Info" />
<add key="DebugLogFile" value="c:windowsdebugadws.log" />

Attached is the log:

ADWS Log - AppDomain Microsoft.ActiveDirectory.WebServices.exe with ID 1 - 01/06/2015 17:51:37 ((UTC-04:00) Georgetown, La Paz, Manaus, San Juan)
OS Version Microsoft Windows NT 6.2.9200.0 - CLR Version 4.0.30319.18449
ADWS: [1/6/2015 5:51:37 PM] [1] Main: entered
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: trying to remove priviledge SeBackupPrivilege
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: unable to remove SeBackupPrivilege priviledge because it was absent
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: trying to remove priviledge SeRestorePrivilege
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: unable to remove SeRestorePrivilege priviledge because it was absent
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: trying to remove priviledge SeAssignPrimaryTokenPrivilege
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: unable to remove SeAssignPrimaryTokenPrivilege priviledge because it was absent
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: trying to remove priviledge SeIncreaseQuotaPrivilege
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: unable to remove SeIncreaseQuotaPrivilege priviledge because it was absent
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: trying to remove priviledge SeDebugPrivilege
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: unable to remove SeDebugPrivilege priviledge because it was absent
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: trying to remove priviledge SeTcbPrivilege
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: unable to remove SeTcbPrivilege priviledge because it was absent
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: trying to remove priviledge SeShutdownPrivilege
Utils: [1/6/2015 5:51:37 PM] [1] RemovePriviledgeFromProcess: unable to remove SeShutdownPrivilege priviledge because it was absent
Utils: [1/6/2015 5:51:37 PM] [1] RemoveUnnecessaryPriviledges: all present unnecessary priviledges removed successfully
Program: [1/6/2015 5:51:37 PM] [1] Main: Starting Windows service host.
WindowsHostService: [1/6/2015 5:51:37 PM] [1] WindowsHostService constructed
WindowsHostService: [1/6/2015 5:51:37 PM] [4] OnStart: entering.
WindowsHostService: [1/6/2015 5:51:37 PM] [4] OnStart: ServiceStart thread started.
WindowsHostService: [1/6/2015 5:51:37 PM] [6] StartService: entering.
PerfCounters: [1/6/2015 5:51:37 PM] [6] InstallCountersIfNeeded: entered
PerfCounters: [1/6/2015 5:51:37 PM] [6] AreCountersInstalled: entered
PerfCounters: [1/6/2015 5:51:37 PM] [6] AreCountersInstalled: System\CurrentControlSet\Services\ADWS key is present
PerfCounters: [1/6/2015 5:51:37 PM] [6] AreCountersInstalled: System\CurrentControlSet\Services\ADWS\Performance key is present
PerfCounters: [1/6/2015 5:51:37 PM] [6] AreCountersInstalled: First Counter value is present
PerfCounters: [1/6/2015 5:51:37 PM] [6] AreCountersInstalled: perf counters are  installed
PerfCounters: [1/6/2015 5:51:37 PM] [6] AreCountersCurrent: installed perf counter version: 6
PerfCounters: [1/6/2015 5:51:37 PM] [6] AreCountersCurrent: desired perf counter version: 6
PerfCounters: [1/6/2015 5:51:37 PM] [6] AreCountersCurrent: perf counter category ADWS is  current
PerfCounters: [1/6/2015 5:51:37 PM] [6] InstallCountersIfNeeded: counters already installed and current, no work needed
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Create Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Delete Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Get Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Put Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Enumerate Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Pull Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Open Enumeration Contexts' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'GetADGroupMember Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'GetADPrincipalGroupMembership Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'SetPassword Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'ChangePassword Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'GetADPrincipalAuthorizationGroup Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'TranslateName Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'GetADDomainController Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'GetADDomain Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'MoveADOperationMasterRole Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'GetADForest Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'ChangeOptionalFeature Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'GetVersion Operations Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Number of Directory Instances' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Possible Connections' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Allocated Connections' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Reserved Connections' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Non-reserved Connections In Use' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Reserved Connections In Use' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Open Web Service Sessions' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Active Web Service Sessions' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Web Service Sessions Created Per Second' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Custom Action LDAP Cache Maximum Possible Size' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Custom Action LDAP Cache Connection Creation Rate' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Custom Action LDAP Cache Connection Reuse Rate' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Custom Action DS RPC Cache Maximum Possible Size' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Custom Action DS RPC Cache Connection Creation Rate' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Custom Action DS RPC Cache Connection Reuse Rate' performance counter
AdwsPerfCounter: [1/6/2015 5:51:37 PM] [6] AdwsPerfCounter: constructed 'Custom Action Cache Size' performance counter
PerfCounters: [1/6/2015 5:51:37 PM] [6] Initialize: initializing performance counters
PerfCounters: [1/6/2015 5:51:37 PM] [6] Initialize: all performance counters initialized
ADWSHost: [1/6/2015 5:51:37 PM] [6] ADWSHost constructed
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] ProvisionCertificate: using host name for certificate name
Utils: [1/6/2015 5:51:37 PM] [6] GetComputerDnsName: computer name is xxx.dominio.com
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] ProvisionCertificate: using cert name xxx.dominio.com
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] ProvisionCertificate: loaded certificate
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] AddServiceThrottlingBehavior: MaxConcurrentCalls=32, MaxConcurrentSessions=500
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateServiceHost: including UserName endpoints
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateServiceHost: adding endpoints for Windows/
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportBinding: MaxReceivedMessageSize=1048576, ReceiveTimeout=00:10:00
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportBinding: MaxDepth=10, MaxArrayLength=16384, MaxStringContentLength=32768
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportBinding: MaxReceivedMessageSize=1048576, ReceiveTimeout=00:10:00
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportBinding: MaxDepth=10, MaxArrayLength=16384, MaxStringContentLength=32768
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportBinding: MaxReceivedMessageSize=1048576, ReceiveTimeout=00:10:00
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportBinding: MaxDepth=10, MaxArrayLength=16384, MaxStringContentLength=32768
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportBinding: MaxReceivedMessageSize=1048576, ReceiveTimeout=00:10:00
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportBinding: MaxDepth=10, MaxArrayLength=16384, MaxStringContentLength=32768
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportBinding: MaxReceivedMessageSize=1048576, ReceiveTimeout=00:10:00
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportBinding: MaxDepth=10, MaxArrayLength=16384, MaxStringContentLength=32768
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateServiceHost: adding endpoints for UserName/
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportWithMessageCredentialBinding: MaxReceivedMessageSize=1048576, ReceiveTimeout=00:10:00
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportWithMessageCredentialBinding: MaxDepth=10, MaxArrayLength=16384, MaxStringContentLength=32768
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportWithMessageCredentialBinding: MaxReceivedMessageSize=1048576, ReceiveTimeout=00:10:00
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportWithMessageCredentialBinding: MaxDepth=10, MaxArrayLength=16384, MaxStringContentLength=32768
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportWithMessageCredentialBinding: MaxReceivedMessageSize=1048576, ReceiveTimeout=00:10:00
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportWithMessageCredentialBinding: MaxDepth=10, MaxArrayLength=16384, MaxStringContentLength=32768
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportWithMessageCredentialBinding: MaxReceivedMessageSize=1048576, ReceiveTimeout=00:10:00
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportWithMessageCredentialBinding: MaxDepth=10, MaxArrayLength=16384, MaxStringContentLength=32768
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportWithMessageCredentialBinding: MaxReceivedMessageSize=1048576, ReceiveTimeout=00:10:00
ADWSHostFactory: [1/6/2015 5:51:37 PM] [6] CreateAdwsTransportWithMessageCredentialBinding: MaxDepth=10, MaxArrayLength=16384, MaxStringContentLength=32768
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] StartConfigurationLoading: entered
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] StartConfigurationLoading: establishing watcher on C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.Config
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: entered
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: no value specified for InitialPoolConnections, using default value 5
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value 10 for MaxPoolConnections
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value 50 for MaxPercentageReservedConnections
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: no value specified for MaxReservedIdleTimeout, using default value 00:02:00
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: no value specified for MaxReservedTimeout, using default value 00:30:00
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value 5 for MaxConnectionsPerUser
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: no value specified for MaxBindLifetime, using default value 00:15:00
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: no value specified for MaxServerDownRetry, using default value 10
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: no value specified for SyntaxCacheEntryLifetime, using default value 01:00:00
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value 00:30:00 for MaxEnumContextExpiration
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value 00:02:00 for OperationTimeout
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value 00:02:00 for MaxPullTimeout
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value 5 for MaxEnumCtxsPerSession
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value 100 for MaxEnumCtxsTotal
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: no value specified for CertName, using default value NULL
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: no value specified for MaxGroupOrMemberEntries, using default value 5000
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: no value specified for CustomActionConnectionCount, using default value 10
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: no value specified for CustomActionIdleConnectionTimeout, using default value 00:02:00
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: no value specified for InstanceRediscoveryInterval, using default value 00:01:00
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value 32 for MaxConcurrentCalls
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value 500 for MaxConcurrentSessions
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value Info for DebugLevel
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] LoadConfigSettingsFromFile: using loaded value C:\temp\windowsdebugadws.log for DebugLogFile
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] ValidateSettingLimits: entered
ClassManager: [1/6/2015 5:51:37 PM] [6] Start: starting...
LdapSessionPoolImplementation: [1/6/2015 5:51:37 PM] [3] ScavengerThread: thread starting
LdapSessionPoolImplementation: [1/6/2015 5:51:37 PM] [3] Scavenger: waking up at 00:00:40 interval
EnumerationContextCache: [1/6/2015 5:51:37 PM] [6] EnumerationContextCache: using timer inverval 00:00:30
InstanceMap: [1/6/2015 5:51:37 PM] [6] InstanceMap: using timer inverval 00:01:00
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckAndLoadAll: beginning
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckAndLoadNTDSInstance: entered
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckAndLoadNTDSInstance: found NTDS Parameters key
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckAndLoadNTDSInstance: trying to change state to DC
InstanceMap: [1/6/2015 5:51:37 PM] [6] AddRemoveSessionPoolAndDictionaryEntry: trying to change state for identifier ldap:389
InstanceMap: [1/6/2015 5:51:37 PM] [6] AddSessionPool: adding a session pool for NTDS
DirectoryDataAccessImplementation: [1/6/2015 5:51:37 PM] [6] InitializeInstance: entering, instance=NTDS, init=5, max=10
LdapSessionPoolImplementation: [1/6/2015 5:51:37 PM] [6] InitializeInstance: entering, instance=NTDS, init=5, max=10
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ConnectionPool: trying to add connection 0
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: entering, instance=NTDS
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] ConnectionPoolEntry: connection created
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: grew pool, instance=NTDS, new count=1, max=10
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ConnectionPool: trying to add connection 1
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: entering, instance=NTDS
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] ConnectionPoolEntry: connection created
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: grew pool, instance=NTDS, new count=2, max=10
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ConnectionPool: trying to add connection 2
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: entering, instance=NTDS
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] ConnectionPoolEntry: connection created
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: grew pool, instance=NTDS, new count=3, max=10
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ConnectionPool: trying to add connection 3
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: entering, instance=NTDS
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] ConnectionPoolEntry: connection created
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: grew pool, instance=NTDS, new count=4, max=10
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ConnectionPool: trying to add connection 4
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: entering, instance=NTDS
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] ConnectionPoolEntry: connection created
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: grew pool, instance=NTDS, new count=5, max=10
InstanceMap: [1/6/2015 5:51:37 PM] [6] AddRemoveSessionPoolAndDictionaryEntry: state change successful (now hosts identifier ldap:389)
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckAndLoadGCInstance: entered
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckForGlobalCatalog: entered
DirectoryUtilities: [1/6/2015 5:51:37 PM] [6] GetTimeRemaining: remaining time is 00:02:00
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckForGlobalCatalog: isGlobalCatalogReady: TRUE
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckForGlobalCatalog: NTDS Settings DN: CN=NTDS Settings,CN=XXX,CN=Servers,CN=Alpacoma,CN=Sites,CN=Configuration,DC=dominio,DC=com
DirectoryUtilities: [1/6/2015 5:51:37 PM] [6] GetTimeRemaining: remaining time is 00:02:00
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckForGlobalCatalog: options: 1
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckAndLoadGCInstance: CheckForGlobalCatalog=True
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckAndLoadGCInstance: trying to change state to Global Catalog
InstanceMap: [1/6/2015 5:51:37 PM] [6] AddRemoveSessionPoolAndDictionaryEntry: trying to change state for identifier ldap:3268
InstanceMap: [1/6/2015 5:51:37 PM] [6] AddSessionPool: adding a session pool for GC
DirectoryDataAccessImplementation: [1/6/2015 5:51:37 PM] [6] InitializeInstance: entering, instance=GC, init=5, max=10
LdapSessionPoolImplementation: [1/6/2015 5:51:37 PM] [6] InitializeInstance: entering, instance=GC, init=5, max=10
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ConnectionPool: trying to add connection 0
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: entering, instance=GC
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] ConnectionPoolEntry: connection created
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: grew pool, instance=GC, new count=1, max=10
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ConnectionPool: trying to add connection 1
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: entering, instance=GC
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] ConnectionPoolEntry: connection created
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: grew pool, instance=GC, new count=2, max=10
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ConnectionPool: trying to add connection 2
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: entering, instance=GC
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] ConnectionPoolEntry: connection created
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: grew pool, instance=GC, new count=3, max=10
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ConnectionPool: trying to add connection 3
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: entering, instance=GC
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] ConnectionPoolEntry: connection created
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: grew pool, instance=GC, new count=4, max=10
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ConnectionPool: trying to add connection 4
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: entering, instance=GC
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] ConnectionPoolEntry: connection created
ConnectionPool: [1/6/2015 5:51:37 PM] [6] AddConnectionIfPossible: grew pool, instance=GC, new count=5, max=10
InstanceMap: [1/6/2015 5:51:37 PM] [6] AddRemoveSessionPoolAndDictionaryEntry: state change successful (now hosts identifier ldap:3268)
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckAndLoadADAMInstances: entered
InstanceMap: [1/6/2015 5:51:37 PM] [6] CheckAndLoadAll: caught unexpected exception System.IO.IOException: No more data is available.

   at Microsoft.Win32.RegistryKey.Win32Error(Int32 errorCode, String str)
   at Microsoft.Win32.RegistryKey.InternalGetSubKeyNames()
   at Microsoft.ActiveDirectory.WebServices.InstanceMap.DiscoverInstancesFromRegistry(String regRootKey, String regKeyInstancePrefix, Boolean& instanceEncounteredErrorsOnThisRun, List`1 discoveredInstances, DirectoryType directoryType)
   at Microsoft.ActiveDirectory.WebServices.InstanceMap.CheckAndLoadADAMInstances()
   at Microsoft.ActiveDirectory.WebServices.InstanceMap.CheckAndLoadAll()
ADWSHost: [1/6/2015 5:51:37 PM] [6] OnClosed: entered
CustomActionCaches: [1/6/2015 5:51:37 PM] [6] StopCaches: disposing Custom Action connection caches
ClassManager: [1/6/2015 5:51:37 PM] [6] Stop: closing down...
EnumerationContextCache: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
QuotaTracker: [1/6/2015 5:51:37 PM] [6] Clear: clearing all usage
DirectoryActionImplementation: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
DirectoryDataAccessImplementation: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
LdapSessionPoolImplementation: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
LdapSessionPoolImplementation: [1/6/2015 5:51:37 PM] [3] ScavengerThread: woke up
LdapSessionPoolImplementation: [1/6/2015 5:51:37 PM] [3] ScavengerThread: received termination signal, exiting
LdapSessionPoolImplementation: [1/6/2015 5:51:37 PM] [6] Dispose: disposing pool
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing (instance=NTDS)...
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ProhibitConnectionAcquisition: entering, instance=NTDS
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing a ConnectionPoolEntry
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing a ConnectionPoolEntry
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing a ConnectionPoolEntry
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing a ConnectionPoolEntry
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing a ConnectionPoolEntry
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
LdapSessionPoolImplementation: [1/6/2015 5:51:37 PM] [6] Dispose: disposing pool
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing (instance=GC)...
ConnectionPool: [1/6/2015 5:51:37 PM] [6] ProhibitConnectionAcquisition: entering, instance=GC
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing a ConnectionPoolEntry
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing a ConnectionPoolEntry
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing a ConnectionPoolEntry
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing a ConnectionPoolEntry
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
ConnectionPool: [1/6/2015 5:51:37 PM] [6] Dispose: disposing a ConnectionPoolEntry
ConnectionPoolEntry: [1/6/2015 5:51:37 PM] [6] Dispose: disposing...
LdapSessionPoolImplementation: [1/6/2015 5:51:37 PM] [6] Dispose: disposing utility connection NTDS
LdapSessionPoolImplementation: [1/6/2015 5:51:37 PM] [6] Dispose: disposing utility connection GC
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] StopConfigurationLoading: entered
ConfigurationSettings: [1/6/2015 5:51:37 PM] [6] Dispose: disposing
Any ideas? Thanks for your help.




Issues accessing domain share from domain controller


Hi,

About 2 weeks ago, 2 of my domain controllers at one of our facilities lost access to a domain share. If I try to access the share from the DCs, it prompts for a username/password. Now if I go to my workstation at corp, the share works fine. I can't seem to figure out where the problem is. Any suggestions?

Thanks in advance!

New virtual 2008 DC - Some domain users unable to establish LDAP connection


Last night, I DCPROMO'd a physical 2008 R2 DC after ensuring the virtual 2008 R2 DC was fully replicated.  Today, select users are unable to sign in to an application that uses LDAP authentication.

On the DC, if I attempt to use LDP with an affected user's credentials, I get the following:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='dj'; Pwd=<unavailable>; domain = 'domain.com'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 531, v1db1
Error 0x8009030C The logon attempt failed

Any thoughts on what I could be looking for?  The old DC and the new virtual one were both global catalogs only.
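
Added example (not part of the post above): LDAP result 49 is the same for every failed AD bind, so the useful information is the hexadecimal "data" sub-code in the server comment. These values are the Win32 logon-failure codes; 0x531 is ERROR_INVALID_WORKSTATION (1329), i.e. the account has a logon-workstation restriction ("Log On To" / userWorkstations) that does not cover the machine the bind is coming from. The decoder below parses the LDP output quoted in the post; the sample text is copied from that post and the second test line is a constructed string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# AcceptSecurityContext "data" sub-codes AD returns on a failed bind.
# They are hexadecimal Win32 logon-failure codes (ERROR_* values).
DATA_CODES = {
    0x525: "user not found (ERROR_NO_SUCH_USER)",
    0x52E: "invalid credentials, bad password (ERROR_LOGON_FAILURE)",
    0x530: "not permitted to log on at this time (ERROR_INVALID_LOGON_HOURS)",
    0x531: "not permitted to log on at this workstation (ERROR_INVALID_WORKSTATION)",
    0x532: "password expired (ERROR_PASSWORD_EXPIRED)",
    0x533: "account disabled (ERROR_ACCOUNT_DISABLED)",
    0x701: "account expired (ERROR_ACCOUNT_EXPIRED)",
    0x773: "user must reset password (ERROR_PASSWORD_MUST_CHANGE)",
    0x775: "account locked out (ERROR_ACCOUNT_LOCKED_OUT)",
}

# Matches the server comment LDP (and most LDAP clients) print for a failed bind.
COMMENT_RE = re.compile(
    r"LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),\s*comment:\s*AcceptSecurityContext error,"
    r"\s*data\s*(?P<data>[0-9A-Fa-f]+),\s*v(?P<ver>[0-9A-Fa-f]+)"
)


@dataclass
class BindFailure:
    dsid: str      # directory-service internal location id, useful when opening a case
    data: int      # the hexadecimal sub-code, as an int
    meaning: str


def decode_bind_error(line: str) -> Optional[BindFailure]:
    """Return the decoded sub-code for one line, or None if the line carries no AD bind comment."""
    m = COMMENT_RE.search(line)
    if m is None:
        return None
    data = int(m.group("data"), 16)
    return BindFailure(m.group("dsid"), data, DATA_CODES.get(data, "unrecognised sub-code"))


def decode_ldp_output(text: str) -> List[BindFailure]:
    """Scan a whole LDP/ldapsearch transcript and return every decoded bind failure."""
    return [f for f in (decode_bind_error(line) for line in text.splitlines()) if f is not None]


# Copied from the LDP output in the post above.
SAMPLE_LDP_OUTPUT = """\
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='dj'; Pwd=<unavailable>; domain = 'domain.com'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 531, v1db1
Error 0x8009030C The logon attempt failed
"""

if __name__ == "__main__":
    for failure in decode_ldp_output(SAMPLE_LDP_OUTPUT):
        print("data %x (DSID %s): %s" % (failure.data, failure.dsid, failure.meaning))
```

Run it against the transcript of any failing user and compare the sub-code with what the account's properties say; a 531 points at the user object's logon-workstation list rather than at the new DC's replication state.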


Traffic between AD DCs in child domain and AD DCs in other forest


Hello, fellows.

I feel really stupid: I cannot find a definitive answer to a very simple question. Let's say there is one forest (F1) with two domains: the forest root (F1-RDOMAIN) and a child domain (F1-CDOMAIN), single tree. There is another forest (F2) with only a single domain, F2-RDOMAIN. If I set up a two-way transitive forest trust between the F1 and F2 forests, I know that some firewall ports must be open to allow communication between DCs in F1-RDOMAIN and F2-RDOMAIN. However, what I cannot say for sure is whether there will be any traffic between F1-CDOMAIN and F2-RDOMAIN! Do I need to open the firewall ports between them as well? Let's assume that DNS servers in F1-CDOMAIN forward requests to DNS servers in F1-RDOMAIN, and all domains have GCs.

Could someone refer me to the MS KB or something else that would say "...all DCs must communicate with each other" or "only DCs in the forest root domains", please?

Many thanks in advance,

Rustam.

5 FSMO Roles only

Is there any reason for 5 FSMO roles only and not more?

This question was asked to one of my students in an interview. The interviewer further said that there is a reason for 5 roles only, which is given by Microsoft...

change password error


When I am changing my password using ALT+CTRL+DEL on Win8 in a domain network, it works on some machines, but some machines show the error below: "security database on server does not have a computer account for this workstation trust relationship."

AD Site renamed and DFS error (dfsdiag) regarding wrong static site association


Community

I am running DFS-N and have been facing a few issues over the past few weeks: occasionally being unable to access a DFS share, my Home share mapping disappearing on the client, etc. Most of the time it works fine, but ideally I would like to get to the bottom of this.

So I ran "dfsdiag /testreferral /dfspath:\\root\homeshare /full" and it gave me the following error

Success: The site associated with the following host name is consistent on all accessible domain controllers: DC-02
Validating the static site association by accessing the registry.
Error: The static site-association of the following host name is not consistent with the site-association in Active Directory Domain Services (AD DS): DC-02
Finished TestSites.

A while ago I renamed the AD Site where this particular DC is located. As this was done more or less at the same time as I did the DFS-N implementation, I don't know whether this site rename is the cause of my problems.

The error is referring to registry. Does anyone know where in registry this information is stored and whether this error could cause issues I mentioned above?

Some help would be greatly appreciated.

Regards,

Thomas

NTDS settings missing


Hello,

I am running Windows Server 2012 R2. I recently promoted a new server to domain controller. The joining process seems to be successful, but when I check NTDS Settings under Sites and Services it shows empty. I tried to create connections manually, but when I hit replicate I get "DNS lookup error".

I have no idea how to solve this.

Thanks


Active Directory Domain Services


Hi to all,

Hope you could help me resolve this issue. This morning when I opened our Windows Server 2008 R2,

I saw this role summary: http://i59.tinypic.com/2wcgn03.png

And then I checked the details; here's what I found out:

error log: http://i59.tinypic.com/bjcscz.png

warning log: http://i61.tinypic.com/s5a4cg.jpg

And then I checked the summary events:

http://i62.tinypic.com/2n7jo7k.png

But our server is doing fine. This server is used as a print server, domain controller and license server.

Some say my Active Directory is disabled. Then I searched Google on how to enable it, and all I see is to reconfigure it again from the start. What should I do to resolve the issue? I am just a newbie in Windows Server.

Thanks,

Clifford


Kerberos encryption failing


Hi,

We've got a Windows 2008R2 test environment (1 DC) that we are using to try to integrate secure DDNS updates to an Infoblox DNS server. I'm struggling to get the Kerberos authentication encryption to work. I've created a keytab file using the following command:

"ktpass -princ DNS/<DNS Server FQDN>@<REALM> -mapuser <service account name>@<REALM> -pass <password> -out RC4.keytab -ptype krb5_nt_principal -crypto RC4-HMAC-NT -kvno 3".

I hope to eventually get this to work with AES-256 encryption, but I figured I'd start slow. The client workstation is a Windows 7 box.

When I reboot the workstation to try to get it to re-register its host name in DNS, I get the following error in the WireShark Trace:

"error-code: eRR-ETYPE-NOSUPP (14)"

Needless to say, the update attempt fails.

I've checked the Default Domain Controller GPO and the "Configure encryption types allowed by Kerberos" setting is not defined. Also, I noticed that the GPO indicates that it supports RC4-HMAC-MD5, but the ktpass command only has RC4-HMAC-NT.....which one will actually work? Can anyone point me in the right direction?
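
Added example (not part of the post above): KRB-ERROR 14 (KDC_ERR_ETYPE_NOSUPP) is raised when the encryption types one side asks for have no overlap with the keys the other side holds. The ktpass name "RC4-HMAC-NT" and the GPO name "RC4_HMAC_MD5" both refer to Kerberos etype 23 (rc4-hmac), so they are the same key type. The parser below reads the MIT keytab format (version 0x0502) that ktpass writes, lists the etypes present, and intersects them with a client's requested etype list. The keytab is built in-memory from constructed values (dummy key bytes, assumed principal and realm names); the requested-etype lists are assumptions used to illustrate the two outcomes.

```python
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab format version 0x0502, big-endian fields
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: Sequence[Tuple[str, str, int, int, bytes]]) -> bytes:
    """Serialise (principal, realm, kvno, etype, key) tuples into a v0x0502 keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, etype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type NT-PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">H", etype) + _counted(key)
        body += struct.pack(">I", kvno)                   # optional 32-bit vno written by newer tools
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


@dataclass
class KeytabEntry:
    principal: str
    realm: str
    kvno: int
    etype: int
    key: bytes


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a v0x0502 keytab, skipping deleted slots (negative entry size)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        cur = pos

        def read_counted() -> bytes:
            nonlocal cur
            (n,) = struct.unpack_from(">H", data, cur)
            cur += 2
            val = data[cur:cur + n]
            cur += n
            return val

        (ncomp,) = struct.unpack_from(">H", data, cur)
        cur += 2
        realm = read_counted().decode()
        comps = [read_counted().decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, cur)
        cur += 9
        (etype,) = struct.unpack_from(">H", data, cur)
        cur += 2
        key = read_counted()
        kvno = vno8
        if end - cur >= 4:                # 32-bit vno, when present and non-zero, overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, cur)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps), realm, kvno, etype, key))
        pos = end
    return entries


def usable_etypes(entries: Sequence[KeytabEntry], requested: Sequence[int]) -> List[int]:
    """Etypes both sides can use; an empty list is what surfaces as KDC_ERR_ETYPE_NOSUPP."""
    return sorted({e.etype for e in entries} & set(requested))


# Constructed sample: an RC4-only keytab like the one ktpass produced above (dummy 16-byte key).
SAMPLE_KEYTAB = build_keytab([("DNS/infoblox.corp.example", "CORP.EXAMPLE", 3, 23, bytes(16))])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, e.realm, "kvno", e.kvno, ETYPE_NAMES.get(e.etype, e.etype))
    print("AES-only client:", usable_etypes(parse_keytab(SAMPLE_KEYTAB), [18, 17]))
    print("AES+RC4 client: ", usable_etypes(parse_keytab(SAMPLE_KEYTAB), [18, 17, 23]))
```

Point the parser at the real keytab and compare the etype list with what the Wireshark trace shows in the request's etype field; if the two sets are disjoint, a new keytab (and matching account key) with a common etype, or a client etype policy that includes one, is the fix.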


GPMC commandlets on Windows server core


On my "Windows Server 2008 R2 Core" I had installed the Active Directory remote management components, including the "ActiveDirectory" PowerShell module. The problem is that the "GroupPolicy" module is not installed because the GPMC tool is not compatible with the Core version.

Is there a powershell "GroupPolicy" module stand alone installer without GPMC tool?

Thanks.

LastLogonTimeStamp still getting Updated even if Password is Expired


Hi 

I see an old thread with similar issue, but didn't think that was closed.

I have a couple of users whose passwords expired about a year ago, but their LastLogonTimestamp is still being updated with a recent date/time.

see one of the examples below 

LastLogonTimestamp                                    : 1/7/2015 5:02:01 AM
LastLogon                                             :
PasswordLastSet                                       : 5/21/2013 4:31:32 AM
PasswordAge                                           : 598.10:58:55.9243864
PasswordExpires                                       : 8/19/2013 4:31:32 AM

ADFS Design Help


Hi All,

We need a help in configuring ADFS in our environment for the following requirement

We have an application which will be used by users from the intranet as well as the internet. The application is in the LAN and our Domain Controllers are also in the LAN. We want the user to access the application from the internet using the same AD credentials. We were thinking that we could place an ADFS server in the DMZ and get the users authenticated against it, and in turn the ADFS server will communicate with AD and authenticate users.

Is it possible using ADFS and how do we plan and design it.

After using the below filter, the users on the get inactive every time


Hi MS AD team,

I have a customer who is deploying Cisco UC and integrating with AD LDS. As per the client, the synchronization between the UC server and the LDS is not working. They claim that it is an LDS issue, so can you please help me. I have created a case with the Cisco team, and they advised me to contact you; please see the thread below. Just to clarify, if we remove the object class userProxy the LDAP filter works and pulls out users. Obviously, without the proxy user filter it is supposed to return all disabled users, but at this point of the deployment the value returned is zero because there are no disabled users.

Cisco agreed that the accounts aren't syncing because we are not finding users in the ObjectClass=userProxy as expected. This needs to be resolved on the LDS / AD. We also need this to be able to perform bind redirection for authentication, which would be the next step once we have users synced from LDAP. See below from Cisco TAC; I've also included some notes about the userProxy object class from my research.

Per Cisco TAC UC:

Issue :- After using the below filter, the users on the get inactive every time

Filter :- (&(objectClass=userProxy)(!(objectClass=Computer))(!(msDS-UserAccountDisabled=TRUE)))

Below is the trace Analysis
========

LDAP Sync Runs here
=====

2015-01-07 16:30:55,822 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1196) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)[LDAPFullSync] LDAPFullSync
2015-01-07 16:30:55,822 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1207) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)[LDAPFullSync] attrsToReturn - [objectguid, samaccountname, givenname, middlename, sn, manager, department, ipphone, mail, title, homephone, mobile, pager, msrtcsip-primaryuseraddress, userprincipalname]
2015-01-07 16:30:55,822 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1208) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)[LDAPFullSync] SearchBase - dc=uc, dc=com
2015-01-07 16:30:55,822 DEBUG [DirSync-DBInterface] common.DSDBInterface (DSDBInterface.java:1574) - DSDBInterface.executeSQL Execute SQL update - UPDATE DirectoryPluginConfig SET fullSyncStatus=1 WHERE pkid='d516b45e-5da2-c7df-7f76-e2ecabe2ef7a'

Filter gets applied
=========

2015-01-07 16:30:55,822 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1209) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)[LDAPFullSync] Filter - (&(objectClass=userProxy)(!(objectClass=Computer))(!(msDS-UserAccountDisabled=TRUE)))

Error as no user could be found
=========

2015-01-07 16:30:55,825 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1625) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a) Do count=0
2015-01-07 16:30:55,825 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1626) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a) Base=dc=uc, dc=com
2015-01-07 16:30:55,825 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1627) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a) Filter=(&(objectClass=userProxy)(!(objectClass=Computer))(!(msDS-UserAccountDisabled=TRUE)))
2015-01-07 16:30:55,826 INFO  [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1634) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a) Number of page searched :1
2015-01-07 16:30:55,826 INFO  [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1640) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a) Dirsync synched zero users. Please verify the custom LDAP filter configured for this agreement
2015-01-07 16:30:55,826 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] common.DSAlarm (DSAlarm.java:49) - DSAlarm.sendAlarmWithParameter Send alarm for AgreementId=d516b45e-5da2-c7df-7f76-e2ecabe2ef7a:null=null
2015-01-07 16:30:55,826 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] common.DSAlarm (DSAlarm.java:63) - DSAlarm.sendAlarmWithParameter AlarmTable has 1 parameters
2015-01-07 16:30:55,826 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] common.DSAlarm (DSAlarm.java:69) - DSAlarm.sendAlarm Alarm sent
2015-01-07 16:30:55,826 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1669) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)[searchInternalExact] Send user data to DBinterface-2
2015-01-07 16:30:55,827 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1279) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)[sendUserData] ChangeMode:1
2015-01-07 16:30:55,827 DEBUG [DSLDAPSyncImpl(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1390) - LDAPSync(d516b45e-5da2-c7df-7f76-e2ecabe2ef7a)[sendUserData] sendUserData - Exit

Error:- Dirsync synced zero users. Please verify the custom LDAP filter configured for this agreement

 

As per the logs the objectClass=userProxy is not able to find any user in the AD LDS database and is excluding objectClass=Computer and msDS-UserAccountDisabled=TRUE, which is absolutely good from a filter's point of view. The CUCM is trying to search the object class, and when it does not find any user in the database it completes the sync and no users get imported.

Kindly contact Microsoft further to check further. Closing the case as per discussion

Additional background on Userproxy Object Class : 

userProxy is specific to ADAM/LDS and is just an object of the user class containing the ms-DS-Bind-Proxy auxiliary class and no password.

When a user matching a userProxy object in an ADAM/LDS partition is authenticated using a simple bind, the request is proxied to an Active Directory partition containing the actual user object. Thus, the userProxy object's objectSID has to match the SID of an existing enabled user object in an Active Directory partition that the ADAM/LDS partition can proxy requests to.

That way an ADAM/LDS application can authenticate AD users without storing/caching passwords.


Franki
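
Added example (not part of the post above): the quickest way to see why a filter returns zero entries is to evaluate it locally against what the directory actually contains. The evaluator below handles the RFC 4515 subset the Cisco filter uses (AND, OR, NOT, equality, presence), treats attributes as multi-valued and compares case-insensitively, as AD LDS does for objectClass and boolean strings. The directory is a constructed in-memory sample (made-up DNs and objectClass lists), not data from the customer's LDS; note that an entry without msDS-UserAccountDisabled satisfies the `(!(msDS-UserAccountDisabled=TRUE))` clause, and that the first clause only matches entries whose objectClass list actually contains userProxy.

```python
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute name (lower-cased) -> list of string values


def parse_filter(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Parse the RFC 4515 subset AND/OR/NOT/equality/presence; returns (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", [node]), i + 1
    j = s.index(")", i)
    attr, sep, value = s[i:j].partition("=")
    if not sep:
        raise ValueError("unsupported filter item %r" % s[i:j])
    return ("=", attr, value), j + 1


def evaluate(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry; absent attributes match nothing."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(k, entry) for k in node[1])
    if kind == "|":
        return any(evaluate(k, entry) for k in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    if value == "*":                       # presence test
        return bool(values)
    return value.lower() in values         # case-insensitive equality on a multi-valued attribute


def search(filter_str: str, directory: Dict[str, Entry]) -> List[str]:
    """Return the DNs (sorted) of entries in the constructed directory that match the filter."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, entry in directory.items() if evaluate(node, entry))


CISCO_FILTER = "(&(objectClass=userProxy)(!(objectClass=Computer))(!(msDS-UserAccountDisabled=TRUE)))"

# Constructed sample directory (DNs, SIDs and objectClass lists are illustrative only).
SAMPLE_DIRECTORY: Dict[str, Entry] = {
    "CN=alice,OU=Proxies,DC=uc,DC=com": {
        "objectclass": ["top", "userProxy"],
        "objectsid": ["S-1-5-21-1000-2000-3000-1104"],
        "samaccountname": ["alice"],
    },
    "CN=bob,OU=Proxies,DC=uc,DC=com": {          # proxy object that has been disabled
        "objectclass": ["top", "userProxy"],
        "msds-useraccountdisabled": ["TRUE"],
    },
    "CN=carol,OU=Local,DC=uc,DC=com": {          # plain LDS user, not a proxy
        "objectclass": ["top", "person", "organizationalPerson", "user"],
    },
    "CN=PRINT01,OU=Devices,DC=uc,DC=com": {
        "objectclass": ["top", "Computer"],
    },
}

if __name__ == "__main__":
    print("Cisco filter matches:", search(CISCO_FILTER, SAMPLE_DIRECTORY))
    print("without the userProxy clause:",
          search("(&(!(objectClass=Computer))(!(msDS-UserAccountDisabled=TRUE)))", SAMPLE_DIRECTORY))
```

Dump the real objects (for example the objectClass values of the entries under dc=uc,dc=com) into this structure and run the same filter; if nothing matches, the proxy objects either do not exist in that partition or do not carry the userProxy class, and the filter is doing exactly what the Cisco log says.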

Security Event ID 4768


I'm using SCOM to monitor authentication of specific accounts in AD. For the most part it's working fine; the key pieces of information though are the User ID and the Client Address. Most of the time I will be able to see an IP address, but for some reason the Client Address is sometimes displayed as ::1. Does anyone know why this happens and how to fix it?

Account Information:
    Account Name:            jsloan-ad
    Supplied Realm Name:     ABCDOMAIN
    User ID:                 ABCDOMAIN\jsloan-ad

Service Information:
    Service Name:            krbtgt
    Service ID:              ABCDOMAIN\krbtgt

Network Information:
    Client Address:          ::1
    Client Port:             0

Additional Information:
    Ticket Options:          0x40810010
    Result Code:             0x0
    Ticket Encryption Type:  0x12
    Pre-Authentication Type: 2

Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
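
Added example (not part of the post above): ::1 is the IPv6 loopback address, so a 4768 with that Client Address is a TGT request made on the domain controller itself (a logon, service or agent running on the DC), not from a remote host; the DC never sees a network source address for it. The parser below flattens the event body into fields, classifies the client address (loopback, IPv4-mapped `::ffff:a.b.c.d`, link-local, remote) and decodes the Ticket Options bitmask, encryption type and pre-authentication type per RFC 4120. The sample event is copied from the post; the IPv4-mapped and remote addresses in the test are constructed.

```python
import ipaddress
import re
from typing import Dict, List

# RFC 4120 KDCOptions: bit n is the n-th most significant bit of the 32-bit flags word.
KDC_OPTIONS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    15: "canonicalize", 26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}
ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
          0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
PREAUTH = {0: "none", 2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 15: "PA-PK-AS-REP_OLD",
           16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2"}

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(.*?)\s*$")

# Copied from the 4768 event in the post above (certificate section omitted).
SAMPLE_4768 = """\
Account Information:
    Account Name:         jsloan-ad
    Supplied Realm Name:  ABCDOMAIN
    User ID:              ABCDOMAIN\\jsloan-ad
Service Information:
    Service Name:         krbtgt
    Service ID:           ABCDOMAIN\\krbtgt
Network Information:
    Client Address:       ::1
    Client Port:          0
Additional Information:
    Ticket Options:       0x40810010
    Result Code:          0x0
    Ticket Encryption Type:0x12
    Pre-Authentication Type:            2
"""


def parse_event_fields(text: str) -> Dict[str, str]:
    """Flatten 'Name: value' lines into a dict; section headers (no value) are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def decode_kdc_options(flags: int) -> List[str]:
    """Names of the KDCOptions bits set in the Ticket Options word, in bit order."""
    return [name for bit, name in sorted(KDC_OPTIONS.items()) if flags & (1 << (31 - bit))]


def classify_client_address(addr: str) -> str:
    """Tell a local request (loopback) from a remote one, unwrapping IPv4-mapped IPv6 addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback"
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return "ipv4-mapped:%s" % ip.ipv4_mapped
    if ip.is_link_local:
        return "link-local"
    return "remote"


def summarize_4768(text: str) -> Dict[str, object]:
    """Decode the fields a detection rule would key on."""
    f = parse_event_fields(text)
    return {
        "user": f.get("User ID"),
        "client": f.get("Client Address"),
        "client_kind": classify_client_address(f.get("Client Address", "")),
        "options": decode_kdc_options(int(f["Ticket Options"], 16)),
        "etype": ETYPES.get(int(f["Ticket Encryption Type"], 16), "unknown"),
        "preauth": PREAUTH.get(int(f["Pre-Authentication Type"]), "unknown"),
        "success": int(f["Result Code"], 16) == 0,
    }


if __name__ == "__main__":
    for key, value in summarize_4768(SAMPLE_4768).items():
        print("%-12s %s" % (key, value))
```

For the loopback case, the 4624 logon event on the same DC (correlated by time and account) carries the process and logon type that produced the request; that is where to look for which local service or session used the account.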
