Channel: Directory Services forum

event id 10154 - effects?


Hi,

On new server 2008 R2 DCs, we see event ID 10154:


The WinRM service failed to create the following SPNs: WSMAN/testserver.testdomain.xyz; WSMAN/dchostname.

Additional Data
The error received was 8344: %%8344.

The fix is here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/ff42d97f-8c52-4ddc-93a2-6ae79498e3d5/the-winrm-service-failed-to-create-the-following-spns and here: http://www.ceyhunkirmizitas.net/microsoft/windows-server/event-id10154-the-winrm-service-failed-to-create-the-following-spns-wsman/

I know this appears as a warning rather than an error, but would anyone know what exactly is affected as a result of the Network Service account not having the “Validated Write to Service Principal Name” permission? Would not fixing the permissions as per the fixes result in AD operations being affected? This pops up on every 2008 R2 DC.

Thanks very much,

HA


Event ID 36886


Hi,

I'm looking at an environment which is as follows:

1 W2K3R2 DC - DC1 - All FSMO roles here. Has certificate issued by the local Enterprise CA server.

1 W2K8R2 DC - DC2 (This DC was migrated from W2K3R2 to W2K8R2 recently. Same name and IP were kept. has third party SSL cert installed for Mimecast LDAPS).

1 W2K8R2 DC - DC3 (This DC was migrated from W2K3R2 to W2K8R2 recently. Same name and IP were kept. No certificate in the Computer>Personal certificate store.)

There is a local Enterprise CA setup on W2K3R2. Looking at the Enterprise CA, I can see that the old DC3 (when it was W2K3R2) was being issued DC certificates from the CA. There is a certificate enrolment policy defined in GP.

I am seeing event ID 36886 on DC3. (No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.)

As per http://support.microsoft.com/kb/261196, the event 36886 is expected if there is no CA in the domain. In this case, there is a CA and it seems it was issuing certificates to the old DC3.

1) Am I correct in presuming that DC2 is not getting these errors as it has a third party SSL cert installed?

2) Is there any need to request the cert from the domain CA for DC3 or will AD, etc. work correctly, given that this is the only DC that doesn't have a cert? Will clients and servers require me to obtain a certificate for DC3?

3) If I need to request and install a cert, should I create a request using the command line or simply go to mmc>certificates snap in (local computer)>personal and request a certificate? When I do this, I get an option to choose the enrolment policy :Configured by Administrator (Active directory enrolment policy)  or 'Configured by you'. The Active Directory enrolment policy only has the 'Domain Controller' policy available. Clicking on details>properties gives me several options such as friendly name, etc that I can fill in. Is there any need to fill in any details?

Thanks,

HA

DC/DNS settings and slow start up.


Hi,

I have a scenario with 4 DCs. Three of them are DNS servers.

DCA (DNS/DC W2K3R2): 192.168.1.1 (all FSMO Roles here. Also GC).. Primary DNS 192.168.1.1 (itself), Secondary DNS 192.168.1.3

DCB (DNS/DC W2K8R2): 192.168.1.2 (GC). Primary DNS 192.168.1.1, Secondary DNS 192.168.1.2 (itself)

DCC (DNS/DC W2K3R2): 192.168.1.3 (GC). Primary DNS 192.168.1.1, Secondary DNS 192.168.1.3 (itself)

DCD (DC only W2K8R2): 192.168.1.4 (GC): Primary DNS 192.168.1.1, Secondary DNS 192.168.1.3

I have only tried this with DCB:

On DCB, if I keep itself as primary (192.168.1.2) and DCA (192.168.1.1) as secondary DNS and I restart DC2, it takes a long while to come up. After it comes up, if I check the logs, I see several errors:

Event id: 14550 (DFSSvc),

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

Event ID: 129 (Time-service)

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

Event ID: 5719:

This computer was not able to set up a secure session with a domain controller in domain exampledomain due to the following:

There are currently no logon servers available to service the logon request.

This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

Event ID: 1129 (Group Policy):

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

After some time, the errors seem to go away and I will see event id 37 (time service), event 1503 (group policy), etc. My questions are as follows:

1) Is the above behaviour the 'islanding' behaviour described here: http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest

2) Based on the article, for DCB and the other DCs, I should not have them pointing to themselves as primary DNS but as secondary or tertiary DNS. So DCB should point to DCA or DCC for primary DNS and itself as secondary. When I do this, none of the errors above occur. Is this true of the DC that holds all the FSMO roles as well? Should it have DCC (for example) as primary DNS and itself as secondary DNS?

3) All FSMO roles are on DCA. DCA is also a GC. Is this OK given that all DCs are GCs? This is a one-domain environment, and the domain and forest are at Windows 2003 level.

Thanks very much,

HA

ADFS - There are no more endpoints available from the endpoint mapper


I'm attempting to configure Active Directory Federation Services 3.0 on a Windows Server 2012 R2 virtual machine. I am running the AD FS Federation Server Configuration Wizard, but the wizard fails on the step "Configure service settings" with the following error message:

An error occurred during an attempt to perform the configuration task:  There are no more endpoints available from the endpoint mapper

I have turned off the Windows Firewall on the local server. Additionally, I have created a firewall rule on all domain controllers that allows all traffic from the ADFS server. There are no network-based firewalls in between the ADFS server and the domain controllers.

Do you have any suggestions for troubleshooting this issue?

DFS replication service not start due to DCOM 10010 error


My Domain Controller 2012 had an antivirus; I uninstalled it for some reasons. After uninstalling it, the following services on my server did not start:

1. Server service

2. DFS replication service

3. Netlogon service

My observation: I found many antivirus entries still in my Active Directory server's registry. I manually deleted these registry entries.

After deleting these entries and restarting my domain controller, my Active Directory "Server" service starts, but the DFS and Netlogon services do not start automatically. I tried to start them manually and they started successfully. Again I restarted my Domain Controller, but with the same result: DFS and Netlogon did not start automatically. I found my Domain Controller randomly generates the following DCOM error:

The server {84AC6BE7-8CF2-4E67-A80E-32ACD3D7C381} did not register with DCOM within the required timeout

How can I solve the problem? Thanks.


Babu

Move Object between OUs


Hi Folks

I wonder if it is possible to use the Delegate Control Wizard to delegate permission to users to move objects (users) between OUs.

Thanks


Wilsterman Fernandes

Windows Updates Patches Causing issues


I have a concern with patching some of my servers due to the patches potentially breaking or causing issues with my software.

Is anyone aware of issues with the last round of patches from Microsoft on the following software:

1) Genetec 5.2

2) AD 2008 R2.

3) VI Enterprise 4.3


Matt Burgos

Can I take snapshot for only one domain controller in Proof of Concept Environment


I have set up a POC environment which includes ONLY one Windows 2008 R2 domain controller, one Windows 2008 R2 member server and one Windows 7 Pro machine in VMware Workstation for testing. Could I take a snapshot of the domain controller during testing if only one domain controller exists in the domain environment?

Are there any side effects for the domain controller if I take a snapshot?

As far as I know, we can't take a snapshot of any domain controller when there are at least two domain controllers in the domain environment.

Thank you for your kind assistance.


DNS Server Service Event ID 4000


Dear All,

A Windows 2008 R2 additional DC generates this error:

"The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code."  event id 4000

Please help.

Also event ID 1206:

Active Directory Web Services was unable to determine if the computer is a global catalog server.


SUNIL PATEL SYSTEM ADMINISTRATOR

ADFS Forms Authentication not continuing after proper sign in.


I have ADFS deployed and set up and it's working great. It is also connected to Azure.

With Internet Explorer I can sign on via Windows auth. I cannot sign on with Chrome or Firefox with forms. If I set auth to forms only and I use Internet Explorer, it prompts me for login instead of actually using the form.

If I enter an incorrect password it displays an error like normal. However, if I enter my account correctly, it just goes back to the forms page like I just got there. The password is blank and it does not continue. No errors in the event log unless I use a bad password.

This is the same for the test page or normal auth. Not sure what else to check. 

Thank you




ADFS 3.0 Config with Relying Party Trust


To Whom It May Concern,

I have set up a new ADFS 3.0 dev environment and added a relying party trust for a vendor we are working with. The relying party has been configured and the proper claims are provided. However, when we attempt to authenticate, the service provider's software gives an error once I hit sign in on the ADFS page that states:

Controller: saml20
Action: Index
Exception: The property 'SpClaimType' cannot be set to a null value.

Everything looks to be set up correctly, so I can't figure out whether this is an issue caused by our identity provider or by the service provider. Any feedback is greatly appreciated.

there is no trust relationship between this workstation and primary dc


First question:

What is the reason for this message (there is no trust relationship between this workstation and the primary DC)?

I found this happened on a PC which was shut down yesterday and today has the error!! I mean it's not that this computer wasn't powered on for 30 days.

Second question:

I want to solve this centrally from the domain, which means I don't go to this PC locally to rejoin it to the domain. I need a PowerShell command or anything that helps solve it centrally.
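An added example of the centralized repair asked for above (editor's example, not from the post or from Microsoft): it reconnects to the affected PC with a local account, since the machine can no longer authenticate domain logons, and resets its computer-account password in place so no rejoin at the console is needed. The computer and DC names, the local administrator account, and enabled PowerShell remoting on the client are all assumptions.

```powershell
# Added example: repair a domain member's broken secure channel from a management host.
# Assumptions: PowerShell remoting is enabled on the client, you hold a local administrator
# account on it (the built-in Administrator avoids remote UAC token filtering), and you know
# a reachable domain controller. Names below are constructed placeholders.
$Computer = 'BROKEN-PC01'          # constructed client name
$Dc       = 'dc01.example.com'     # constructed domain controller FQDN

# Local credential: enter it as .\Administrator, because domain logons to this PC fail.
$LocalCred  = Get-Credential -Message "Local administrator on $Computer (use .\username)"
# Domain credential allowed to reset the computer account password (e.g. Account Operators).
$DomainCred = Get-Credential -Message 'Domain account for the repair'

$session = New-PSSession -ComputerName $Computer -Credential $LocalCred -Authentication Negotiate
try {
    Invoke-Command -Session $session -ArgumentList $Dc, $DomainCred -ScriptBlock {
        param($Dc, $DomainCred)

        # A healthy channel means the symptom is elsewhere (time skew, DNS); do not reset it.
        if (Test-ComputerSecureChannel -Server $Dc) {
            "$env:COMPUTERNAME: secure channel to $Dc is healthy, nothing to repair"
            return
        }

        # -Repair resets the computer account password on the DC and on this machine in one
        # step, so the computer keeps its SID and group memberships (unlike a rejoin).
        $repaired = Test-ComputerSecureChannel -Repair -Server $Dc -Credential $DomainCred
        $verified = Test-ComputerSecureChannel -Server $Dc
        "$env:COMPUTERNAME: repair returned $repaired; re-test returned $verified"
    }
}
finally {
    Remove-PSSession $session
}
```

If the PC's password was reset on the DC more than once (for example by several admins), the re-test still reports the current state, so keep the output as the record of what was done.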

Restore AD on Windows 2012 R2


Hello There,

I have got a Windows 2012 Server Trial edition running with AD Services and it is a Domain Controller.

This is a VM.

I want to move this AD environment to production on a Windows 2012 R2 licensed server, but I am facing some issues.

I have tried the following.

1 - Installed Windows 2012 R2 and made it an ADC, and transferred all the FSMO roles including Schema & Domain Naming, but the ADC is having replication issues: the Netlogon & Sysvol are not being created.

2 - Installed a fresh Windows 2012 R2 OS on a new VM on a separate network and tried restoring the AD backup from Windows 2012, but it doesn't work because of the version difference.

So none of the above options worked. Please suggest.

Regards,

Maqsood



Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

Active Directory Site Links


Hi All,

Do you have to have a dedicated WAN link between two sites in order to use Site Links in AD SS? Can you just have the two locations with internet access out, have the subnets configured in the routing tables of the router, and configure the site links to have good AD replication?


Francisco Mercado Jr.

ADFS, Unable to login to the app once the relying party trust is created


Hi All

I am trying to create a relying party trust for 3 different applications, which include ACS and PHP. After creating the relying party trust, when I try logging into the applications I get the SSO page, but once I put in the test credentials I get the error as shown below.

-

There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

Reference number: 73a600c8-7d23-45a4-b1b0-e1632219e39f

I have tried many different things for this issue, starting from the claims through to the proxy servers.

Please, someone help me with the resolution.

Regards

Sanjith S


Custom Administrative Template Error 53 Key name specified more than once


Hi All,

Hope I've picked the correct forum. I am making my first foray into setting up a custom administrative template for some software that is developed in house. The current deployment method is to merge a reg file on each computer that requires the registry settings. I am trying to set this up so that it is controlled via GPO.

My idea is that in a GP I can set the registry settings for one or more areas that are controlled by the software.

The problem I have: I get Error 53 "Keyname specified more than once" on line 9 (the second KEYNAME). In total I will have about 30 different sites this needs to be set up for.

Does this mean that I can't set more than one registry key per "Policy" setting in the GPO?

The ADM file I have so far is below.

TIA

Jason

---------------------------------------------CUT---------------------------------------------

CLASS User
CATEGORY "App Site Settings"
	POLICY !!Site1Policy
		EXPLAIN !!Site1Explain
		KEYNAME "Software\ApplicationCompany\Site1\Access"
			VALUENAME "SystemDatabase"
				VALUEON "D:\\App\\Data\\App.mdw"
				VALUEOFF DELETE
		KEYNAME "Software\ApplicationCompany\Site1\Arbitration"
			VALUENAME "ConfigPath"
				VALUEON "D:\\Site1\\Data"
				VALUEOFF DELETE
		KEYNAME "Software\ApplicationCompany\Site1\Common Settings"
			VALUENAME "ConfigFile"
				VALUEON "D:\\App\\Data\\App_Comms.mdb"
				VALUEOFF DELETE
			VALUENAME "SysConfig"
				VALUEON "D:\\Site1\\Data\\SITE1_SYS.mdb"
				VALUEOFF DELETE
	END POLICY
	POLICY !!Site2Policy
		EXPLAIN !!Site2Explain
		KEYNAME "Software\ApplicationCompany\Site2\Access"
			VALUENAME "SystemDatabase"
				VALUE "D:\\App\\Data\\App.mdw"
		KEYNAME "Software\ApplicationCompany\Site2\Arbitration"
			VALUENAME "ConfigPath"
				VALUE "D:\\Site2\\Data"
		KEYNAME "Software\ApplicationCompany\Site2\Common Settings"
			VALUENAME "ConfigFile"
				VALUE "D:\\App\\Data\\App_Comms.mdb"
			VALUENAME "SysConfig"
				VALUE "D:\\Site2\\Data\\Site2_SYS.mdb"
	END POLICY

END CATEGORY

[strings]
Site1Policy = "Site1 settings"
Site1Explain = "Enabling this setting configures the registry settings for dummy Site1."
Site2Policy = "Site2 settings"
Site2Explain = "Enabling this setting configures the registry settings for dummy Site2."

Bulk update 'manager' AD attribute from CSV containing samAccountNames (of user with respective manager)


Hi,

I have a CSV. Contents are below:

______________________________________________

samAccountName,manager
user1SamAccountName,user1Manager_samAccountName
user2SamAccountName,user2Manager_samAccountName
user3SamAccountName,user3Manager_samAccountName

______________________________________________

My objective is to bulk update the 'manager' AD attribute from a CSV containing samAccountNames (of each user with their respective manager).

What would be the PowerShell (Microsoft or Quest) for it?

Thanks,

Faisal
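An added example for the CSV format described above (editor's example, not from the post): it uses the Microsoft ActiveDirectory module, resolves both accounts before writing so a mistyped samAccountName fails loudly instead of targeting the wrong object, defaults to a dry run, and writes a results file as an audit trail. The module, the CSV path and the results path are assumptions.

```powershell
# Added example: bulk-set the 'manager' attribute from a CSV with columns samAccountName,manager.
# Assumptions: RSAT ActiveDirectory module is installed; CSV lives at C:\temp\managers.csv.
Import-Module ActiveDirectory

$CsvPath = 'C:\temp\managers.csv'   # assumed path
$WhatIf  = $true                    # dry run first; set to $false to apply the changes

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $sam    = $row.samAccountName.Trim()
    $mgr    = $row.manager.Trim()
    $status = 'Updated'
    try {
        # Resolve both sides up front: Get-ADUser -Identity accepts a samAccountName and
        # throws (with -ErrorAction Stop) when the account does not exist.
        $user    = Get-ADUser -Identity $sam -Properties manager -ErrorAction Stop
        $manager = Get-ADUser -Identity $mgr -ErrorAction Stop

        if ($user.DistinguishedName -eq $manager.DistinguishedName) {
            $status = 'Skipped: user listed as their own manager'
        }
        elseif ($user.manager -eq $manager.DistinguishedName) {
            $status = 'Skipped: already set'
        }
        else {
            # -Manager takes an ADUser object; AD stores the attribute as the manager's DN.
            Set-ADUser -Identity $user -Manager $manager -WhatIf:$WhatIf -ErrorAction Stop
            if ($WhatIf) { $status = 'WhatIf: would update' }
        }
    }
    catch {
        $status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ User = $sam; Manager = $mgr; Status = $status }
}

$results | Format-Table -AutoSize
# Keep a record of what was (or would be) changed next to the input file.
$results | Export-Csv -Path "$CsvPath.results.csv" -NoTypeInformation
```

With the Quest cmdlets the write step becomes `Set-QADUser -Identity $sam -Manager $mgr`; the lookups and the dry-run pattern stay the same.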

Folder creation and Permission across domains

Hello Everyone,

We have 2 different forest root domains:
Domain 1 and Domain 2.

I want a folder to be created in Domain 2, assign permissions to the folder, and add users from both Domain 1 and Domain 2.

I created a Domain Local group in Domain 2, added it to the folder and set permissions. I created one Domain Global group in Domain 2 and added users. I created another Domain Global group in Domain 1 and added the users.

Now I want to add both Domain Global groups to the Domain Local group to give access to the folder to the members of both domains.

Somehow I am not able to add the Domain Global group of Domain 2 to the Domain Local group of Domain 2.

I think the DLG group should be accessible through different domains.

Please suggest.

Thanks in Advance.

Secondary Domain Controller Not Authenticating Domain Users


Hi.

I have a primary domain controller running Win Srv 2012 in the USA and I added a secondary domain controller (2012) in the same domain from a different location, India, through VPN, so that India user accounts can authenticate with the secondary DC instead of the primary DC in the USA.

Installation & replication of AD went fine.

India domain users' login is damn slow.

When I ran the command echo %logonserver% from an India client machine, it displays the USA primary DC name, which means it is authenticating the users from the USA primary DC.

The preferred DNS for the India client machine is the secondary DC IP and the alternate is the primary DC IP in the USA.

Please find the dcdiag results below; any help is much appreciated.

Performing initial setup:
   Trying to find home server...
   Home Server = server2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: INDIA\server2
      Starting test: Connectivity
         ......................... server2 passed test Connectivity

Doing primary tests

   Testing server: INDIA\server2
      Starting test: Advertising
   Warning: DsGetDcName returned information for \\server1.tst.mycompany.com, when we were trying to reach
   server2.
   SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... server2 failed test Advertising
      Starting test: FrsEvent
         ......................... server2 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after th
         replication problems may cause Group Policy problems.
         ......................... server2 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... server2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... server2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... server2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... server2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... server2 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\server2\netlogon)
         [server2] An net use or LsaPolicy operation failed with error 67,
         ......................... server2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... server2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... server2 passed test Replications
      Starting test: RidManager
         ......................... server2 passed test RidManager
      Starting test: Services
         ......................... server2 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0xA004001B
            Time Generated: 02/22/2015   17:10:30
            Event String: Intel(R) 82574L Gigabit Network Connection
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 02/22/2015   17:11:24
            Event String: The WinRM service is not listening for WS-Manageme
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 02/22/2015   17:11:24
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not regist
         A warning event occurred.  EventID: 0xA004001B
            Time Generated: 02/22/2015   17:12:41
            Event String: Intel(R) 82574L Gigabit Network Connection
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 02/22/2015   17:19:36
            Event String:
            Name resolution for the name mycompany.com timed out after none
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 02/22/2015   17:28:54
            Event String:
            Microsoft Windows Server has detected that NTLM authentication i
his server. This event occurs once per boot of the server on the first time
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 02/22/2015   17:33:35
            Event String: The WinRM service is not listening for WS-Manageme
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 02/22/2015   17:35:54
            Event String:
            Microsoft Windows Server has detected that NTLM authentication i
his server. This event occurs once per boot of the server on the first time
         ......................... server2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... server2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValida

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValida

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidat

   Running partition tests on : tst
      Starting test: CheckSDRefDom
         ......................... tst passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... tst passed test CrossRefValidation

   Running enterprise tests on : tst.mycompany.com
      Starting test: LocatorCheck
         ......................... tst.mycompany.com passed test LocatorChec
      Starting test: Intersite
         ......................... tst.mycompany.com passed test Intersite

Where is the Group Policy Tab gone.


I have read this in a reference book:

To create and enable a roaming profile for a specific user, follow these steps:

1. On the domain controller, start Active Directory Users and Computers. (Choose Start➪Control Panel➪Administrative Tools➪ Active Directory Users and Computers.)
2. In the console tree, right-click the domain or organizational unit for which you want to set a policy and choose Properties.
3. Click the Group Policy tab.

But I can't see the Group Policy tab.


Luai