Channel: Directory Services forum
Viewing all 31638 articles

Using dirsync is it possible to get the child domain changes from the global catalog in Active Directory


I am using the dirsync approach to get the change log in Active Directory. I am able to get the changes from a specific domain controller. I tried getting the child domain changes by searching against the Global Catalog, which is the parent domain.

I used an LDAP identifier (https://msdn.microsoft.com/en-us/library/bb534936(v=vs.110).aspx) with port 3268, which is the port mentioned for the Global Catalog in the following link:

https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

I used the LDAP Identifier to create the LDAP connection to the global catalog.

I tried things mentioned in the following link for dirsync -http://blogs.technet.com/b/isrpfeplat/archive/2010/09/20/using-the-dirsync-control.aspx

But this is not getting any records from the child domain.

Is there a way to get the child domain changes as well by hitting the global catalog?
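
An added example of the DirSync control with cookie handling, written in PowerShell against System.DirectoryServices.Protocols (the API the linked MSDN page covers). It is not code from the post: the DC name, naming context and cookie path are assumptions. It polls one domain naming context from a DC of that domain on port 389, which works independently of what the global catalog returns, and it sets the ObjectSecurity option so the polling account needs only read permission on the objects it sees rather than the Replicating Directory Changes right.

```powershell
# Added example (not from the post): incremental DirSync poll of one domain naming context.
# Assumed names: dc01.child.example.com, DC=child,DC=example,DC=com, cookie file under ProgramData.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Server     = 'dc01.child.example.com'           # a DC of the domain being polled (assumption)
$NamingCtx  = 'DC=child,DC=example,DC=com'       # root of that domain's naming context (assumption)
$CookieFile = "$env:ProgramData\dirsync-child.cookie"

$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
$ldap  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$ldap.SessionOptions.ProtocolVersion = 3
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos for the current account
$ldap.SessionOptions.Signing = $true                                         # integrity + privacy on 389
$ldap.SessionOptions.Sealing = $true
$ldap.Bind()

# Resume from the saved cookie; a null cookie means "full initial sync" (every object is returned once)
$cookie = if (Test-Path $CookieFile) { [IO.File]::ReadAllBytes($CookieFile) } else { $null }

do {
    $attrs = [string[]]@('objectClass', 'sAMAccountName', 'userAccountControl', 'isDeleted')
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $NamingCtx, '(objectClass=*)', 'Subtree', $attrs)

    # ObjectSecurity: the server filters the result to what the bind account can read,
    # so the account does not need DS-Replication-Get-Changes (the right DCSync tooling abuses)
    $ctl = New-Object System.DirectoryServices.Protocols.DirSyncRequestControl(
        $cookie,
        [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::ObjectSecurity,
        [int]::MaxValue)
    $req.Controls.Add($ctl) | Out-Null

    $resp = $ldap.SendRequest($req)
    foreach ($e in $resp.Entries) {
        # Only attributes that changed since the cookie are present on each entry
        $changed = ($e.Attributes.AttributeNames | Sort-Object) -join ','
        '{0}  changed: {1}' -f $e.DistinguishedName, $changed
    }

    $dsr = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
    $cookie = $dsr.Cookie
} while ($dsr.MoreData)   # the server pages large result sets; keep going until it says it is done

[IO.File]::WriteAllBytes($CookieFile, $cookie)   # persist so the next run only gets the delta
```

Run it once per domain (parent and each child) with a separate cookie file per naming context. Without the ObjectSecurity option the bind account needs DS-Replication-Get-Changes on the naming context; if you grant that, give it to a dedicated account and alert on its use, because it is the same right a DCSync attack relies on.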



Sysvol rebuild on a single domain controller


Hello there

Platform: Server 2008 R2 single Domain controller

A client's server (as above) lost power with an unexpected shutdown over the weekend and they couldn't log on to the domain. However, they can browse the network and open shares on the server. Connections to Active Directory failed and DCDIAG reported failure to connect to the Global Catalogue server, along with other failures. The event logs show the following:

File Replication Service

Event ID 13561 Jrnl_wrap_error

Event ID  13566 declares FRS is scanning the volume but it cannot become a domain controller until finished... which it never does.

Directory Services
Event ID 1355 The Specified domain either does not exist or could not be contacted.

Finally, running net share reveals that the SysVol and Netlogon shares are not available.

First of all I looked at the common JRNL fix of changing the DWORD Enable Journal Wrap Automatic Restore to 1. But it was already set to 1, when it should have been 0. So I am not sure what that means. I tried changing it back with FRS service restarts, but to no avail.

I have seen numerous entries about recovering the sysvol, but most involve pulling copies from other DCs, of which there are none. I do have a valid Windows backup with System State and Sysvol, which I feel I may be heading towards with this. So are there any other paths I should be looking at, or is a restore from backup the only option?

Many thanks in advance


MIS5000
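
Before changing anything on a lone DC it helps to capture the FRS state in one place. The following is an added example, not from the post: a read-only PowerShell snapshot of the registry values, shares and FRS events the post mentions. It changes nothing on the server; the only assumption is that it runs locally on the 2008 R2 DC.

```powershell
# Added example (not from the post): read-only snapshot of FRS / SYSVOL state on a single DC.
$frsKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$hklm   = [Microsoft.Win32.Registry]::LocalMachine

# The PowerShell registry provider trips over the "/" in "Backup/Restore", so read via .NET
$params = $hklm.OpenSubKey($frsKey)
$burKey = $hklm.OpenSubKey("$frsKey\Backup/Restore\Process at Startup")
$autoFix  = if ($params) { $params.GetValue('Enable Journal Wrap Automatic Restore') } else { $null }
$burFlags = if ($burKey) { '0x{0:X}' -f $burKey.GetValue('BurFlags', 0) } else { $null }   # D2 = non-auth, D4 = auth

# The shares dcdiag's NetLogons / SysVolCheck tests look for
$shares = Get-WmiObject Win32_Share |
    Where-Object { 'SYSVOL', 'NETLOGON' -contains $_.Name } |
    ForEach-Object { $_.Name }

# Recent journal-wrap related FRS events: 13568 = journal wrap, 13566 = scanning,
# 13516 = FRS no longer blocking DC role (the event you want to see after recovery)
$frsEvents = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13561, 13566, 13568, 13516 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

New-Object PSObject -Property @{
    NtFrsService           = (Get-Service NtFrs).Status
    JournalWrapAutoRestore = $autoFix
    BurFlags               = $burFlags
    SharesPresent          = ($shares -join ',')
    SysvolFolderExists     = Test-Path "$env:SystemRoot\SYSVOL\sysvol"
} | Format-List
$frsEvents | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: a journal-wrap automatic restore is a non-authoritative restore, and on a DC with no replication partner there is nobody to pull SYSVOL from, so FRS can never finish; and whatever recovery path is chosen (restore from the System State backup, or the BurFlags authoritative restore Microsoft documents for a lone DC), take a fresh System State backup first.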

Domain Controller failed dcdiag test

Performing initial setup:
   Trying to find home server...
   Home Server = server2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: INDIA\server2
      Starting test: Connectivity
         ......................... server2 passed test Connectivity

Doing primary tests

   Testing server: INDIA\server2
      Starting test: Advertising
   Warning: DsGetDcName returned information for \\server1.tst.mycompany.com, when we were trying to reach
   server2.
   SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... server2 failed test Advertising
      Starting test: FrsEvent
         ......................... server2 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after th
         replication problems may cause Group Policy problems.
         ......................... server2 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... server2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... server2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... server2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... server2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... server2 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\server2\netlogon)
         [server2] An net use or LsaPolicy operation failed with error 67,
         ......................... server2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... server2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... server2 passed test Replications
      Starting test: RidManager
         ......................... server2 passed test RidManager
      Starting test: Services
         ......................... server2 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0xA004001B
            Time Generated: 02/22/2015   17:10:30
            Event String: Intel(R) 82574L Gigabit Network Connection
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 02/22/2015   17:11:24
            Event String: The WinRM service is not listening for WS-Manageme
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 02/22/2015   17:11:24
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not regist
         A warning event occurred.  EventID: 0xA004001B
            Time Generated: 02/22/2015   17:12:41
            Event String: Intel(R) 82574L Gigabit Network Connection
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 02/22/2015   17:19:36
            Event String:
            Name resolution for the name mycompany.com timed out after none
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 02/22/2015   17:28:54
            Event String:
            Microsoft Windows Server has detected that NTLM authentication i
his server. This event occurs once per boot of the server on the first time
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 02/22/2015   17:33:35
            Event String: The WinRM service is not listening for WS-Manageme
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 02/22/2015   17:35:54
            Event String:
            Microsoft Windows Server has detected that NTLM authentication i
his server. This event occurs once per boot of the server on the first time
         ......................... server2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... server2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValida

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValida

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidat

   Running partition tests on : tst
      Starting test: CheckSDRefDom
         ......................... tst passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... tst passed test CrossRefValidation

   Running enterprise tests on : tst.mycompany.com
      Starting test: LocatorCheck
         ......................... tst.mycompany.com passed test LocatorChec
      Starting test: Intersite
         ......................... tst.mycompany.com passed test Intersite

List all attributeID-s via Powershell


Hi,

In my research to an Exchange issue I came across a very useful cmdlet which allowed me to list all AD attributes which are enabled to be resolved by ANR in Outlook.

The cmdlet:
Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext)  -SearchScope OneLevel -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=4)" -Property objectClass, name, whenChanged,  whenCreated, LDAPDisplayName

I have some trouble understanding the searchFlags. Unless you specify the number you cannot do the search, but how do you find which number is what?

I found in Adsiedit that the number is an attributeID parameter which is listed under schema objects.
e.g. ACS-Max-Peak-Bandwidth is  1.2.840.113556.1.4.767.

Is there a way I can get a list of all objects that have this parameter set?

Regards,

Szabolcs
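
Two different OIDs are at play in that filter: 1.2.840.113556.1.4.803 is an LDAP matching rule (bitwise AND, "all of these bits are set"), not an attributeID, and the 4 on the right is the ANR bit of searchFlags. The block below is an added example, not from the post, that decodes every searchFlags bit by name so the magic numbers are not needed; it also lists confidential attributes, which is the searchFlags bit a security reviewer most often needs to know about.

```powershell
# Added example (not from the post): decode searchFlags on schema attributes.
Import-Module ActiveDirectory
$BIT_AND = '1.2.840.113556.1.4.803'   # matching rule: all listed bits set (1.2.840.113556.1.4.804 = any bit)

# searchFlags bit values as documented in the AD schema reference
$SearchFlagBits = @(
    @{ Bit = 1;    Name = 'ATTINDEX' },             # attribute is indexed
    @{ Bit = 2;    Name = 'PDNTATTINDEX' },         # indexed per container
    @{ Bit = 4;    Name = 'ANR' },                  # Ambiguous Name Resolution (the post's query)
    @{ Bit = 8;    Name = 'PRESERVEONDELETE' },     # value kept on the tombstone
    @{ Bit = 16;   Name = 'COPY' },                 # copied when an object is duplicated in the UI
    @{ Bit = 32;   Name = 'TUPLEINDEX' },
    @{ Bit = 64;   Name = 'SUBTREEATTINDEX' },      # VLV index
    @{ Bit = 128;  Name = 'CONFIDENTIAL' },         # needs CONTROL_ACCESS, not just Read (e.g. LAPS password)
    @{ Bit = 256;  Name = 'NEVERVALUEAUDIT' },
    @{ Bit = 512;  Name = 'RODCFILTERED' },         # withheld from RODCs
    @{ Bit = 1024; Name = 'EXTENDEDLINKTRACKING' },
    @{ Bit = 2048; Name = 'BASEONLY' },
    @{ Bit = 4096; Name = 'PARTITIONSECRET' }
)

function ConvertFrom-SearchFlags([int]$Flags) {
    $SearchFlagBits | Where-Object { ($Flags -band $_.Bit) -ne 0 } | ForEach-Object { $_.Name }
}

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaAttribute([string]$Filter = '(objectClass=attributeSchema)') {
    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel -LDAPFilter $Filter `
        -Properties lDAPDisplayName, attributeID, searchFlags |
    Select-Object lDAPDisplayName, attributeID, searchFlags,
        @{ n = 'Flags'; e = { (ConvertFrom-SearchFlags ([int]$_.searchFlags)) -join ',' } }
}

# The post's query, restricted to attributes: bit 4 (ANR) set
Get-SchemaAttribute "(&(objectClass=attributeSchema)(searchFlags:${BIT_AND}:=4))" | Format-Table -AutoSize

# Every attribute with its decoded flags
Get-SchemaAttribute | Sort-Object lDAPDisplayName | Format-Table -AutoSize

# Security check: attributes marked confidential (bit 128). Accounts with plain Read on an
# object cannot read these; review who holds CONTROL_ACCESS on them.
Get-SchemaAttribute "(&(objectClass=attributeSchema)(searchFlags:${BIT_AND}:=128))" | Format-Table -AutoSize
```

The attributeID the post found in ADSI Edit (1.2.840.113556.1.4.767 for ACS-Max-Peak-Bandwidth) is the attribute's own OID and is unrelated to the matching-rule OID in the filter.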

Delegate Creating and Deleting Group Policies and OUs to non domain admin users?


We would like to create a security group that does most of the admin tasks that currently require adding a user to domain admins group.

Our group policies are edited very often especially as software installation packages deployed by GPO are added and removed.

This also often requires adding and deleting OUs and moving computers and users to those OUs to test software deployment or to apply GPOs to only subsets of users and computers.

Is there a way to create a role that can do all these things without being a domain admin?

We need members of this security group to be able to:

Create, delete, and modify user accounts (except domain admins), computer accounts, group policies and OUs, and join unlimited numbers of computer accounts to the domain.

It would be nice if they could also unlock a locked domain admin account.
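
This is standard OU-scoped delegation plus membership of the built-in Group Policy Creator Owners group. The block is an added example, not from the post; the group name and target OU are assumptions. It grants create/delete of OUs, computers, users and groups under one OU, full control of existing objects of those classes, and write access to gPLink/gPOptions so the group can link GPOs within that subtree. Creating computer objects this way is not limited by ms-DS-MachineAccountQuota, which covers the "unlimited joins" requirement without touching the domain-wide quota.

```powershell
# Added example (not from the post): delegate OU/GPO administration to a security group.
# Assumed names: group 'DelegatedOUAdmins', OU 'OU=Managed,DC=corp,DC=example,DC=com'.
Import-Module ActiveDirectory
$Group    = 'DelegatedOUAdmins'
$TargetOU = 'OU=Managed,DC=corp,DC=example,DC=com'   # keep DCs and admin accounts OUT of this subtree
$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid([string]$LdapDisplayName) {
    # Look the GUID up instead of hard-coding it: works for any class or attribute
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    New-Object Guid(, $o.schemaIDGUID)
}

function New-AdRule([System.Security.Principal.SecurityIdentifier]$Sid, [string]$RightNames,
                    [guid]$ObjectType, [string]$Scope = 'All', $InheritedType = $null) {
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]$RightNames
    $scope   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Scope
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    if ($InheritedType) {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Sid, $rights, $allow, $ObjectType, $scope, ([guid]$InheritedType)
    } else {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Sid, $rights, $allow, $ObjectType, $scope
    }
}

$sid    = (Get-ADGroup $Group).SID
$acl    = Get-Acl "AD:\$TargetOU"
$ouGuid = Get-SchemaGuid 'organizationalUnit'

foreach ($class in 'organizationalUnit', 'computer', 'user', 'group') {
    $g = Get-SchemaGuid $class
    # create/delete objects of this class anywhere under the OU
    $acl.AddAccessRule((New-AdRule $sid 'CreateChild,DeleteChild' $g 'All'))
    # full control of existing objects of this class (descendants only, not the OU's own ACL)
    $acl.AddAccessRule((New-AdRule $sid 'GenericAll' ([guid]::Empty) 'Descendents' $g))
}
foreach ($attr in 'gPLink', 'gPOptions') {
    # link / unlink / block inheritance on every OU in the subtree
    $acl.AddAccessRule((New-AdRule $sid 'ReadProperty,WriteProperty' (Get-SchemaGuid $attr) 'All' $ouGuid))
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Creating and owning GPOs is a built-in group, no Domain Admins needed
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $Group

# Verify what landed on the OU
(Get-Acl "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Two caveats. Members of protected groups (Domain Admins and the rest) are re-stamped by AdminSDHolder, so OU delegation never applies to them; unlocking a domain admin account cannot be handed out this way and should stay a Domain Admins task. And a group that can link GPOs to an OU controls every computer and user in it, so the delegated subtree must not contain domain controllers, admin workstations or admin accounts, otherwise the delegation is Domain Admins under another name.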


Identity Management for UNIX with Windows2008R2


Hello,

We are doing an Active Directory consolidation and migration from 3 child domains to another, 4th child domain.

In the 3 child domains we have NIS and LDAP for UNIX, and authentication for UNIX and UNIX-based applications.

I need to understand: has anyone tried Windows 2008 R2 IDMU (Identity Management for UNIX) with migrating UNIX maps and UNIX authentication without any issue?

If yes, can you please help us with the steps and configuration?

Also, is there any other tool which can be used with the co-existence of AD Windows 2008R2 like, openLDAP, NIS?

Regards,

Swapnil

 

ADFS 3.0 - Signing certificate CRL check with HTTP Proxy to the internet


Hello, 

We have an ADFS 3.0 server, with a Claims Provider Trust configured. 
The Claims Provider signs its tokens sent to this ADFS 3.0 server with a public certificate. The CRL of this certificate is also publicly available over HTTP.  

However, when trying to perform the certificate revocation check for this signing certificate, we notice that the ADFS 3.0 server is trying to get to the internet directly. Unfortunately, our company policy is that no device can have direct internet access, and all must pass through an HTTP proxy server.
We have the Proxy local area network (LAN) settings configured in Internet Explorer on the ADFS 3.0 server, and can browse the internet without problems. However, network traces show that ADFS is still trying to go directly to the internet for its revocation checks. 

Probably this is because the HTTP Proxy server is configured on a per-user setting. 
While we are using a Group Managed Service Account for our ADFS implementation, we cannot easily log in with this service account on the ADFS server, and change the HTTP proxy configuration for the ADFS service account. 

We know we can work around this problem via the following PowerShell cmdlet, but are really looking for a better solution and letting ADFS perform the CRL check. 

Set-AdfsClaimsProviderTrust -TargetName "<IDP name>" -SigningCertificateRevocationCheck None

What is the correct way to make ADFS 3.0 perform its certificate revocation checks via the proxy server to the internet? 

Thanks!
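
The per-user Internet Explorer proxy setting never reaches a service: AD FS's revocation checks go through CryptoAPI, which fetches CRLs over WinHTTP, and WinHTTP uses the machine-wide proxy configured with netsh. The block below is an added example, not from the post; the proxy address, bypass list and exported certificate path are assumptions. It sets the machine-wide proxy and then exercises the same CryptoAPI revocation path AD FS uses, so the CRL fetch can be confirmed before touching the trust.

```powershell
# Added example (not from the post): machine-wide WinHTTP proxy for CRL fetching, then verify.
# Assumptions: proxy.corp.example.com:8080, bypass list, exported IdP signing cert at C:\temp\idp-signing.cer.
$Proxy    = 'proxy.corp.example.com:8080'
$Bypass   = '<local>;*.corp.example.com'
$CertFile = 'C:\temp\idp-signing.cer'

# Before: on a default server this prints "Direct access (no proxy server)"
netsh winhttp show proxy

# Machine-wide setting used by WinHTTP clients, including CryptoAPI running under the gMSA
netsh winhttp set proxy proxy-server="$Proxy" bypass-list="$Bypass"
# Alternative if the IE settings are already correct: netsh winhttp import proxy source=ie

# Build the chain and fetch the CRL the way CryptoAPI does; the output shows each CRL URL
# with its retrieval result and ends with the revocation verdict for the leaf
certutil -verify -urlfetch $CertFile | Select-String -Pattern 'CRL', 'Revocation', 'ERROR'

# Restart AD FS so it does not keep a cached failed fetch
Restart-Service adfssrv

# Confirm revocation checking is still enabled on the trust. "None" means a token signed with
# a revoked (compromised) IdP key is still accepted.
Get-AdfsClaimsProviderTrust | Select-Object Name, SigningCertificateRevocationCheck
```

If the certutil run still shows the CRL fetch failing through the proxy, check that the proxy allows anonymous outbound HTTP for the CRL host; a proxy that demands user authentication cannot be satisfied by CryptoAPI's background fetch.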

Accessing DFS Share from a Trusted Domain


I have a Windows 2012 R2 server in domain D. This is the namespace server for the namespace D2.

From other machines in domain D I can access \\D\D2 ok

I have machines in another domain - domain U. There is a two way trust between domain D and domain U.

I am trying to access \\D\D2 from a Windows 2003 server in Domain U but am getting the message:

"Configuration information could not be read from the domain controller, either because the machine is unavailable or access has been denied"

I was under the impression this should work as there is a trust in place.

Has anyone any suggestions please?

Thanks

 

Separating a child domain from a forest/parent domain


Our infrastructure is currently as follows:

There are two domains which I will call "apple.local" and "banana.local". The domain "apple.local" is the parent/forest which is at a Windows 2003 Functional Level. The domain "banana.local" is a child domain of "apple.local" which is at a Windows 2008 Functional Level. This unusual arrangement was the result of a merger.

Recent business changes have meant that the domain "banana.local" needs to become the forest and "apple.local" needs to be permanently retired. I have been searching as to whether this is possible but the general consensus is "no". However, many of the discussions are several years old and I am interested in whether anything has changed with recent updates.

As an added "bonus", a single Exchange 2010 SP3 server is present and - just to complicate things further - is a member of the child domain "banana.local". Mailboxes (shared and user) and DGs from both domains are present. Access to shared mailboxes is granted using a mixture of users and security groups from both domains.

Is the best way forward to simply create a new domain on a fresh server? What would be the most straight-forward solution with minimal impact to the users and - in particular - the Exchange platform?

I am in a position to purchase new servers, software and licenses as required to meet the ultimate goal and - within reason - additional expenditure is not an obstacle. We also have the option to create new IP ranges if required.

Any ideas and/or suggestions welcomed!

ADFS V3.0 Error 503 with urls


We are setting up and testing adfs version 3.0 on windows 2012 r2.

If I goto the following url's it works

https://adfs.domain.com/adfs/ls/idpinitiatedsignon.htm

https://adfs.domain.com/federationmetadata/2007-06/federationmetadata.xml

https://adfs.domain.com/adfs/services/trust/mex

But if I goto

https://adfs.domain.com/adfs/adfs/services/trust

https://adfs.domain.com/adfs/adfs/ls

https://adfs.domain.com/adfs/adfs/ls/federationserverservice.asmx

I keep getting 503 errors, with event log entries for event 364:

Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls to process the incoming request.
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Forgot to say, I get this error from both the internal and the external network.

Migrating Primary DC with windows 2003 server to a Second DC with windows 2008 r2 server with onpremise exchange 2010 sp1


Hi,

I have been doing lots of research into finally upgrading our Primary Domain Controller that is running Windows Server 2003 to a new box running Windows 2008 R2. I have already done all the preps and checks, but one thing is of concern: we have on-premise Exchange Server 2010 SP1. I fully understand how to promote the new server and then decommission the old one. Given that the Exchange Server is there, is there anything further that must be done to ensure no malfunction?

Currently have only single domain with single DC of course as only one it holds all FSMO records.  When I bring the other onto the domain as second controller and import all FSMO's will this be ok with Exchange Server?

Thanks

Ron

HA ADFS and WAP HA


Hello MS team,

Can someone from the guru AD team provide some thoughts regarding the ADFS and WAP HA & DR server design below? Is this officially supported? How can I set up HA and DR for WAP proxy servers and ADFS servers of the latest version?

Any blogs, links with tons of screenshots to build this design?

My design as per below

Site 1

2 ADFS servers running Windows 2012 R2 Server in an NLB cluster. These servers will be deployed in the internal network on Site 1.

2 WAP proxy servers deployed on a DMZ network on Site 1. Each server will have 2 NICs, one for communication with the internal network, and the other one with an IP address which is NATed to a public IP address.

Site 2

Same as above



Franki

domain in other Forest Dont See Object in other domain forest


Hi to all,

I have one problem that has confused me for weeks.

I hope that you have a solution for it.

I have 2 domains in 2 forests, with a trust between the 2 forests established and verified.

The administrator from domain A in forest A can see all objects in domain B in forest B, and the administrator from domain B in forest B can see all objects from a Windows 7 client with the admin pack installed. The problem is that the admin from a domain controller in forest B cannot see any objects in domain A. I deleted the antivirus from both domains and disabled the firewall, but the problem still exists. Can you help me?

AD DS Replication 1722 The RPC Server is unavailable


Hi all,

An interesting issue - we have 2 DC's - one Primary DC FSMO role holder/DNS Server and other Secondary DC/DNS Server that both replicate with each other. All of a sudden in the past few days we are not getting any replication occurring on DC2.

Basic tests performed through AD Sites & Services:
DC1 > DC2 replication PASS
DC2 > DC1 replication FAIL

DNS has been checked and I believe it is causing the problem on DC2.
In the Event Log on DC2, the DNS Server Service is currently smashing the event log every second of the day:
EVENT 4015
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "%1". The event data contains the error.

We can restart DC2, and then DNS Server Service runs fine for approximately 10 minutes, replication DOES occur (new users show up in AD/passwords are matched to DC1), and then the service eventually bombs out again, causing THOUSANDS of Event ID 4015's.

on DC2: repadmin /syncall:
CALLBACK MESSAGE: Error contacting server 9694a21f-dc86-4dde-87bc-5595c3d5967e._msdcs.DC.local (network error): -2146893022 (0x80090322):
    The target principal name is incorrect.
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error contacting server 9694a21f-dc86-4dde-87bc-5595c3d5967e._msdcs.DC.local (network error): -2146893022 (0x80090322):
    The target principal name is incorrect.

on DC1: repadmin /syncall: Runs successfully.

Currently on DC1, all DCDIAG /test:DNS tests return back successfully.

Here is the output of DC2 DCDIAG /test:DNS results:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = DC2

   * Identified AD Forest.
   [DC1] LDAP bind failed with error 8341,

   A directory service error has occurred..
   Got error while checking if the DC is using FRS or DFSR. Error:

   A directory service error has occurred.The VerifyReferences, FrsEvent and

   DfsrEvent tests might fail because of this error.

   Done gathering initial info.


Doing initial required tests

  
   Testing server: Cloud\DC2

      Starting test: Connectivity

         ......................... DC2 passed test Connectivity

  
   Testing server: Cloud\DC1

      Starting test: Connectivity

         The GUID based DNS Name resolved to several IPs

         (fd4b:49f1:f07e::1, 172.16.1.1), but not all were pingable.

         Replication and other operations may fail if a non-pingable IP is

         chosen. The first pingable IP is 172.16.1.1.
         Got error while checking LDAP and RPC connectivity. Please check your

         firewall settings.

         ......................... DC1 failed test Connectivity

Doing primary tests

  
   Testing server: Cloud\DC2

  
   Testing server: Cloud\DC1

  
      Starting test: DNS

        

         DNS Tests are running and not hung. Please wait a few minutes...

           
               Starting test: DNS

                  ......................... DC1 failed test DNS

         ......................... DC2 passed test DNS

  
   Running partition tests on : ForestDnsZones

  
   Running partition tests on : DomainDnsZones

  
   Running partition tests on : Schema

  
   Running partition tests on : Configuration

  
   Running partition tests on : DC

  
   Running enterprise tests on : DC.local

      Starting test: DNS

         Test results for domain controllers:

           
            DC: DC1.DC.local

            Domain: DC.local

           

                 
               TEST: Authentication (Auth)
                  Error: Authentication failed with specified credentials
                 
               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Error: No WMI connectivity
                  No host records (A or AAAA) were found for this DC

        
         Summary of test results for DNS servers used by the above domain

         controllers:

        

            DNS server: fd4b:49f1:f07e::1 (DC1.DC.local.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server fd4b:49f1:f07e::1              
         Summary of DNS test results:

        
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: DC.local

               DC1                  FAIL FAIL n/a  n/a  n/a  n/a  n/a 
        
         ......................... DC.local failed test DNS

Right, so I know there is an IPv6 configuration error on DC1/DC2; it's been like that for 6 months as we haven't set up the records 100%, but replication has been occurring fine and only stopped in the past 2 days.
Everything works fine and should replicate on IPv4.
Around the same time the FIRST EVENT 4015 started on DC2 we ran Windows Updates, and there are about 47 pending updates for Server 2012. Some updates failed around the same time 4015 was first generated, but it hasn't happened since that day. For 2 days now it's been constant and no replication has occurred. As mentioned above, we can reboot DC2, get replication working for approx. 10 minutes, then DNS Server seems to trip out according to Event Viewer, and no replication will work from DC2 > DC1.

We've run netdom passwd reset on both DC1/DC2 and reset both DC's. Nothing will stop event 4015 on DC2!!

It seems like a textbook DNS related issue on DC2 but so far we have had no luck repairing it.

Any ideas or suggestions would be appreciated.

Domain Controller acting weird, and many errors in the event log


This morning I had several users report an error accessing resources on a DFS namespace. I looked at the domain controller this namespace is on, and I am seeing several errors, the first of which I believe to be the root cause.

Event ID: 3224

Source:  NETLOGON

Error:

Changing machine account password for account MACHINE$ failed with the following error: 
The administrative limit for this request was exceeded.

I've been looking for reasons online, but I can't seem to get anywhere.

This is followed up with other errors with GPO, DFS, some Kerberos, WMI, FRS, and VSS.

The kerberos message seems related:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server machine$. The target name used was ldap/machine.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

I tried to change the password on the server account with Netdom, but I received the same error as above. "The administrative limit for this request was exceeded."

Would appreciate any pointers!
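
The KRB_AP_ERR_MODIFIED text above and the "target principal name is incorrect" (0x80090322) replication error in the earlier "AD DS Replication 1722" post are the same failure seen from the server and the client side: a ticket was encrypted with a key the target does not hold, because of a duplicate SPN, a machine password that did not replicate, or clock skew. The block below is an added example, not from either post, that checks those causes in order; the target name is an assumption (DC1 from the replication post) and the script is meant to run on the machine that is failing, as a domain admin. For the DNS side of the replication post, note that event 4015 is the DNS service reporting that it could not read its AD-integrated zones, so it is more likely a symptom of the LDAP/Kerberos failure on that DC than its cause.

```powershell
# Added example (not from the posts): triage for KRB_AP_ERR_MODIFIED / SEC_E_WRONG_PRINCIPAL.
# Assumption: $Target is the NetBIOS name of the server that rejected the ticket.
Import-Module ActiveDirectory
$Target = 'DC1'
$Domain = Get-ADDomain

# 1. Clock skew: Kerberos rejects tickets more than 5 minutes out
w32tm /stripchart /computer:$Target /samples:3 /dataonly

# 2. Duplicate SPNs anywhere in the forest. A second account also holding ldap/<host> makes the
#    KDC pick the wrong key, which the server reports as KRB_AP_ERR_MODIFIED
setspn -X -F

# 3. Do all writable DCs agree on the target's current machine key? A password change that
#    failed to replicate shows up as different pwdLastSet / msDS-KeyVersionNumber values
$dcs = (Get-ADDomainController -Filter { IsReadOnly -eq $false }).HostName
foreach ($dc in $dcs) {
    $c = Get-ADComputer $Target -Server $dc -Properties pwdLastSet, 'msDS-KeyVersionNumber', servicePrincipalName
    New-Object PSObject -Property @{
        QueriedDC  = $dc
        PwdLastSet = [DateTime]::FromFileTimeUtc($c.pwdLastSet)
        KeyVersion = $c.'msDS-KeyVersionNumber'
        SpnCount   = @($c.servicePrincipalName).Count
    }
} | Format-Table QueriedDC, PwdLastSet, KeyVersion, SpnCount -AutoSize

# 4. If the target is a DC, its account must carry the DRS replication SPN for its own DSA GUID;
#    repadmin and replication bind with that SPN, so a missing one gives 0x80090322
$dcObj = Get-ADDomainController -Identity $Target -ErrorAction SilentlyContinue
if ($dcObj) {
    $dsaGuid = (Get-ADObject $dcObj.NTDSSettingsObjectDN -Properties objectGUID).ObjectGUID
    $want    = "E3514235-4B06-11D1-AB04-00C04FC2DCD2/$dsaGuid/$($Domain.DNSRoot)"
    $spns    = (Get-ADComputer $Target -Properties servicePrincipalName).servicePrincipalName
    "replication SPN present on $Target account: " + ($spns -contains $want)
}

# 5. This machine's own secure channel, then drop cached tickets (user and SYSTEM logon session)
#    so the next bind fetches tickets under the current keys
nltest "/sc_verify:$($Domain.NetBIOSName)"
klist purge
klist -li 0x3e7 purge
```

If step 3 shows DCs disagreeing on the key version, the fix is to reset the account's password against a DC that the rest will replicate from; for a domain controller's own account that is the documented netdom resetpwd procedure run on that DC with its KDC service stopped, not a blind reset on both sides.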


How to Validate an Old Kerberos Realm Trust


Environment has a Kerberos Realm trust configured on a domain called XYZ. It is configured in both directions. It was created years ago and thanks to IT turnover no one can tell me why it's there. No one wants to delete it in case it might break something. We don't think any UNIX apps use it but MS does not provide a means to verify a realm trust like you can with an AD domain-to-domain trust. No users on the domain have altSecurityIdentities configured. The command ksetup /dumpstate says no user mappings are defined. There is no XYZ zone defined in DNS that I can find. The HKLM key LSA\Kerberos\Domains on the DC is empty. Kerberos realm trusts don't seem to use any unique ports to try to sniff for traffic. There don't seem to be any unique error or alert IDs to look for in the event log.

What else is there to check? Any ideas on how you might definitively show that this trust is not in use?
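
Actual use of a realm trust does leave a trace: every cross-realm ticket goes through a DC's KDC and is logged as Security event 4769 when "Kerberos Service Ticket Operations" auditing is on. Outbound use appears as a service ticket request for krbtgt/<REALM> (the inter-realm TGT); inbound use appears as a service ticket request whose account domain is the foreign realm. The block below is an added example, not from the post; it assumes XYZ is the exact realm string and that the DCs allow remote event log reads.

```powershell
# Added example (not from the post): find Kerberos traffic that actually crosses the realm trust.
Import-Module ActiveDirectory
$Realm = 'XYZ'   # realm name from the post; assumed to be the exact Kerberos realm string
$Days  = 30

# The trust object itself: TrustType, direction, and when it was last modified
Get-ADTrust -Filter "Target -eq '$Realm'" |
    Format-List Name, Source, Target, Direction, TrustType, TrustAttributes, Created, Modified

# Without success auditing here the search below proves nothing
auditpol /get /subcategory:"Kerberos Service Ticket Operations"

function Get-RealmTrustUse {
    param([string]$Realm, [int]$Days)
    # Filter server-side: 4769 is the highest-volume event on a DC
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Outbound: our KDC issued an inter-realm TGT, service name krbtgt/<REALM>
            # Inbound:  a principal whose account domain is the foreign realm asked us for a service ticket
            $outbound = $d.ServiceName -like "krbtgt/$Realm*"
            $inbound  = $d.TargetDomainName -eq $Realm
            if ($outbound -or $inbound) {
                New-Object PSObject -Property @{
                    Time      = $_.TimeCreated
                    DC        = $dc
                    Direction = $(if ($outbound) { 'outbound' } else { 'inbound' })
                    Account   = $d.TargetUserName
                    Service   = $d.ServiceName
                    ClientIP  = $d.IpAddress
                    Status    = $d.Status
                }
            }
        }
    }
}

Get-RealmTrustUse -Realm $Realm -Days $Days |
    Sort-Object Time |
    Format-Table Time, DC, Direction, Account, Service, ClientIP, Status -AutoSize
```

An empty result only shows the trust was unused during the window on DCs whose logs still reach that far back; check the security log retention on each DC before reading silence as proof, and run it across a full business cycle (month-end jobs included) before removing the trust.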

Windows Server 2012


In our organization, we are using Windows Server 2012. We have been requested to review access logon violations in order to ensure that potential unauthorized access activities are timeously identified and followed up.

1. can this be done on Windows Server 2012 or do we need 3rd party software ? 

2. how is this done ?
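
Windows Server 2012 does this with built-in auditing; no third-party software is needed. The block is an added example, not from the post: auditpol turns on failure auditing, and the function summarises failed logons per account and source from 4625 (local logon failures), 4771 (Kerberos pre-authentication failures) and 4776 (NTLM credential validation failures). The window and threshold are assumptions. On a member server only 4625 appears; 4771 and 4776 are written on the domain controllers, which is where the domain-wide picture lives.

```powershell
# Added example (not from the post): built-in failed-logon review on Windows Server 2012.
# Run once as an administrator to make sure failures are recorded
auditpol /set /subcategory:"Logon" /failure:enable
auditpol /set /subcategory:"Credential Validation" /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 5)   # both values are assumptions for this example

    $filter = @{ LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 4625 SubStatus / 4776 Status: 0xC000006A bad password, 0xC0000064 unknown user,
        #   0xC0000072 disabled, 0xC0000234 locked out
        # 4771 Status: 0x18 bad password, 0x12 disabled/locked/expired
        switch ($e.Id) {
            4625 { $acct = $d.TargetUserName; $src = $d.IpAddress;   $code = $d.SubStatus }
            4771 { $acct = $d.TargetUserName; $src = $d.IpAddress;   $code = $d.Status }
            4776 { $acct = $d.TargetUserName; $src = $d.Workstation; $code = $d.Status }
        }
        New-Object PSObject -Property @{ Time = $e.TimeCreated; Id = $e.Id; Account = $acct; Source = $src; Code = $code }
    }

    $rows | Group-Object Account, Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $times = $_.Group | ForEach-Object { $_.Time } | Sort-Object
            New-Object PSObject -Property @{
                Account  = $_.Group[0].Account
                Source   = $_.Group[0].Source
                Failures = $_.Count
                Codes    = ($_.Group | ForEach-Object { $_.Code } | Sort-Object -Unique) -join ','
                First    = $times[0]
                Last     = $times[-1]
            }
        } |
        Sort-Object Failures -Descending |
        Select-Object Account, Source, Failures, Codes, First, Last
}

Get-FailedLogonSummary -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

Many failures for one account from many sources, or for many accounts from one source with the "unknown user" code, are the patterns worth a follow-up; a single account with a handful of bad-password failures from its usual workstation is normal. Size the Security log (or forward it) so the review window is actually covered.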

Find Computer Name User is Logged Onto


Hi!

Is there an easy way to find out which computer a domain user is logging onto? It shows in Event viewer but it takes a lot of time. Windows 2003 Server.

Thanks.

AD Upgrade


Dears,

I have deployed my new DCs in all of my sites, then I have done with below:

  1. Moved FSMO roles to the new DCs
  2. Configured bridgehead servers
  3. Removed the GC check box from my old DCs
  4. Made sure that my new DCs are GCs
  5. Configured all my DCs, servers, and clients' TCP/IP DNS settings to use my new DCs
  6. My DCs do not include encrypted data

Now I need to test my environment for 10 days, while my old DCs are shutdown.

I shut down my old DCs and ran the command "dcdiag /test:dns", and it fails.

So how should I test my environment while my old DCs are shutdown?

Server still domain joined but trust fails


I have run into a problem on one of my servers. It appears as though no one can authenticate to it using its FQDN. If the user had logged in previously, they can log in using the IP address for the connection.

After poking around on the box I have found that there is an issue with the trust relationship. The machine can still ping the pdc but when I run a nltest /sc_verify:domainname I get

Flags: 80

Trusted DC Name

Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

Trust Verification Status: 1311 0x51f ERROR_NO_LOGON_SERVERS

I have even tried a nltest /sc_reset:domainname and received I_NetlogonControl failed: Status =1722 RPC_S_SERVER_UNAVAILABLE

I have even run dcdiag on the pdc to confirm that the configuration there is fine and it completes without errors.

I am wondering if anyone has experienced this and resolved it without having to remove and rejoin the server from the domain?

Thanks
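
Both this post and the "AD Upgrade" post above come down to the same two questions: which DCs does DNS still advertise, and can this machine actually reach one of them on the ports Kerberos, LDAP and the secure channel need. ERROR_NO_LOGON_SERVERS from nltest /sc_verify means the DC locator found nobody usable, which is a DNS or reachability problem before it is a password problem; and dcdiag /test:dns will keep failing in the upgrade scenario as long as the powered-off DCs are still registered as DCs, because the test enumerates every DC the domain knows about. The block below is an added example, not from either post; it runs on the affected member server, and the credential prompt is an assumption.

```powershell
# Added example (not from the posts): which DCs DNS advertises, whether they are reachable,
# and the state of this machine's secure channel. Needs the DnsClient module (2012+ / Win8+).
$Domain = $env:USERDNSDOMAIN
$Ports  = 53, 88, 135, 389, 445, 464, 636   # DNS, Kerberos, RPC mapper, LDAP, SMB, kpasswd, LDAPS

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
    } catch { $ok = $false }
    $client.Close()
    $ok
}

# 1. The DCs the locator will consider: SRV records for writable DCs. Powered-off DCs that were
#    never demoted still show up here, which is what makes dcdiag /test:dns fail in the upgrade case.
$dcs = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { $_.NameTarget } | Sort-Object -Unique

$reachable = @()
foreach ($dc in $dcs) {
    $closed = $Ports | Where-Object { -not (Test-TcpPort $dc $_) }
    if ($closed) { '{0,-40} BLOCKED: {1}' -f $dc, ($closed -join ',') }
    else         { '{0,-40} all ports open' -f $dc; $reachable += $dc }
}

# 2. The DC the locator actually picks right now (forces a fresh discovery instead of the cache)
nltest /dsgetdc:$Domain /force

# 3. Secure channel: test first, and only repair (machine password reset) against a DC we can reach
$healthy = Test-ComputerSecureChannel -Verbose
if (-not $healthy -and $reachable.Count -gt 0) {
    Test-ComputerSecureChannel -Repair -Server $reachable[0] -Credential (Get-Credential "$Domain\admin")
}
```

If every DC shows BLOCKED on port 135 or 445 while 389 is open, the symptoms in this post (LDAP fine, nltest /sc_reset returning RPC_S_SERVER_UNAVAILABLE) match a firewall or host-based filter between the server and the DCs rather than a broken trust, and a domain rejoin would not help. For the upgrade scenario, demote the old DCs (or clean their metadata) instead of leaving them powered off; the SRV records then disappear and the DNS test has nothing stale to fail on.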
