Channel: Directory Services forum
Viewing all 31638 articles

New virtual 2008 DC - Some domain users unable to establish LDAP connection


Last night, I DCPROMO'd a physical 2008 R2 DC after ensuring the virtual 2008 R2 DC was fully replicated.  Today, select users are unable to sign in to an application that uses LDAP authentication.

On the DC, if I attempt to use LDP with an affected user's credentials, I get the following:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='dj'; Pwd=<unavailable>; domain = 'domain.com'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 531, v1db1
Error 0x8009030C The logon attempt failed

Any thoughts on what I could be looking for?  The old DC and the new virtual one were both global catalogs only.
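
An added example, not part of the original post: the "data 531" in the bind error is one of the sub-codes AD appends to an LDAP result 49, and each one names a specific account condition. The script below decodes that field and, for 531 (the user's "Log On To" workstation list), compares the list with the host that performed the bind. The name AD checks against the list is the client workstation name carried in the authentication (the NTLM workstation field, or the NetBIOS address in the Kerberos AS-REQ), so LDP run on a DC presents that DC's own name. User 'dj' and the DC name 'VDC01' are placeholders.

```powershell
# Added example (not part of the original post): decode the "data NNN" sub-code in an
# AD bind failure and, for data 531, check the user's workstation restriction.
# Assumed placeholders: user 'dj' and the DC name 'VDC01'.
Import-Module ActiveDirectory

$ErrorText = 'Server error: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 531, v1db1'

# Sub-codes AD puts in the "data" field of an LDAP result 49 (invalid credentials).
$BindDataCodes = @{
    '525' = 'user not found'
    '52e' = 'invalid credentials (wrong password)'
    '530' = 'not permitted to log on at this time (logon hours)'
    '531' = 'not permitted to log on at this workstation (LogonWorkstations)'
    '532' = 'password expired'
    '533' = 'account disabled'
    '701' = 'account expired'
    '773' = 'user must reset password'
    '775' = 'account locked out'
}

function Get-LdapBindFailureReason {
    param([Parameter(Mandatory)][string]$Text)
    if ($Text -match 'data\s+([0-9a-fA-F]+)') {
        $code = $Matches[1].ToLower()
        if ($BindDataCodes.ContainsKey($code)) { return "data $code = $($BindDataCodes[$code])" }
        return "data $code = (sub-code not in table)"
    }
    'no data sub-code present'
}

# Compares the user's LogonWorkstations list with the host that performed the bind.
# The list is evaluated against the workstation name the client sends; LDP run on the
# DC sends the DC's own name, so a list written for the old DC will not contain the new one.
function Test-LogonWorkstationRestriction {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$BindHost
    )
    $user = Get-ADUser -Identity $Identity -Properties LogonWorkstations
    if (-not $user.LogonWorkstations) {
        return [pscustomobject]@{ User = $user.SamAccountName; Restricted = $false; AllowedWorkstations = '(any)'; BindHostAllowed = $true }
    }
    $allowed = $user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() }
    [pscustomobject]@{
        User                = $user.SamAccountName
        Restricted          = $true
        AllowedWorkstations = ($allowed -join ', ')
        BindHostAllowed     = [bool]($allowed | Where-Object { $_ -ieq $BindHost })
    }
}

Get-LdapBindFailureReason -Text $ErrorText
Test-LogonWorkstationRestriction -Identity 'dj' -BindHost 'VDC01'
```

If only some users fail and those users have a non-empty LogonWorkstations value, the application server (or whichever host binds on their behalf) has to appear in that list; the rest of the table is there so the same script answers the other common "Invalid Credentials" cases without guessing.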


Active Directory Replication 2008 R2


Hi

We are getting an error as "The following server could not be reached (topology incomplete)"

Domain Controllers: 2008 R2

How can we resolve this issue?


Aravind

Windows 2012 Fine Grained Password Policy - Unintended Consequences


We are a Windows 2012 AD environment, and I would like to create my first Fine Grained Password Policy. 

Before doing so, I would like to know if there are any unintended consequences or gotchas.

I would like to create one with me in the policy.

Then, what happens to the other 400 users in AD? 

Thanks

Ron
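
An added example, not from the original post: a pilot PSO linked to a single user, plus a report that shows what every listed account actually gets. A PSO applies only to the users and global security groups it is linked to (not OUs), the PSO with the lowest precedence number wins when several apply, and anyone with no PSO keeps the Default Domain Policy, so the other users are untouched. The PSO name 'PSO-Pilot' and the accounts 'ron' and 'someone.else' are placeholders.

```powershell
# Added example (not part of the original post). Creates a pilot PSO, links it to one
# user, and reports which policy each account actually gets. Names are assumed: the
# PSO 'PSO-Pilot' and the users 'ron' and 'someone.else'.
Import-Module ActiveDirectory

function New-PilotPasswordPolicy {
    param(
        [string]$Name = 'PSO-Pilot',
        [Parameter(Mandatory)][string]$Subject,   # a user or a global security group
        [int]$Precedence = 10                     # lower number wins when several PSOs apply
    )
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Subject
}

# Everyone not covered by a PSO keeps the Default Domain Policy settings; PSOs do not
# chain or inherit, so only the winning PSO (or the domain default) applies to a user.
function Get-EffectivePasswordPolicyReport {
    param([Parameter(Mandatory)][string[]]$Users)
    $default = Get-ADDefaultDomainPasswordPolicy
    foreach ($u in $Users) {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $u   # $null when no PSO applies
        $eff = if ($pso) { $pso } else { $default }
        [pscustomobject]@{
            User          = $u
            Source        = if ($pso) { "PSO '$($pso.Name)' (precedence $($pso.Precedence))" } else { 'Default Domain Policy' }
            MinLength     = $eff.MinPasswordLength
            MaxAgeDays    = $eff.MaxPasswordAge.Days
            LockoutThresh = $eff.LockoutThreshold
        }
    }
}

New-PilotPasswordPolicy -Subject 'ron'
Get-EffectivePasswordPolicyReport -Users 'ron', 'someone.else' | Format-Table -AutoSize
```

The two gotchas worth knowing before linking a PSO to real users: the lockout settings in the PSO replace the domain's for its subjects, and if the PSO's MaxPasswordAge is shorter than a subject's current password age, that password expires at once.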

How do I use Get-Aduser


How do I use the cmdlet Get-ADuser to retrieve all modification dates?

I'm looking for all dates the account has been modified, not just the last or first time the account had been created. I have tried several times, but I am new to PowerShell and still learning.

So far this is the only command I have found that is similar to my problem but does not give me my answer:

Get-ADUser -Filter * -Properties Modified | Where {$_.Modified -ge $(Get-Date).AddDays(-1)}

If I can find my answer it will help automate my accounts
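
An added example, not from the original post. AD does not store a change log on the object: whenChanged (the Modified property) is only the most recent write. The closest thing to a history without audit logs is the per-attribute replication metadata, which records for every attribute the time and originating DC of its last change and how many times it has been written. The script reads that with Get-ADReplicationAttributeMetadata and also shows the "changed in the last day" query filtered on the DC instead of in the pipeline. The user 'jsmith' is a placeholder and $env:LOGONSERVER is assumed to name a reachable DC.

```powershell
# Added example (not part of the original post). whenChanged/Modified is only the latest
# write; per-attribute replication metadata gives the last originating change (time, DC,
# version counter) of each attribute. Assumed: user 'jsmith', $env:LOGONSERVER is a DC.
Import-Module ActiveDirectory

function Get-ADUserAttributeHistory {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server = $env:LOGONSERVER.TrimStart('\')
    )
    $user = Get-ADUser -Identity $Identity -Server $Server
    Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $Server -ShowAllLinkedValues |
        Sort-Object LastOriginatingChangeTime -Descending |
        Select-Object AttributeName,
                      Version,                     # how many times the attribute has been written
                      LastOriginatingChangeTime,
                      @{ n = 'OriginatingDC'; e = { ($_.LastOriginatingChangeDirectoryServerIdentity -split ',')[1] -replace '^CN=', '' } }
}

# Accounts written in the last N days, filtered on the DC rather than client-side.
function Get-RecentlyModifiedUsers {
    param([int]$Days = 1)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter { whenChanged -ge $cutoff } -Properties whenChanged |
        Select-Object SamAccountName, whenChanged
}

Get-ADUserAttributeHistory -Identity 'jsmith' | Format-Table -AutoSize
Get-RecentlyModifiedUsers -Days 1
```

repadmin /showobjmeta prints the same metadata. For a real audit trail of every change, enable "Audit User Account Management" on the DCs and collect event 4738 from the Security log.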

ADFS Authentication across forest boundaries.


I have two Active Directory forests (Forest A & Forest B). I have SharePoint running in one forest, Forest A. I have accounts in both forests that I need to authenticate to SharePoint.

I have ADFS 3.0 running in both forests and a federated trust between the forests. As we know, ADFS is not bidirectional. So the current configuration is: Forest B is sending the claim to SharePoint and Forest A is passing it through. When users from Forest A go to log in to the site, they are able to authenticate without any issue.

When users from Forest A try to log in, this is where we receive the infamous error below, and Event ID 364 in the event viewer.

Can someone please shed some light on this issue.

  • Activity ID: 00000000-0000-0000-3500-0080010000ec
  • Relying party: SharePoint 2013
  • Error time: Mon, 12 Jan 2015 19:07:49 GMT
  • Cookie: enabled
  • User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; Tablet PC 2.0; InfoPath.3; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)

Event ID 364:

Encountered error during federation passive request.

Additional Data

Protocol Name:

wsfed

Relying Party:

urn:sharepoint:bgca

Exception details:

System.Net.HttpListenerException (0x80004005): An operation was attempted on a nonexistent network connection

   at System.Net.HttpRequestStream.Read(Byte[] buffer, Int32 offset, Int32 size)

   at Microsoft.IdentityServer.WebHost.DefaultHttpListenerAdapter.PostBody()

   at Microsoft.IdentityServer.WebHost.WrappedHttpListenerRequest.PostBody()

   at Microsoft.IdentityServer.Web.UI.PageBase..ctor(WrappedHttpListenerContext httpListenerContext, IList`1 customCulture)

   at Microsoft.IdentityServer.Web.UI.AuthenticationPageBase..ctor(WrappedHttpListenerContext context, ReadOnlyCollection`1 options, IAuthenticationHandler selectedOption, Boolean otherOptions, Boolean renderAllOptionsExplicitly, Boolean isSecondStageAuthentication, String username, Int32[] customLocales)

   at Microsoft.IdentityServer.Web.UI.LoginPage..ctor(WrappedHttpListenerContext context, ReadOnlyCollection`1 options, IAuthenticationHandler selectedOption, Boolean otherOptions, Boolean isSecondStageAuthentication, Boolean isKmsiVisible, String username)

   at Microsoft.IdentityServer.Web.Authentication.FormsAuthenticationHandler.Process(ProtocolContext context)

   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)

   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)




Thustle

AD ACL issue


Hi all,

I use Windows Server 2008 R2 as domain controller.

Now, I encounter an ACL issue. All of my domain admin members can't change password using Ctrl+Alt+Del.

It works after I check the "Change password" check-box.

But the weird thing is that it gets unchecked automatically after a while, so domain admin users can't change their password the next time.

Is anyone able to give me some input?
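
An added example, not from the original post. Members of protected groups such as Domain Admins carry adminCount=1, and by default every 60 minutes the SDProp task rewrites their ACL from the CN=AdminSDHolder,CN=System template; a permission ticked on the user object is therefore overwritten at the next pass. The script lists the "Change Password" control-access ACEs on the template and on one affected user, and adds the right to the template, which is the only place the change sticks. It assumes it is run with domain admin rights.

```powershell
# Added example (not part of the original post). Shows the User-Change-Password right on
# AdminSDHolder versus a protected user, and adds it to the template, which SDProp then
# propagates to every adminCount=1 account. Assumed: run as a domain admin.
Import-Module ActiveDirectory

$Domain             = Get-ADDomain
$AdminSdHolder      = "CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password control access right

function Get-ChangePasswordAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.ObjectType -eq $ChangePasswordGuid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

function Add-ChangePasswordToAdminSdHolder {
    # Grants the right to SELF (a user changing their own password); Everyone is the other common grantee.
    $sid = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::SelfSid, $null)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ChangePasswordGuid)
    $acl = Get-Acl -Path "AD:\$AdminSdHolder"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$AdminSdHolder" -AclObject $acl
}

$protected = @(Get-ADUser -LDAPFilter '(adminCount=1)')
"Protected users (adminCount=1): $($protected.Count)"
'--- Change Password ACEs on AdminSDHolder:'
Get-ChangePasswordAces -DistinguishedName $AdminSdHolder
if ($protected) {
    "--- Change Password ACEs on $($protected[0].SamAccountName):"
    Get-ChangePasswordAces -DistinguishedName $protected[0].DistinguishedName
}
# Add-ChangePasswordToAdminSdHolder   # run once, then wait for SDProp or trigger it via the rootDSE runProtectAdminGroupsTask attribute
```

If the template already carries the ACE and users still lose it, look for something else writing to AdminSDHolder; the template is the record of what every protected account will end up with.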


Group policy not locked


Created a domain group policy & applied it at the OU level with a group security filtering.
With gpresult /r I can see the group policy has been applied to the computers which are part of that group.
But when I run gpedit.msc I'm able to edit the local policies which are actually included in my domain group policy. Ideally it should show me the configuration done on them at the domain group policy level and they should be locked (not allowing me to change them). But that's not the case.

Just wondering why this is happening?

Can changing an Administrator password interfere with Site to site replication?

Wondering if the built-in Administrator password can interfere with site-to-site replication? We have 3 sites and replication has not been working since one of the domain controllers was taken offline; this happened during the same time the built-in Administrator password was changed. I would like to know so that I can focus on where it went wrong. Any help appreciated.

Establishing a connection between a developer computer to an AD server


Hi All,

I have a computer where my developers are writing code to establish a connection to the AD server.

The developer's computer and the AD server are in different domains. Is there a way to establish the connection?

Clue: I'm not able to ping and look up the AD domain.

Thank you for your support in advance.


Regards, Prabhu
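
An added example, not from the original post: a bind from a machine that cannot resolve the target domain, done by addressing a DC explicitly (IP or FQDN) and supplying credentials through System.DirectoryServices.Protocols, then reading rootDSE to prove the bind worked. With Negotiate against a bare IP and no DNS for the domain, Kerberos cannot locate the realm and the bind falls back to NTLM, so the example signs and seals the non-TLS session and shows the LDAPS variant as well. The DC address '10.0.0.5', the name 'dc01.corp.example' and the account 'DOMAIN\svc-ldap' are placeholders.

```powershell
# Added example (not part of the original post). Binds to a DC the developer box cannot
# resolve by naming the DC explicitly and supplying credentials, then reads rootDSE.
# Assumed placeholders: DC '10.0.0.5' / 'dc01.corp.example', account 'DOMAIN\svc-ldap'.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$UseLdaps
    )
    $port = if ($UseLdaps) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseLdaps) {
        $conn.SessionOptions.SecureSocketLayer = $true   # the DC's certificate must name what you put in $Server
    } else {
        $conn.SessionOptions.Signing = $true              # Negotiate can sign/seal, so a port-389 bind is not cleartext
        $conn.SessionOptions.Sealing = $true
    }
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # falls back to NTLM when Kerberos cannot find the realm
    $conn.Credential = $Credential.GetNetworkCredential()
    $conn.Timeout    = [TimeSpan]::FromSeconds(10)
    try {
        $conn.Bind()
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'dnsHostName', 'defaultNamingContext')
        $resp = $conn.SendRequest($req)
        $e    = $resp.Entries[0]
        [pscustomobject]@{
            Bound     = $true
            DC        = $e.Attributes['dnsHostName'].GetValues([string])[0]
            DefaultNC = $e.Attributes['defaultNamingContext'].GetValues([string])[0]
        }
    } catch {
        [pscustomobject]@{ Bound = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

$cred = Get-Credential -UserName 'DOMAIN\svc-ldap' -Message 'Account in the AD domain'
Test-LdapBind -Server '10.0.0.5' -Credential $cred
Test-LdapBind -Server 'dc01.corp.example' -Credential $cred -UseLdaps
```

The code path the developers ship should not depend on the fallback: give the developer machine name resolution for the domain (a conditional forwarder or, for one box, a hosts entry for the DC) so Kerberos works and the account can be a least-privilege service account rather than something with broad rights. The bind also needs TCP 389 or 636 open from that network to the DC, which "cannot ping" does not tell you either way.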


Reverse Look Up Zone - unknown IP


Hello guys, I noticed something on my DNS box.

There is a wrong reverse lookup IP address.

I tried to ping the IP address; there is no reply.

It's not one of the local subnet IPs.

Is it okay to delete?

Thanks,


Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
IT Stuff Quick Bytes
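
An added example, not from the original post. Before deleting a PTR record it is worth knowing three things about it: whether the name it points to still resolves forward to that address, whether the address falls in any local range, and whether the record is static or dynamic (a dynamic record has a timestamp and will be scavenged on its own if scavenging is on). The script audits a whole reverse zone that way with the DnsServer module. The zone '1.168.192.in-addr.arpa' and the local prefix '192.168.1.' are placeholders.

```powershell
# Added example (not part of the original post). Lists the PTR records in a reverse zone
# and checks each: forward name still maps back to the IP, IP is local, record is static or
# dynamic, host answers ping. Assumed: zone '1.168.192.in-addr.arpa', local prefix
# '192.168.1.', run on or against the DNS server with the DnsServer module.
Import-Module DnsServer

function Get-PtrRecordAudit {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string[]]$LocalPrefixes = @('192.168.1.'),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # "1.168.192.in-addr.arpa" -> 192.168.1 ; the PTR host part is the remaining octets, reversed
    $zoneOctets = ($ZoneName -replace '\.in-addr\.arpa$', '') -split '\.'
    [array]::Reverse($zoneOctets)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Ptr -ComputerName $ComputerName | ForEach-Object {
        $hostOctets = $_.HostName -split '\.'
        [array]::Reverse($hostOctets)
        $ip     = ($zoneOctets + $hostOctets) -join '.'
        $target = $_.RecordData.PtrDomainName.TrimEnd('.')
        $fwd    = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{
            IPAddress      = $ip
            PtrTarget      = $target
            InLocalRange   = [bool]($LocalPrefixes | Where-Object { $ip.StartsWith($_) })
            ForwardMatches = [bool]($fwd | Where-Object { $_.IPAddress -eq $ip })
            Timestamp      = $_.Timestamp     # $null = static record; a date = dynamic, subject to scavenging
            Responds       = Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue
        }
    }
}

# Candidates for deletion: nothing forward-resolves to them, they are not local, and they do not answer.
Get-PtrRecordAudit -ZoneName '1.168.192.in-addr.arpa' |
    Where-Object { -not $_.ForwardMatches -and -not $_.InLocalRange -and -not $_.Responds } |
    Format-Table -AutoSize
```

A record that fails all three checks is safe to remove (Remove-DnsServerResourceRecord -ZoneName ... -RRType Ptr -Name <host part>). If it is dynamic, also ask why a machine outside your subnets was allowed to register into this zone; that is a zone-update-permission question, not just a cleanup one.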

Security-Kerberos Event ID 4 KRB_AP_ERR_MODIFIED for DC, target name cifs/domain


I've been finding this event in logs on computers in my domain recently.  I've seen it on a variety of servers and workstations, so I think it's probably affecting all domain members.  The specific domain controller mentioned in the text of the event varies, it could be any one of our domain controllers.  I'm not sure when it started.  I've been trying to search for a solution, but so far I'm not finding anything that quite fits.  

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          12/22/2014 10:21:55 AM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      HOST.DOMAIN.COM
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DOMAINCONTROLLER$. The target name used was cifs/DOMAIN.COM. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

How can I track down the cause of this issue?
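
An added example, not from the original post. KRB_AP_ERR_MODIFIED means the host that received the ticket could not decrypt it, that is, the KDC encrypted the cifs/DOMAIN.COM ticket with a key the responding host does not have. Two checks cover most cases of this for a domain-name SPN: an account other than the DCs carrying cifs/ or HOST/ for the domain name (HOST/ implies cifs/), and an A record for the bare domain name that points at a machine that is not a DC, so \\DOMAIN.COM lands on a host that was never issued that key. The script runs both checks forest-wide from a domain-joined admin box and takes the domain name from the current domain.

```powershell
# Added example (not part of the original post). Finds every account holding cifs/<domain>
# or HOST/<domain>, and checks that every A record for the bare domain name is a DC.
# Assumed: domain-joined admin box with the AD module; GC found by discovery.
Import-Module ActiveDirectory

function Find-SpnOwners {
    param([Parameter(Mandatory)][string]$Spn)
    $svcHost = ($Spn -split '/')[1] -replace ':.*$', ''
    $gc      = Get-ADDomainController -Discover -Service GlobalCatalog
    $filter  = "(|(servicePrincipalName=$Spn)(servicePrincipalName=HOST/$svcHost))"   # HOST/ implies cifs/
    Get-ADObject -LDAPFilter $filter -Server "$($gc.HostName):3268" -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName,
            @{ n = 'MatchingSPNs'; e = { ($_.servicePrincipalName | Where-Object { $_ -imatch "^(cifs|HOST)/$([regex]::Escape($svcHost))(:|$)" }) -join '; ' } }
}

function Test-DomainRootARecords {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dcIps = Get-ADDomainController -Filter * | Select-Object -ExpandProperty IPv4Address
    Resolve-DnsName -Name $Domain -Type A | Where-Object { $_.Type -eq 'A' } | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; IPAddress = $_.IPAddress; IsDomainController = ($dcIps -contains $_.IPAddress) }
    }
}

$domain = (Get-ADDomain).DNSRoot
"--- accounts holding cifs/$domain or HOST/$domain (any account that holds these is the first thing to look at):"
Find-SpnOwners -Spn "cifs/$domain" | Format-Table -AutoSize
"--- A records for $domain (every one should belong to a DC):"
Test-DomainRootARecords -Domain $domain | Format-Table -AutoSize
```

setspn -X reports duplicate SPNs across the forest and setspn -Q cifs/DOMAIN.COM answers the first question from a command prompt; the A-record check is the one people forget, because a stray record for the domain name (a web server registered as "domain.com", for instance) produces exactly this event on every client that round-robins onto it.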


w32tm /monitor - does not display correctly when NTP IP can not be resolved


Windows 2008r2:

If you set an NTP time source as an IP address and there is no way for the IP to be resolved into a name, why does it not show the IP (without name) under w32tm /monitor?

You can add a lookup in many ways to address this, but I don't see why this should be required.


The Specified Network Name Is No Longer Available access is denied.


Hi Everyone,

I have 2 file servers, one is Windows 2012 and the other one is Windows 2003. Since last week I am getting a strange error. I am not able to access the shared folder of the 2003 server from 2012 and vice versa, using the name as well as the IP address.

The Specified Network Name Is No Longer Available / access is denied.

Can anybody help me to resolve this error.

Regards,

Neel kamal
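
An added example, not from the original post. Windows Server 2003 only speaks SMB1, so the first thing to confirm on the 2012 side is that SMB1 is still enabled in both the server and the client components there, that TCP 445 is reachable, and which dialect any surviving session negotiated. The report below gathers that on the 2012 server; the 2003 host name 'FS2003' is a placeholder.

```powershell
# Added example (not part of the original post). Run on the Windows Server 2012 file server.
# Checks SMB1 on the server side (Get-SmbServerConfiguration) and the client side (the
# mrxsmb10 driver), TCP 445 to the 2003 host, and the dialect of open sessions to it.
# Assumed: the 2003 server is 'FS2003'.
function Test-TcpPort {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 445, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        $true
    } catch { $false } finally { $client.Close() }
}

function Get-SmbLegacyCompatReport {
    param([Parameter(Mandatory)][string]$LegacyServer)
    $srv  = Get-SmbServerConfiguration
    $smb1 = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'"   # SMB1 client driver
    [pscustomobject]@{
        Smb1ServerEnabled        = $srv.EnableSMB1Protocol
        Smb2ServerEnabled        = $srv.EnableSMB2Protocol
        RequireSecuritySignature = $srv.RequireSecuritySignature   # a signing mismatch with the 2003 box also breaks access
        Smb1ClientDriverState    = if ($smb1) { $smb1.State } else { 'not installed' }
        Port445ToLegacy          = Test-TcpPort -ComputerName $LegacyServer
    }
    # Dialect actually negotiated to the old server (only listed while a session is open)
    Get-SmbConnection | Where-Object { $_.ServerName -ieq $LegacyServer } |
        Select-Object ServerName, ShareName, Dialect, UserName, Credential
}

Get-SmbLegacyCompatReport -LegacyServer 'FS2003'
```

If SMB1 is disabled on the 2012 side, the 2003 server can no longer negotiate at all, and "network name no longer available" is what the client shows when the session is torn down mid-request. Re-enabling SMB1 is the quick fix; retiring the 2003 file server is the durable one, since SMB1 has no signing by default, no encryption, and a long CVE history.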

Active Directory Sites And Services Replication


Hi,

I have a multi-site AD environment with domain abc.com. When I observe AD replication in Active Directory Sites and Services, all other sites have a replication connection with site5.abc.com. However, I want site4.domain.com to act as master for AD replication. A general diagram is appended below for reference:

netdom query fsmo shows that site1 has the following:

  1. Schema Master
  2. Domain Naming Master
  3. PDC
  4. RID Pool Manager
  5. Infrastructure Master

I will be thankful for any help in resolving the above issue.

Regards,

Muhammad Qasim.
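
An added example, not from the original post. Inter-site replication follows the site links, not the FSMO roles, so site1 holding the roles has no bearing on which site is the hub. To make one site the hub, give every spoke a site link that contains only the hub and that spoke, and take the spokes out of the shared link (DEFAULTIPSITELINK unless renamed), so the KCC/ISTG has no path that pairs two spokes directly. The site names below (hub 'site4', spokes 'site1', 'site2', 'site3', 'site5') are placeholders.

```powershell
# Added example (not part of the original post). Builds hub-and-spoke site links around
# $Hub and removes each spoke from the shared link, then reports links and connections.
# Assumed site names: hub 'site4', spokes 'site1','site2','site3','site5'.
Import-Module ActiveDirectory

function Set-HubAndSpokeSiteLinks {
    param(
        [Parameter(Mandatory)][string]$Hub,
        [Parameter(Mandatory)][string[]]$Spokes,
        [int]$Cost = 100,
        [int]$FrequencyMinutes = 15,
        [string]$SharedLink = 'DEFAULTIPSITELINK'
    )
    foreach ($spoke in $Spokes) {
        $name = "$Hub-$spoke"
        if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$name'")) {
            New-ADReplicationSiteLink -Name $name -SitesIncluded $Hub, $spoke -Cost $Cost `
                -ReplicationFrequencyInMinutes $FrequencyMinutes -InterSiteTransportProtocol IP
        }
        # Pull the spoke out of the shared link so its only route is through the hub.
        Set-ADReplicationSiteLink -Identity $SharedLink -SitesIncluded @{ Remove = $spoke } -ErrorAction SilentlyContinue
    }
}

function Get-SiteLinkReport {
    Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, Cost, ReplicationFrequencyInMinutes |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes,
            @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', ' } }
}

Set-HubAndSpokeSiteLinks -Hub 'site4' -Spokes 'site1', 'site2', 'site3', 'site5'
Get-SiteLinkReport | Format-Table -AutoSize
# After the next KCC pass (or "repadmin /kcc" on the ISTG of each site), inbound connection
# objects in the spokes should name a hub DC as their source.
Get-ADReplicationConnection -Filter * | Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
```

Leave "Bridge all site links" on: with only hub-spoke links defined, spoke-to-spoke routes still exist transitively but always cost more than the direct hub link, so the ISTG picks the hub.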


Trust Domain Failed



Hi all,

I'm experiencing some issues while creating a domain trust between two separate domains.

Servers in 1st domain are all Windows 2008 R2 (Domain functional level Windows 2008 R2, Forest functional level Windows 2008 R2)

Servers in 2nd domain are all Windows 2008 (Domain functional level Windows 2008, Forest functional level Windows 2008)

I want to establish a one-way incoming trust in the 1st domain and a one-way outgoing trust in the 2nd domain.

The two domains have very similar names. Just consider for example test.it for 1st domain and test.com for 2nd domain.

So I created a stub zone on the respective domains and started the trust wizard, but it failed with the message "trust relationship cannot be created. operation can not be performed on the current domain".


I suppose it's a domain name matter but I can't get rid of it. :-(

please help me...
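
An added example, not from the original post. Before the trust wizard can do anything it needs the other domain's DC SRV records to resolve (that is what the stub zone is for), a DC there to answer LDAP, and, the point that bites domains with near-identical DNS names, NetBIOS names that differ: domains created as test.it and test.com both get the default NetBIOS name TEST, and a trust cannot be created between two domains that share one. The check below reports all three from the first domain; the credential 'TEST\Administrator' for the second domain is a placeholder.

```powershell
# Added example (not part of the original post). Verifies the remote domain's DC SRV
# records, an LDAP answer from one of its DCs, and that the two NetBIOS names differ.
# Assumed: run from the first domain; 'test.com' and 'TEST\Administrator' are placeholders.
Import-Module ActiveDirectory

function Test-TrustPrerequisites {
    param(
        [Parameter(Mandatory)][string]$RemoteDomain,
        [Parameter(Mandatory)][pscredential]$RemoteCredential
    )
    $local = Get-ADDomain
    $srv   = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' })
    $remote = $null
    $ldapError = $null
    if ($srv) {
        # Asking the remote DC directly also proves LDAP (389) is open from here.
        try   { $remote = Get-ADDomain -Identity $RemoteDomain -Server $srv[0].NameTarget -Credential $RemoteCredential }
        catch { $ldapError = $_.Exception.Message }
    }
    [pscustomobject]@{
        LocalDnsRoot     = $local.DNSRoot
        LocalNetBIOS     = $local.NetBIOSName
        RemoteDnsRoot    = $RemoteDomain
        RemoteDcSrvFound = [bool]$srv
        RemoteDcs        = (($srv | ForEach-Object { $_.NameTarget }) -join ', ')
        RemoteLdapOk     = [bool]$remote
        RemoteNetBIOS    = if ($remote) { $remote.NetBIOSName } else { $ldapError }
        NetBIOSCollision = [bool]($remote -and ($remote.NetBIOSName -ieq $local.NetBIOSName))
    }
}

$cred = Get-Credential -UserName 'TEST\Administrator' -Message 'Account in the second domain'
Test-TrustPrerequisites -RemoteDomain 'test.com' -RemoteCredential $cred | Format-List
```

A NetBIOSCollision of True cannot be fixed from the trust wizard; one of the two domains needs a different NetBIOS name, which for an existing domain means a domain rename. RemoteDcSrvFound False means the stub zone is not serving the _msdcs records and the wizard will fail before it reaches the other side.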


Multiple Domain active directory authentication


I have an active domain environment that looks like this.

Domain A: Domain A controller in Site 1
Domain B: Domain B controller in Site 2

If a user in Site 1 is a member of Domain B, can the Domain A domain controller handle the authentication, or does the user's request go out to find a domain controller in Domain B? Trying to understand how it works.

I guess the question is, if we have 2 domains, do we need both domain controllers (one for each) at each site?

They are both global catalog servers and a trust is set up.

I don't know if a user from one domain can authenticate to a different DC.

Thanks

New DCs not replicating: KCC error Event ID 1014, 1663 and 1435


Hi *.*,

Even though I have been working with AD for some years, I now have one of the weirdest errors I have ever faced. To point it out quickly, AD features:

  • 1 forest, 4 domains.
  • 44 DCs, most of them running Windows Server 2003 SP2. About 2 DCs running Windows Server 2008 R2.
  • Functional Level: Windows Server 2003
  • All of them working correctly, according to dcdiag.exe
  • Database file integrity and semantic analysis are OK

However, as soon as we add a new DC to any domain of the forest, problems begin:

  1. Primary replication works perfectly and the DC receives all the data.
  2. After promoting, the computer restarts and I get three KCC warnings in the event log.
  3. No more replication happens after promotion, as there are no replication partners; the Domain Controller is not functional at this point. Some replication works if I add the partners manually, but the KCC errors persist.

The following errors can be seen in the Event Viewer, all three of them every 15 minutes:

================== Event ID 1014
The Knowledge Consistency Checker (KCC) failed to update the replication topology for the local directory service. The KCC will attempt to update the replication topology at the following scheduled interval.

KCC update interval:
900

By default, updates occur every 15 minutes.

User Action
If this continues to occur, restart the directory service.

Additional Data
Error value:
8409 A database error has occurred.
Internal ID:
f0700cb

================== Event ID 1663
The Knowledge Consistency Checker (KCC) did not initialize its configuration cache.

This operation will be tried again later.

User Action
If this condition continues, restart the directory service.

Additional Data
Internal ID:
f1000d2

================== Event ID 1435
The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.

Operation type:
KccSearch
Object distinguished name:
CN=Partitions,CN=Configuration,DC=domain,DC=com

The operation will be retried at the next KCC interval.

Additional Data
Error value:
1 0000206F: AtrErr: DSID-031200EB, #1:
	0: 0000206F: DSID-031200EB, problem 1003 (UNDEFINED_ATT_TYPE), data 0, Att 907af (Not in cache!)

Internal ID:
f030308

Any idea or advice are very welcome :)
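
An added example, not from the original post. UNDEFINED_ATT_TYPE with "Att 907af (Not in cache!)" says the new DC's schema cache has no definition for an attribute it is being asked to handle. The "Att" value is an internal ATTRTYP: the high 16 bits index the schema prefix table and the low 16 bits are the last OID arc, so it can be turned back into an attributeID and looked up. The first function does that with the default prefix table from MS-DRSR (index 9 is 1.2.840.113556.1.4, the Microsoft attribute arc; an ATTRTYP whose prefix index is outside that table has to be resolved from the schema's prefixMap instead). The second compares the schema partition across DCs to find one whose copy is behind. It assumes the AD module on a 2008 R2 box and takes the DC list from Get-ADForest.

```powershell
# Added example (not part of the original post). Decodes an ATTRTYP from the KCC event
# into an attributeID OID via the default MS-DRSR prefix table, looks the attribute up,
# and compares the schema NC across DCs. Assumed: AD module on a 2008 R2 box.
Import-Module ActiveDirectory

$DefaultPrefixTable = @{
    0 = '2.5.4'; 1 = '2.5.6'; 2 = '1.2.840.113556.1.2'; 3 = '1.2.840.113556.1.3'
    4 = '2.16.840.1.101.2.2.1'; 5 = '2.16.840.1.101.2.2.3'; 6 = '2.16.840.1.101.2.1.5'
    7 = '2.16.840.1.101.2.1.4'; 8 = '2.5.5'; 9 = '1.2.840.113556.1.4'; 10 = '1.2.840.113556.1.5'
}

function ConvertFrom-AttrTyp {
    param([Parameter(Mandatory)][string]$HexAttrTyp)   # e.g. '907af' from the event text
    $value  = [Convert]::ToInt32($HexAttrTyp, 16)
    $prefix = [int][math]::Floor($value / 65536)       # prefix table index
    $arc    = $value % 65536                           # last arc of the OID
    if (-not $DefaultPrefixTable.ContainsKey($prefix)) {
        throw "prefix index $prefix is not in the built-in table; resolve it from the schema's prefixMap"
    }
    "$($DefaultPrefixTable[$prefix]).$arc"
}

function Find-SchemaAttributeByOid {
    param([Parameter(Mandatory)][string]$Oid, [string]$Server = $env:LOGONSERVER.TrimStart('\'))
    $schemaNc = (Get-ADRootDSE -Server $Server).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc -LDAPFilter "(attributeID=$Oid)" -Server $Server -Properties lDAPDisplayName, attributeID, whenCreated |
        Select-Object lDAPDisplayName, attributeID, whenCreated
}

function Compare-SchemaAcrossDCs {
    param([string[]]$DomainControllers = (Get-ADForest).GlobalCatalogs)
    foreach ($dc in $DomainControllers) {
        try {
            $root   = Get-ADRootDSE -Server $dc
            $schema = Get-ADObject -Identity $root.schemaNamingContext -Server $dc -Properties objectVersion, whenChanged
            $attrs  = @(Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(objectClass=attributeSchema)' -Server $dc -ResultSetSize $null)
            [pscustomobject]@{ DC = $dc; SchemaVersion = $schema.objectVersion; AttributeCount = $attrs.Count; SchemaLastChanged = $schema.whenChanged; HighestUSN = $root.highestCommittedUSN }
        } catch {
            [pscustomobject]@{ DC = $dc; SchemaVersion = $null; AttributeCount = $null; SchemaLastChanged = $null; HighestUSN = "error: $($_.Exception.Message)" }
        }
    }
}

$oid = ConvertFrom-AttrTyp -HexAttrTyp '907af'
"ATTRTYP 907af -> attributeID $oid"
Find-SchemaAttributeByOid -Oid $oid
Compare-SchemaAcrossDCs | Sort-Object AttributeCount | Format-Table -AutoSize
```

If the attribute exists on the other DCs but the new one reports a lower AttributeCount or an older SchemaLastChanged, the schema partition did not fully arrive before the KCC started, and a schema cache reload (the rootDSE schemaUpdateNow operation) or a restart of the directory service after the schema NC has caught up is the next step; if the OID is not defined anywhere, something is replicating an attribute the forest schema never had.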


Strange DCLocator behavior on servers in perimeter network with RODC


Hi,

We have an RODC in a perimeter network that is configured through Sites and Services to handle logon requests for the perimeter network's subnets. We've seen some strange behavior with the logons on this network though.

* If a user logs on a server in the perimeter network, and is a member of "allowed RODC Password Replication" group, and has their password prepopulated, the logon is near instant
* If a user logs on a server in the perimeter network, and is a member of "allowed RODC Password Replication" group, but doesn't have their password prepopulated, the logon takes around 20 seconds on first logon, and near instant on any subsequent logons on any server in the perimeter network. (the password is now cached)
* If a user logs on a server in the perimeter network, and is not a member of "allowed RODC password replication" group, all logons take around 20 seconds.

We've done a few traces on the servers with Wireshark, and during the logons without cached or prepopulated passwords, we see communication with the RODC at logon, then a long pause (about 20 seconds), and then continued communication with the RODC, and the logon continues.
During this pause, we see the server trying to communicate with one of our RWDCs outside the perimeter network (on port 445), which is not possible, and we believe this is what's causing the delay in logon. From what I've gathered this is not normal behavior.
We've re-verified that the sites are set up correctly, as nltest /dsgetdc:domain.local returns the RODC and the correct perimeter network site.

We've also checked the Netlogon logs, but haven't gotten any answers from that either. Though occasionally we see DC locator requesting a writable DC and dropping the RODC with reason "responder is not a writable server", which is correct of course. Though we're not sure if this is the logon request or some other service we've got running on the server, so we've not gone further into investigating this at this time.

Any tips on what we could check next?

The RODC is a 2012 R2 server in a 2012 R2 domain (both domain and forest functional level raised), and the member servers are all also 2012 R2 servers.

Best regards,
Pouria
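
An added example, not from the original post. Netlogon debug logging (nltest /dbflag:0x2080ffff, written to %SystemRoot%\debug\netlogon.log) records every DsGetDcName call with the caller's PID and the flags it asked for, which is what separates "the logon itself asked for a writable DC" from "some service on the box did". The parser below pulls those calls out, ties the RODC's "responder is not a writable server" refusal and the return code back to the calling thread, and resolves the PID to a process name when run on the box that wrote the log. The log lines in the block are constructed samples in the shape of the real file, not taken from the poster's environment.

```powershell
# Added example (not part of the original post). Parses netlogon.log for DsGetDcName calls
# and reports which process asked for a WRITABLE DC and whether the RODC refused it.
# The sample lines are constructed, not captured from the poster's servers.
$SampleNetlogonLog = @'
01/13 09:12:41 [MISC] [1432] DsGetDcName function called: client PID=700, Dom:domain.local Acct:(null) Flags: DS KDC
01/13 09:12:41 [MISC] [1432] DsGetDcName function returns 0 (client PID=700): Dom:domain.local Acct:(null) Flags: DS KDC
01/13 09:12:52 [MISC] [2208] DsGetDcName function called: client PID=1776, Dom:domain.local Acct:(null) Flags: WRITABLE DS RET_DNS
01/13 09:12:52 [CRITICAL] [2208] NetpDcGetName: domain.local. cannot find DC in site 'PerimeterSite': responder is not a writable server
01/13 09:13:12 [MISC] [2208] DsGetDcName function returns 1355 (client PID=1776): Dom:domain.local Acct:(null) Flags: WRITABLE DS RET_DNS
'@ -split "`r?`n"

function Get-DcLocatorRequests {
    param([Parameter(Mandatory)][string[]]$Lines)
    $calls = foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[\w+\] \[(?<tid>\d+)\] DsGetDcName function called: client PID=(?<cpid>\d+), Dom:(?<dom>\S+) Acct:(?<acct>\S+) Flags: (?<flags>.*)$') {
            [pscustomobject]@{
                Time          = $Matches.ts
                Thread        = $Matches.tid
                ClientPid     = [int]$Matches.cpid
                Domain        = $Matches.dom
                Flags         = $Matches.flags.Trim()
                WantsWritable = [bool]($Matches.flags -match '\bWRITABLE\b')
                RodcRejected  = $false
                Result        = $null
                Process       = $null
            }
        }
    }
    foreach ($line in $Lines) {
        # Tie the RODC's "not writable" refusal and the final return code back to the calling thread.
        if ($line -match '^\S+ \S+ \[\w+\] \[(?<tid>\d+)\] NetpDcGetName: .*responder is not a writable server') {
            $tid = $Matches.tid
            $calls | Where-Object { $_.Thread -eq $tid } | ForEach-Object { $_.RodcRejected = $true }
        } elseif ($line -match '^\S+ \S+ \[\w+\] \[(?<tid>\d+)\] DsGetDcName function returns (?<rc>\d+)') {
            $tid = $Matches.tid; $rc = [int]$Matches.rc
            $calls | Where-Object { $_.Thread -eq $tid -and $null -eq $_.Result } | ForEach-Object { $_.Result = $rc }
        }
    }
    foreach ($c in $calls) {
        # Only meaningful on the box that wrote the log, while the process is still alive.
        $p = Get-Process -Id $c.ClientPid -ErrorAction SilentlyContinue
        $c.Process = if ($p) { $p.ProcessName } else { '(not running)' }
    }
    $calls
}

Get-DcLocatorRequests -Lines $SampleNetlogonLog |
    Where-Object { $_.WantsWritable } |
    Format-Table Time, ClientPid, Process, Flags, RodcRejected, Result -AutoSize
# On a member server: Get-DcLocatorRequests -Lines (Get-Content "$env:SystemRoot\debug\netlogon.log")
```

A WRITABLE request whose PID maps to lsass during the 20-second gap points at the logon path itself; one that maps to a service points at that service, and the 1355 (ERROR_NO_SUCH_DOMAIN) return after the timeout is the delay you are seeing on the wire.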

How to hide and then unhide AD objects?


Dear all,

I want to know how to hide and then unhide AD objects.

Thanks

Regards

Restoring Virtualized Domain Controllers


http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#backup_and_restore_considerations_for_virtualized_domain_controllers

The article above has an illustration to determine the best way to restore a virtualized DC.  I have several questions about this chart.

1.  The step titled "Deploy the VHD against a new VM, and restart in normal mode" -  Must a new VM be created in HyperV, or can the VHD just be replaced with a backup?

2.  The steps titled "Restore the Virtual machine instance that predates the failure" - Is it really necessary to start in DSRM mode and set this registry value if the backup is an application consistent, image based backup where what you are doing is restoring the VHDX file?

3.  What will happen if you restart a Domain Controller that is in good condition, go into DSRM mode and set "Database restored from backup" to 1?
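
An added example, not from the original post. Whatever branch of that flowchart applies, the decision rests on a few pieces of state on the DC: its current invocation ID (any proper restore changes it), whether the hypervisor exposes a VM-GenerationID to the guest (only for Windows Server 2012 and later DCs on a hypervisor that supports it; absent in the 2008 R2 scenario the article covers, which is why it needs the manual flag), and the "Database restored from backup" value under NTDS\Parameters. A DC that starts with that value set to 1 runs the same post-restore processing as after a system-state restore (new invocation ID, fresh RID pool), which answers question 3: on a healthy DC it is safe but not free, and it logs the same events. The script reads that state and the related Directory Service events; it assumes it is run elevated on the DC.

```powershell
# Added example (not part of the original post). Run elevated on the DC. Reports invocation
# ID, whether a VM-GenerationID is stored on the computer object (2012+ DCs only), and the
# "Database restored from backup" flag, then lists the restore-related events.
Import-Module ActiveDirectory

function Get-VirtualDcRestoreState {
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dc     = Get-ADDomainController -Identity $env:COMPUTERNAME
    $comp   = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationId'
    $gen    = $comp.'msDS-GenerationId'
    [pscustomobject]@{
        DC                     = $dc.HostName
        InvocationId           = $dc.InvocationId
        VmGenerationIdPresent  = [bool]$gen
        VmGenerationIdHex      = if ($gen) { ($gen | ForEach-Object { $_.ToString('x2') }) -join '' } else { $null }
        RestoredFromBackupFlag = $params.'Database restored from backup'   # $null unless someone set it in DSRM
        DsaDatabaseFile        = $params.'DSA Database file'
        DsaWorkingDirectory    = $params.'DSA Working Directory'
    }
}

Get-VirtualDcRestoreState | Format-List

# 1109 = invocation ID changed (restore processing ran); 2170 = VM-GenerationID change
# detected by a 2012+ DC, the automatic equivalent of the manual flag.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1109, 2170 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

For question 2 the same state answers it: swapping a VHD/VHDX in place on a 2008 R2 DC gives the directory service no signal that anything happened, so without the flag it keeps its old invocation ID and USN watermarks and its partners silently discard its updates (USN rollback). Record the InvocationId before the restore and confirm it changed after; an unchanged value means the restore processing did not run.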

