Channel: Directory Services forum
Viewing all 31638 articles

The administrative limit for this request was exceeded.


Hi,

I am getting the below error while adding a machine to the domain

C:\>netdom join W2K12R2-DC-161  /domain:winvm.com /userd:Administrator /passwordd:cvm@123 /REBOOT 

The administrative limit for this request was exceeded.

The command failed to complete successfully.

Even trying to delete some entries from the registry gives the below error

---------------------------
ADSIEdit
---------------------------
Operation failed. Error code: 0x2024
The administrative limit for this request was exceeded.


00002024: SvcErr: DSID-0215030C, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1069

---------------------------
OK   
---------------------------

Please help me urgently

I have searched the below links but could not get the correct workaround steps

https://social.technet.microsoft.com/Forums/windowsserver/en-US/83087f21-ba51-414d-9202-badea56ba83b/administrative-limit-was-exceeded

https://social.technet.microsoft.com/Forums/en-US/fea67c92-8dab-4711-8579-baaee4bca3f7/the-administrative-limit-for-this-request-was-exceeded?forum=identitylifecyclemanager


Nilesh Savant



Add new Windows Server 2012 R2 Domain Controllers to a Windows 2008 level domain


Hi,

In my research on this I haven't found anything saying I can't do this but I thought I'd be safe and ask the question.

I currently have a Windows Server 2008 domain running at the Windows Server 2008 level (domain and forest).  I've got three domain controllers - one physical and two virtual.

I'd like to start moving the two virtual domain controllers to Windows Server 2012 R2 so that I can eventually move the entire domain to the Windows Server 2012 R2 level.  The plan is to set up two new virtual Windows Server 2012 R2 domain controllers and then remove the two Windows Server 2008 domain controllers.

So my question is, is it safe to add the two new Windows Server 2012 R2 domain controllers to my Windows Server 2008 level domain?  I know the domain will still be at the Windows Server 2008 level until I remove the last Windows Server 2008 domain controller, but will I have any problems with having one domain controller running Windows Server 2008 and the other two running Windows Server 2012 R2 while I'm waiting to upgrade the last Windows Server 2008 domain controller?

Thanks in advance.

Nick

Kerberos and real name


Hi,

I'm trying to set up Kerberos SSO authentication for the CIFS connector of an Alfresco instance running on a Linux server.

This usually works fine, but I'm facing a strange issue for a specific deployment in a 2008R2 domain (No SPNEGO response, Kerberos logon failed).

After analysis and network capture, I saw that there is a mix of lower/upper case in the domain name which may cause the issue.

The domain name is MYDOMAIN.loc

What I see in the network capture:

- client is requesting TGS from DC with

       realm: MYDOMAIN.LOC and

       KerberosString (from ticket.sname.name-string): cifs

       KerberosString (from ticket.sname.name-string): alfrescoserver.MYDOMAIN.loc

- client receives TGS from DC with the same parameters

- Ticket is refused by the alfresco server

      I think that its configured realm MYDOMAIN.LOC does not match the Kerberos string

When trying to configure MYDOMAIN.loc on the alfrescoserver, the server fails to obtain TGT as

the AS response contains again a mix of MYDOMAIN.LOC (realm name) and MYDOMAIN.loc (from ticket.sname.name-string)

I'll try to reproduce this in another new fresh domain.

Does this make sense to you?

Should I change the domain/realm name from MYDOMAIN.loc to MYDOMAIN.LOC?

How do I do that?

Thanks,

Vincent

The Kerberos client received a KRB_AP_ERR_MODIFIED error


Hi,

Since one night I have been receiving the following error message on all member servers in a branch office in one particular subnet.
Other member servers in a different subnet are not getting these errors. Before that, those member servers (new setup)
worked fine for about 2-3 months:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          09.10.2013 02:47:27
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc01$.
The target name used was cifs/dc01.local. This indicates that the target server
failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN)
is registered on an account other than the account the target service is using. Please ensure that the target SPN
is registered on, and only registered on, the account used by the server. This error can also happen when the target
ervice is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC)
has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password.
If the server name is not fully qualified, and the target domain (domain.local) is different from the client domain (domain.local),
check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

These servers have no routing to the local domain controllers; instead they contact the DCs at the main office. So the
KRB_AP_ERR_MODIFIED error is coming from both DCs at the main office, not specific to one PC.

Effects that I have:
- no logon with RDP possible (wrong username or password)
- Services which rely on Kerberos auth have problems

So when I reboot the server, in most cases it's working again for some time. I also found out that when deleting the cached
Kerberos tickets with kerbtray it's working.

Any ideas what could cause the problem? As mentioned, it happened for all member servers in this subnet starting in the
same night. As always, nothing was changed ;)

BR,
Marco


List of all rights and privileges assigned to Domain Admins


We run Active Directory at a Windows 2008r2 functional level with all 2008r2 DCs. We have an inordinate number of domain admins right now and we're beginning a process of reducing that number. As the AD sys admin, I've been tasked with delineating all of the rights and privileges that come with being a domain admin (member of the Domain Admins security group). This approach makes sense from a management perspective, since we can take this list of rights to people who have dom admin rights but who are not as familiar with Active Directory and ask them line by line "Do you need this?" The goal being that when they say "no" to any item on the list, we can use that as leverage to revoke Dom Admin rights and create more appropriately delegated security groups. 

Here's the rub. Pretty much everything I have ever read on AD just gives me some version of "Domain Admins can do everything" without quantifying what "everything" includes.

At the least, I need a list of things in the environment they have access to. Here's what I can think of off the top of my head:
Local admin on all domain-joined computers (includes its own list of rights)
Admin access to all file shares on the network
Remote Desktop access to all domain-joined computers
Active Directory Users and Computers
AD Sites and Services
AD Domains and Trusts
DHCP administration
DNS administration
Group Policy
DFS administration
Event Logs on all domain-joined computers

Things a dom admin can't do:
Update the Schema (Schema Admins)
Any administration on other domains in the forest (Enterprise Admins)

What else would go on this list? Or where can I find this information in a concise format suitable to this task? If I can't get this broken down into a simple list, then I'm pretty much left with handing my boss a 500 page textbook on AD Administration and saying "This is what Dom Admins can do" - which doesn't help us accomplish our goal.

Automatically generated site connectors in Active Directory all default to the same site


Greetings,

I have a Single Forest/Single Domain configured with 17 sites. We are currently in 2003 native mode, but are upgrading to 2012R2. The schema has been upgraded and 3 sites have been moved to 2012R2 domain controllers.

Each site has one domain controller, most are 2003 but the FSMO roles are on a Windows 2008R2 domain controller in Site1.

Our network is a mesh, but many sites have different bandwidth speeds. In this case, Site3 has a 6mb connection to the network.

When I upgraded site3, I couldn't add the renamed replacement server to the domain. The demotion proceeded properly and the objects were removed from sites and services. I found I had problems with duplicate SPNs which were solved by removing the old and new servers from AD. I still had problems with the new server and found that replication was now broken. We traced it down to corrupt automatically generated site connectors that all still pointed to the now missing site3 domain controller. I was able to set up manual replication connectors and then regenerate the automatic connectors, which now pointed to the (in my opinion) proper servers. I only have one manually created site connector to a minor site that is not part of the mesh.

This behavior was noticed back in late 2012 when another replication problem occurred during maintenance and was fixed.

This morning I was working on Site4 when I noticed that all the automatically generated site connectors switched back to the new Site3 domain controller.

Can anyone help me determine why the system seems to prefer site3 as a hub? Is there some setting stuck or configured that would make site3 preferential? I want to avoid more down time if site3 has a problem.

Thanks

Derek


Trust Verification Status = 1311 0x51f ERROR_NO_LOGON_SERVERS


Hi All,

We are having intermittent disconnection of the forest trust, and when I run the following command I found this

nltest /sc_verify:external.com

Flags: 80
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
Trust Verification Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

We have 5 DCs and only one causes this issue.

As

Error Join Domain


Hi All,

I have a problem at one of our customers: I have a Windows 2008 R2 server that cannot join the domain, and I get the error "The Network Path was not Found"

and when I try to join the domain using PowerShell, I get this error

 

Does anyone have the same problem as me? Kindly share if you have the same problem.

thanks all :)


Windows Server Not Updating Dynamic DNS Records in Active Directory


A few weeks ago I enabled DNS scavenging on our DNS servers to clean out stale A records. That same afternoon we found that most of our Windows servers lost their dynamic host records and we spent that evening running IPCONFIG /Registerdns and fending off calls asking "What happened?"

Three weeks later our systems are back to normal BUT I see that about 1/3 of our servers again have old DNS timestamps, some dating back to when we forced DNS re-registration.  I assume that enabling DNS scavenging again would result in another sleepless night.

My understanding is that NETLOGON is responsible for keeping dynamic DNS records current and runs every 24 hrs. Some documentation discusses the Registry subkey 'DefaultRegistrationRefreshInterval' but none of my servers (either good or bad) have this key.  How can I troubleshoot this issue?

See here

All thoughts and direction would be greatly appreciated.


User account lockout


Hi,

So, I have a windows server 2003 DC which has been working fine for a while. Recently, I've been seeing a user who is repeatedly locked out and it appears to happen when he first logs in in the morning and sometimes throughout the day for no apparent reason.

I installed and ran the lockout monitor from Microsoft but it hasn't been very helpful. This is the only thing I've noticed in the NetLog:

02/04 09:01:20 C1: NO_CLIENT_SITE: MPC 10.1.1.25
02/04 09:01:20 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:20 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:22 C1: NO_CLIENT_SITE: MPC 10.1.1.25
02/04 09:01:22 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:22 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:22 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:23 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:23 C1: NO_CLIENT_SITE: MPC 10.1.1.31
02/04 09:01:23 C1: NO_CLIENT_SITE: MPC 10.1.1.31

When it last locked out, the Lockout tool had the Bad Pwd Count at "50".  So far, I've tried the following without any luck.

-Deleted and re-created the user account with the same username (in case of a corrupted UID)
-Gave him a new laptop (the problem followed)
-The IP address associated in the log matches his new laptop
-Checked and verified that there are no windows passwords currently in his credentials manager.

Not sure what else I can do, other than possibly creating him a new account with a different username.

Any ideas?? This is driving me insane!


New DCs not replicating: KCC error Event ID 1014, 1663 and 1435


Hi *.*,

Even though I have been working with AD for some years, I have now one of the weirdest errors I have ever faced. To point it out quickly, AD features:

  • 1 forest, 4 domains.
  • 44 DCs, most of them running Windows Server 2003 SP2. About 2 DCs running Windows Server 2008 R2.
  • Functional Level: Windows Server 2003
  • All of them working correctly, according to dcdiag.exe
  • Database file integrity and semantic analysis are OK

However, as soon as we add a new DC to any domain of the forest, problems begin:

  1. Primary replication works perfectly and the DC receives all the data.
  2. After promoting, the computer restarts and I get three KCC warnings in the event log.
  3. No more replication happens after promotion, as there are no replication partners; the Domain Controller is not functional at this point. Some replication works if I add the partners manually, but the KCC errors persist.

The following errors can be seen in the Event Viewer, all three of them every 15 minutes:

================== Event ID 1014
The Knowledge Consistency Checker (KCC) failed to update the replication topology for the local directory service. The KCC will attempt to update the replication topology at the following scheduled interval.

KCC update interval:
900

By default, updates occur every 15 minutes.

User Action
If this continues to occur, restart the directory service.

Additional Data
Error value:
8409 A database error has occurred.
Internal ID:
f0700cb

================== Event ID 1663
The Knowledge Consistency Checker (KCC) did not initialize its configuration cache.

This operation will be tried again later.

User Action
If this condition continues, restart the directory service.

Additional Data
Internal ID:
f1000d2

================== Event ID 1435
The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory Domain Services operation.

Operation type:
KccSearch
Object distinguished name:
CN=Partitions,CN=Configuration,DC=domain,DC=com

The operation will be retried at the next KCC interval.

Additional Data
Error value:
1 0000206F: AtrErr: DSID-031200EB, #1:
	0: 0000206F: DSID-031200EB, problem 1003 (UNDEFINED_ATT_TYPE), data 0, Att 907af (Not in cache!)

Internal ID:
f030308

Any idea or advice are very welcome :)


AD Federated Accounts: How to limit and control access?


We currently create accounts on our domain when external users from other domains need access to multiple resources such as SharePoint and VPN access.  The users have to log on using an account from our domain and maintain the password.

One of the reasons we have this is so we have control on the number of accounts and can control which groups the user is a member of.

We do not want to set up domain trusts, so we would like to set up AD Federation with our business partners' domains so that users of those domains can access the resources on our domain using their existing domain user accounts instead of needing us to create accounts on our domain for them.

However, with Federation, how do you restrict the total number of users or even restrict access by specific user and add to groups?  We would not want any user from any domain we set up federation with to have access to exactly the same items as every other user from their domain.  We also do not want an unlimited number of AD Federation users to sign into our resources.

User access to Exchange email Only


I have a requirement to create user accounts in AD and to set up these users with an Exchange email account which will only be accessible through the web OWA (users are using their own personal PCs or smart phones to access from outside our domain).  However, these users need to be blocked from accessing any other domain resources such as network files/folders/etc. if they ever got the chance to hack/access our secure network.

To simplify my life as an admin, since I have over 350 of these users, I have created an AD OU to separate these objects.  Is there any way to allow the OU access to only email, specifically the OWA, and nothing else?

Would it be better to add these users to a group and limit access for that group?

Thanks.  Russ

Rjobe

Transfer FSMO roles before replacing DC


Good morning,

I'm getting ready to replace one of our two domain controllers in my environment.  I've already replaced one of them and now I'm getting ready to replace the other.  The one that I'm getting ready to replace holds all 5 FSMO roles.  My question is what is the process I need to follow before replacing my master domain controller?  I know I need to transfer all 5 FSMO roles to the other DC, but is there anything else I should be aware of or do prior to replacement?  Thanks in advance

Any tips on creating managed service accounts with old service accounts rights?


We have a large farm of Windows 2012\2012 R2 boxes that I would like to migrate to group managed service accounts - the majority of boxes are SQL servers, IIS and application servers.

I thought this would have been an easy project but now I realize this is pretty involved since I would have to work closely with DBAs and app owners on creating the new gMSA accounts and making sure they are permissioned correctly before doing the switch.

Is there a tool or perhaps a PowerShell script that can enumerate all the rights the current service accounts have so I know how to set up the permissions on the new gMSA accounts?

I know this might be a silly question but can the current service accounts be converted to gMSAs? 


DNS Entries listed and renewed in Default-First-Site for Servers which belong to another site


Hey there,

I found several topics similar to mine, but no solution for my issue, so here is my post...

We created a new domain with 4 DCs (+gc, +DNS)

We created two new sites and left the default site untouched.

Now we find that the two servers, which at installation time were part of the default-first-site but today are members of another site, are recreated in the default-first-site?!?!
So we have those two servers listed in the correct site, and in addition in the default-first.....

If we delete the entries they are recreated.....

The entries listed in the netlogon.dns on these servers are correct.

There are no subnets assigned to the default-site ....

Any ideas, hints, insights?!

DNS: Forward Lookup Domain with Just the MX Record


Our Active Directory domain is olddomain.com. I have a Forward Lookup Zone for olddomain.com with CNAME, MX, and many A records. The MX record points to an internal mail server.

We just acquired newdomain.com.
newdomain.com is resolving to external DNS and it works. However, I need to route the internal mail flow of newdomain.com to our internal mail server and not have it pass out to the internet before coming back in.
I would like to add JUST the mx record for newdomain.com to DNS. All other lookups (newdomain.com,  subdomains.newdomain.com, etc) should work exactly as they do now.

I have had two thoughts how to do this, but need advice:

  • Can I have all newdomain.com DNS lookups point to an external DNS, except for the one MX record?
  • Can I have all newdomain.com resolve to olddomain.com IPs (including subdomains), except for the newdomain.com MX?

I tried adding a new Forward Lookup Zone for newdomain.com with just the SOA, two NS, and the MX record. This broke resolution for http://newdomain.com and http://www.newdomain.com until I added two A records. I do not want to be manually adding records for all of our newdomain.com subdomains.

What do you recommend?
Thank you in advance!


Multiple A record for single ip address in DNS


We have a W2k8R2 domain, and Windows 7 clients. For all of our Intranet websites we have CNAME records in DNS.

Now users would like to connect to our intranet with their mobile devices (phone, iPad).

We installed a PKI environment, and use Mobile Iron to manage the mobile devices.

We also need to enable Kerberos (negotiate) on the websites. And here the trouble starts with IIS 7: KRB_AP_ERR_Modified error. I've read a lot of articles about this error and Kerberos authentication with IIS.

One of the solutions I read, is to create an A record for the website. I did it for testing purposes, and it seems to work.. sometimes..

http://blog.michelbarneveld.nl/michel/archive/2009/11/14/the-reason-why-kb911149-and-kb908209-are-not-the-soluton.aspx

But I don't like it. Pinging the IP address would resolve the server name, but sometimes the website.

So what is my question?

Is there a situation where you would ever use 2 A records for the same IP address? I can't think of one, but I'm not a DNS guru.

Thanks

Event ID for Password Change


Hi

thanks in advance

I have a task to find out the event ID for password change

I am using a domain account; when I change my account password by doing Alt+Ctrl+Del (change password),

what event ID will be generated on the DC?

Also, when I do a password change from web portals like OWA,

on which DC will the event be found? (I have 24 DCs across the world)

Regards

Rajesh


Rajesh Nagapuri

How do I handle a Partial Power Down of a Multi Site Active Directory Infrastructure


Hello,

We have an impending power down and I'd like some guidance on how it will affect Active Directory.

  • We have three sites (Site A, Site B and Site C)
  • We have connectivity from Site A to Site B
  • We have connectivity from Site A to Site C
  • We have no connectivity from Site B to Site C


We have one root forest domain contoso.com

We have two DCs at each site

All the FSMO roles are on the DCs at Site A

Site A needs to be powered down for 12 hours

  • What steps, if any, do you suggest I take?

  • Can I keep the DCs on at Site B and Site C to maintain local services?

  • When connectivity is restored will everything be ok with Active Directory? Will any changes successfully replicate?

