Channel: Directory Services forum
Viewing all 31638 articles

Implementing CNAME www.google.com pointing to nosslsearch.google.com without making DNS server authoritative for google.com domain?

Google has made my life somewhat difficult lately by encrypting everything if you are logged into a Google account or using encrypted.google.com.  The SSL encryption causes my URL and network application filtering appliance to fail miserably at blocking certain types of material that comes up in Google searches that it would normally block on an unencrypted connection.

I have discovered that Google provides a method of forcing Google searches to be unencrypted. That solution can be seen at the following link:  http://support.google.com/websearch/bin/answer.py?hl=en&answer=173733.

Part of the solution is to create a CNAME record "www.google.com" that points to “nosslsearch.google.com”; however, I am having trouble figuring out how to successfully accomplish this. If they have their own article on the specific implementation of this record, I have not been able to locate it.

I have a Windows Server 2008 R2 Active Directory forest, with all domain controllers also acting as DNS servers (AD integrated). My understanding is that if I attempt to add a forward lookup zone “google.com” and add the desired CNAME record, my internal DNS servers become authoritative for the google.com domain name. Basically, absent any other resource records in the google.com forward lookup zone in our internal DNS servers, DNS requests for other hosts or subdomains in the google.com domain would simply fail. Examples would be Google Docs and Gmail, which are docs.google.com and mail.google.com, respectively.

Is there some way to configure a Windows Server 2008 R2 SP1 DNS server so that it contains the desired CNAME record but forwards other DNS lookup requests for other hosts/subdomains for google.com to the configured forwarding servers (or at least to the nameservers listed for google.com)?


Confusion with LDAP Anonymous Simple Bind and Pre-Windows 2000 Compatible Access Group

Hi

Whilst trying to understand the functionality of "BUILTIN\Pre-Windows 2000 Compatible Access group", I was able to enumerate a specific set of information ANONYMOUSLY when using certain APIs like SAMR named pipe with SMB, detailed HERE. The tool I used to enumerate information anonymously from AD using a NULL session is called SuperScan.

The key in this First Scenario is to add the special identity "NT AUTHORITY\ANONYMOUS LOGON" to "BUILTIN\Pre-Windows 2000 Compatible Access group" and use software which uses the noted APIs to query/enumerate information.

If we look at the Default Security Descriptor of the Domain, we can see the Pre-Windows 2000 group is present with some pre-defined level of granted rights (refer to the first image pasted below).

Now I continue with the Second Scenario, where I try to enumerate information anonymously but using LDAP/LDP.exe.

Now by default with Windows Server 2003, the anonymous LDAP Bind operation isn't permitted, unless this behavior has been explicitly overridden using the DsHeuristics attribute. As per this article, the author indeed changed the noted attribute value, but he also changed the Security Descriptor of the targeted containers (in the author's case - SENECA) to allow "NT AUTHORITY\Anonymous Logon" with List Contents and Read permission!

Now if we don't add & grant rights to "NT AUTHORITY\Anonymous Logon" for the given container/object, then we won't be able to search/browse information anonymously using LDP.exe, and this is the part that confuses me.

If I look at the default ACL of the Domain Object, we see that by default, multiple permissions including LIST contents & READ permission exist for "BUILTIN\Pre-Windows 2000 Compatible Access group" applied recursively (This Object and all child Objects), as shown in the attachment.


Now if I have already added "NT AUTHORITY\ANONYMOUS LOGON" to "BUILTIN\Pre-Windows 2000 Compatible Access group", then "NT AUTHORITY\Anonymous Logon" should automatically possess all of the rights adhered by "BUILTIN\Pre-Windows 2000 Compatible Access group" and I should be able to view information anonymously using Simple LDAP bind, but indeed it's NOT! Please correct me if I am wrong here.

I am trying to enumerate information under USERS container anonymously.

Please Assist.



OS ... VirTuaLiZaTioN ... MaxiMuS ... Fair, Good, Better, Best




Dir-Sync - IDFix

Hi - hope this is the right forum (I find the number of different forums v confusing)

I am running IDFix against my AD, in preparation for syncing with Office 365.

However, I don't quite understand the following:

It is quite rightly identifying the .local as an error, but in the suggested UPDATE column the tool is simply repeating the .local address. Why?

If a mail alias has a non-standard character, e.g. ?, the tool suggests in the update column the correct choice, i.e. without the ?

Why is it not doing this for the .local?




Username tab blank on logon screen after locking the system

Two Windows Server 2012 R2 Domain Controllers in the environment.

All machines are running Windows 7 Enterprise.

There are separate group policies for IT Team and User team.

On user computer when they lock the machine and press CTRL+ALT+Del the user name field is blank.

On IT computer when they lock the machine and press CTRL+ALT+Del the user name field has current logged on user.

I am unable to locate the group policy that will cause this behavior.

Please advise.

The articles below discuss the issue; however, none of the resolutions worked.

How to Display User Information or Not when a Windows Session is Locked
http://www.sevenforums.com/tutorials/182700-lock-computer-screen-display-user-information-not.html

How to Make Windows 7 Require a User Name and Password in Log On Screen
http://www.sevenforums.com/tutorials/61650-log-user-name-password.html

Proxy Addresses

Hi All, is there a tool or script (besides ADSI Edit) I can use to add proxyAddresses in Active Directory which can bulk add for each user?

For example,

John.smith@domain.com is the username but I want

johns@domain.com as a proxy address, which will be the same for the rest of the users.

thanks

ADFS 3.0 SAML assertion not an HTTP POST

Hi All,

I have the task of setting up SSO using SAML with component space. The identity provider is ADFS.

Using both ADFS 2 and 3 (on servers 2008 R2 and 2012 R2) the assertion results in the following error:

----------------------------------------------------------------------------

The message is not an HTTP POST.

Description:
An unhandled exception occurred during the execution of the current web
request. Please review the stack trace for more information about the error and
where it originated in the code.

Exception Details:
ComponentSpace.SAML2.Exceptions.SAMLBindingException: The message is not an
HTTP POST.

Source Error:
An unhandled exception was generated during the execution of the
current web request. Information regarding the origin and location of the
exception can be identified using the exception stack trace below.

Stack Trace:
[SAMLBindingException: The message is not an HTTP POST.]
   ComponentSpace.SAML2.Bindings.HTTPPostBinding.ReceiveResponse(HttpRequest httpRequest, XmlElement& samlMessage, String& relayState) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Bindings\HTTPPostBinding.cs:461
   ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:690
   ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, IDictionary`2& attributes, String& relayState) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLServiceProvider.cs:385
   SamlServiceProvider.AssertionConsumerService.Page_Load(Object sender, EventArgs e) in c:\Users\Scott\Documents\Visual Studio 2013\Projects\SamlServiceProvider\SamlServiceProvider\SAML\AssertionConsumerService.aspx.cs:34
   System.Web.UI.Control.LoadRecursive() +71
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3178

----------------------------------------------------------------------------

The offending request is:

GET /SAML/AssertionConsumerService HTTP/1.1

Cache-Control: no-cache
Connection: Keep-Alive
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-NZ

Referer: {adfs server}

I think ADFS might be at fault.

Thanks,

Scott

Authentication of Unix or Linux Systems via Active Directory

Hi,

Is there an inbuilt solution in Windows 2012 R2 which can be used to authenticate Unix or Linux users?

I understand there are many 3rd-party solutions for this, but I want to know if there is any available inbuilt in Windows Server.

Thanks

Vivek

Cannot join workstations to domain - DNS ldap records gone

Hello.

Last month I had RAID issues with an old Windows 2003 server. I managed to recover (so I thought) and boot it.

Today while joining workstations to my domain I got:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs."my.domain.com"

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are
registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set
intervals. This computer is configured to use DNS servers with the following IP addresses:

I've issued "dcdiag /fix" but I also got the following errors.


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\myserver
      Starting test: Connectivity
         The host 707374ab-bb88-48d4-b7de-00a3710ec8af._msdcs.my.domain.com could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (707374ab-bb88-48d4-b7de-00a3710ec8af._msdcs.my.domain.com) couldn't
         be resolved, the server name (myserver.my.domain.com) resolved to the IP
         address (193.136.66.26) and was pingable.  Check that the IP address
         is registered correctly with the DNS server. 
         ......................... myserver failed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\myserver
      Skipping all tests, because server myserver is
      not responding to directory service requests
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : win
      Starting test: CrossRefValidation
         ......................... win passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... win passed test CheckSDRefDom
   
   Running enterprise tests on : my.domain.com
      Starting test: Intersite
         ......................... my.domain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... my.domain.com passed test FsmoCheck

When I went to check my DC, which is also the DNS server, I found that the "_ldap._tcp.dc"... records do not exist anymore.

I was suspicious that there was some data I couldn't restore; now I'm sure.

Is there any way to restore the DNS data for my domain, or do I have to use DCPROMO and start from scratch?

Thanks and regards.

Dave


Transform claim value (personalidentitynumber) ADFS 3.0

Hi,

If I want to send a personal identity nr as a claim to a web application, is it possible to remove the year-part of the number when sending the claim?

For example, if the attribute has a value of 191212121212 I would like to send it as 1212121212.

/Bo


both



Sharepoint and LastLogonTimeStamp

Hi All,

I understand the difference between the "Last Logon" and "LastLogonTimeStamp" attributes in AD in that only the LastLogonTimeStamp is replicated, but what I don't know or understand is whether the LastLogonTimeStamp is updated for a user who only uses their account to access a SharePoint site in my domain.

So I have a user who doesn't log on to a domain workstation, doesn't log on to the domain, but accesses a SharePoint site. Would you expect to see their LastLogonTimeStamp updated? And if not, why not?

Regards

Patrick Horne

Upgrade to ADFS 3 without Proxy

My current environment runs ADFS 2.0 w/o proxies (long story as to why) and we are testing an upgrade to ADFS 3. We built the new ADFS 3 farm and imported the ADFS 2.0 configuration. We use host files to point to and test the ADFS 3 farm. We are able to successfully connect to O365 through the ADFS 3 farm but we are forced to enter credentials in a separate pop-up window. Our current ADFS 2 farm does not do this. In our testing, the only way the pop-up window went away was to configure the Application Proxy. Then we saw the typical sign-in page we normally see when signing in to O365 via our ADFS 2 farm.

We've configured the sign-in page via the ADFS 3 Powershell cmdlet but we can't get rid of the pop-up window without putting the App Proxy in front of ADFS. How do we get the proper sign-in page whether using a proxy or not with ADFS 3?

Active Directory Replication and time sync problem

A new client has a network with two sites and four domain controllers.  I will call them sites A and B.   Each site has two domain controllers.  One domain controller at each site is server 2012 and the other is server 2003.

aiserversv site A server 2012

ai-admin1 site A server 2003 (has all FSMO roles)

aiserverrc site B server 2012

ai-admin2 site B server 2003

The FSMO roles are all on a server 2003 server at site A.

Replication to servers at site B has not happened since Feb 7 2014.

Digging deeper I find that time at site B is not synced properly.  I suspect that is the reason for the lack of AD replication.  AI-admin2 and aiserverrc are the site B servers.

PS C:\Users\administrator.ASSISTINTL> w32tm /query /status /verbose
Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0100000s
ReferenceId: 0x564D5450 (source IP:  86.77.84.80)
Last Successful Sync Time: 1/10/2015 8:25:17 AM
Source: VM IC Time Synchronization Provider
Poll Interval: 6 (64s)

Phase Offset: 0.0009627s
ClockRate: 0.0156250s
State Machine: 2 (Sync)
Time Source Flags: 3 (Authenticated Hardware )
Server Role: 64 (Time Service)
Last Sync Error: 0 (The command completed successfully.)
Time since Last Good Sync Time: 25.3554836s

PS C:\Users\administrator.ASSISTINTL> w32tm /monitor
ai-admin2.assistinternational.org[10.1.3.50:123]:
    ICMP: 0ms delay
    NTP: -709.8786568s offset from ai-admin1.assistinternational.org
        RefID: (unspecified / unsynchronized) [0x00000000]
        Stratum: 0
ai-admin1.assistinternational.org *** PDC ***[10.1.1.14:123]:
    ICMP: 47ms delay
    NTP: +0.0000000s offset from ai-admin1.assistinternational.org
        RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
        Stratum: 2
AISERVERRC.assistinternational.org[[fe80::3098:2349:bc6c:c6c1%15]:123]:
    ICMP: 0ms delay
    NTP: -155.5423334s offset from ai-admin1.assistinternational.org
        RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
        Stratum: 2
AISERVERSV.assistinternational.org[10.1.1.20:123]:
    ICMP: 52ms delay
    NTP: +0.0093190s offset from ai-admin1.assistinternational.org
        RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
        Stratum: 2


Why is there an offset and how can I correct that situation?

I want to eliminate the server 2003 domain controllers.  There are a total of 22 workstations at the combined sites so I do not see a need for 4 domain controllers.   Before I do anything I want to have the clocks sync right and get replication working again.

What is the best strategy to recover this situation - to get clocks syncing and to get replication working again? 

Problem to join Windows Active Directory Domain with VPN connection

Our existing domain users are unable to log in to the new workstation that joined the domain when connecting via VPN connection from the office branch. The new machine name was found on the AD server after joining to the domain successfully.

The message we get from the login console is “The security database on the server does not have a computer account for this workstation trust relationship.”

If the workstation is joined to the domain from the HQ network and brought down to the office branch, there is no problem for the users to log in via VPN connection.

What would be the cause of it? Users can connect to DNS servers, AD servers, exchange servers, file servers without any issue via VPN connection.

 

Not allow user to copy files Windows Server 2008 R2 as file server

Dear All,

We have Windows 2008 R2 as a file server and want to configure it so that users are not allowed to copy files from one location to another location.

Please help with how to implement this.

Sunil


SUNIL PATEL SYSTEM ADMINISTRATOR

AdamSync logging

Hi,

Is there a way of logging verbosely what Adamsync is doing?    I use the /log command line,  but this only gives summary information by the look of it.

The problem I have is that Adamsync is not importing all the data that I expect it to...

If I run this command against the domain controller that Adamsync normally talks to,  

csvde -f data4.csv -s b06721 -d "dc=xxxx,dc=root,dc=local" -p subtree -v -l "DN, userPrincipalName" -r "(&(objectClass=User)(objectCategory=person))"

then the export has about 3500 entries,   and includes the user that I'm interested in.

The AD LDS instance has this configuration file

<?xml version="1.0"?>
<doc>    
 <configuration>        
  <description>sample Adamsync configuration file</description>        
  <security-mode>object</security-mode>            
  <source-ad-name>xxxx.root.local</source-ad-name>        
  <source-ad-partition>dc=xxxx,dc=root,dc=local</source-ad-partition>
  <source-ad-account>servicenowldap</source-ad-account>                
  <account-domain>xxxx-ad</account-domain>
  <target-dn>dc=xxxx,dc=co,dc=uk</target-dn>        
  <query>            
   <base-dn>dc=xxxx,dc=root,dc=local</base-dn>
   <object-filter>(&amp;(objectClass=User)(objectCategory=person))</object-filter>            
   <attributes>                
     <include>objectSID</include>
     <include>userPrincipalName</include>
     <include>sAMAccountName</include>
     <include>displayName</include>
     <include>givenName</include>
     <include>sn</include>
     <include>physicalDeliveryOfficeName</include>
     <include>telephoneNumber</include>
     <include>mail</include>
     <include>title</include>
     <include>department</include>
     <include>manager</include>
     <include>mobile</include>
     <include>company</include>
     <exclude></exclude>                
   </attributes>        
  </query>        
  <schedule>            
   <aging>                
    <frequency>0</frequency>                
    <num-objects>0</num-objects>            
   </aging>            
   <schtasks-cmd></schtasks-cmd>        
  </schedule>
  <user-proxy>
  <source-object-class>user</source-object-class>
  <target-object-class>userProxyFull</target-object-class>
  </user-proxy>    
 </configuration>    
 <synchronizer-state>        
  <dirsync-cookie></dirsync-cookie>        
  <status></status>        
  <authoritative-adam-instance></authoritative-adam-instance>        
  <configuration-file-guid></configuration-file-guid>        
  <last-sync-attempt-time></last-sync-attempt-time>        
  <last-sync-success-time></last-sync-success-time>        
  <last-sync-error-time></last-sync-error-time>        
  <last-sync-error-string></last-sync-error-string>        
  <consecutive-sync-failures></consecutive-sync-failures>        
  <user-credentials></user-credentials>        
  <runs-since-last-object-update></runs-since-last-object-update>        
  <runs-since-last-full-sync></runs-since-last-full-sync>    
 </synchronizer-state>
</doc>

When I run the sync command, 

adamsync /sync v0153 "dc=xxxx,dc=co,dc=uk" /log sync1.log

The import runs successfully without any ldap errors,  and will produce the summary output such as

Updating the configuration file DirSync cookie with a new value.



Beginning processing of deferred dn references.

Finished processing of deferred dn references.



Finished (successful) synchronization run.

Number of entries processed via dirSync: 19

Number of entries processed via ldap: 2

Processing took 0 seconds (0, 0).

Number of object additions: 2

Number of object modifications: 17

Number of object deletions: 0

Number of object renames: 2

Number of references processed / dropped: 0, 0

Maximum number of attributes seen on a single object: 12

Maximum number of values retrieved via range syntax: 0



Beginning aging run.

Aging requested every 0 runs. We last aged 2 runs ago.

Saving Configuration File on DC=xxxx,DC=co,DC=uk

Saved configuration file.

But the new user I need is missing from AD LDS instance.    There are no replication issues on the source AD,  and the csvde command proves that the data I need can be found.   I'm using the same ldap filter for both the csvde command and adamsync.

Any suggestions would be very welcome.    The AD LDS instance is running on a Windows 2008 R2 server,  and is importing from a  Windows 2003 domain.

Regards,

John


UPN Suffix Routing not working

Hello,

We have an UPN Suffix routing problem at our customer and I'm not sure we can solve it because of the forest root domain name.

The current situation:

We have a forest root domain called fr.contoso.com which has a two-way forest trust with a newly created domain ad.local.

Within the forest root domain there are two separate domains called ad.contoso.com and ad.fabrikam.com, which have a two-way domain trust to domain ad.local.

Now we are migrating users from ad.contoso.com and ad.fabrikam.com to ad.local. We want to let users log in on the new domain ad.local with their UPN email username, like userid@fabrikam.com and userid@contoso.com.

We've enabled UPN Suffix routing for *.fabrikam.com and *.contoso.com. They were successfully added, enabled and not in conflict status.

From a workstation in ad.contoso.com, we can log in with an ad.local user using the UPN userid@fabrikam.com.

However, we are not able to log in with the UPN userid@contoso.com. Is this because the forest root is called fr.contoso.com and therefore not routing to ad.local?

I hope I described the problem clearly! If not, please let me know!

Error on users changing passwords "mutual authentication failed . the server's password is out of date at the domain controller".

My apologies if this question has already been raised in this forum before: I have migrated users to a domain setup. The DC is running on 2008 server. Everything looked good until the end user passwords started expiring. ALL end users are not able to change the passwords (especially when they have expired). They are getting an error with the message: "mutual authentication failed . the server's password is out of date at the domain controller".

I am forced to change the users' passwords at the domain controller. To say this has been a real challenge will be an understatement. How do I sort out this problem?

 

Access to remote share possible, subfolders denied/invisible

Hi all.
 
We encounter a really strange problem here... And I'd be _really_ glad
for any help.
 
Scenario:
 
Forest A holds all user accounts. In Forest B we have a terminal server
farm (6 servers). A and B share a bidi forest trust. All servers are
2008R2 en-us, fully patched.
 
All of a sudden, on ONE of the terminal servers users cannot access
network resources residing in either A or B anymore. All other servers
work fine.
 
More diagnosis on the affected server: Accessing a share is possible -
doing "dir \\server\share" lists all subdirs on this share. Doing a "dir
\\server\share\subdir" returns - nothing but <SUBDIR>. The "<..>" and
"<.>" are missing.
 
Similar with icacls: \\server\share works and returns all ACL entries.
\\server\share\subdir returns "access denied". This behaviour applies to
all \\servers\shares in both domains, but - as said - only from this one
terminal server.
 
Doing the "dir" thing in "psexec -s cmd" - surprise - works!!!
 
Checking ACLs on the remote server reveals nothing - all ACLs on
"subfolder" are properly inherited from "share". And "share" permissions
are correct, too.
 
Capturing a both side network trace didn't reveal anything useful - this
is the essential part of the dir command, run against \\DC\GPOBackup\GPOs:
 
14:35:18.6694487    142    14:35:18 29.01.2015    5.2643509    cmd.exe
(16172)    TS    DC    SMB2    SMB2:C   QUERY DIRECTORY (0xe),
FID=0xFFFFFFFF00000051, File=gpos
14:35:18.6700278    143    14:35:18 29.01.2015    5.2649300    Idle (0)    DC    TS    SMB2
SMB2:R   QUERY DIRECTORY (0xe)
14:35:18.6708810    144    14:35:18 29.01.2015    5.2657832    cmd.exe
(16172)    TS    DC    SMB2    SMB2:C   QUERY DIRECTORY (0xe),
FID=0xFFFFFFFF00000051, File=gpos
14:35:18.6713223    145    14:35:18 29.01.2015    5.2662245    Idle (0)    DC    TS    SMB2
SMB2:R  - NT Status: System - Warning, Code = (6) STATUS_NO_MORE_FILES
QUERY DIRECTORY (0xe)
 
(The subfolder "GPOs" contains about 50 subfolders with GPO backups, so
"status_no_more_files" is wrong.)
 
Why does the remote server tell that there are no more files? And why
doesn't it do so when being accessed from a different source server? Or
from the erroneous server not as user, but as the server account?
 
In addition: It "looks" a little like ABE kicks in - we see subdirs on
share level, but we cannot access them. But then again, the question is:
Why only from one terminal server and not from the others?
 
We are stuck and short before opening a support call with Microsoft.
 
I'd be glad and thankful for any hint where we can do research and find
the root cause. We had this error two times in the past in different
environments, and reinstalling the affected server did NOT resolve the
issue. We finally decommissioned and created a new machine.
 
And if more information can help, I will provide it :)
 
 

Martin

Want to read a GOOD book about GPOs for once?

NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Is NIC Teaming in Windows Server 2012 R2 supported for Domain Controller ?

Finding out when an AD user account is deleted

All:

Once a user account is deleted from AD, is there any way to query AD and find out what date the account was deleted? 

Thanks in advance.
