Channel: Directory Services forum

BitLocker Schema Update Windows 2003 R2 SP2


Hi All,

We are having a problem with implementing Bitlocker to store the recovery information in AD.

We are following this MS paper (http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx)

We did the following steps:

  • We extended our Schema for the support of BitLocker.
  • We verified that the BitLocker objects exist in the schema after the update.

CN=ms-FVE-RecoveryGuid

CN=ms-FVE-RecoveryInformation

CN=ms-FVE-RecoveryPassword

CN=ms-FVE-VolumeGuid

CN=ms-TPM-OwnerInformation

  • We ran the ACE script (Add-TPMSelfWriteACE.vbs) to give the computer object (Self) rights to write info to the ms-TPM-OwnerInformation object.
  • We verified that the ACEs were set correctly.
  • Created a GPO to store the recovery information into AD.
  • Verified if the GPO was pushed to the clients. 

Still we are not able to get Bitlocker to write the recovery info into AD.

One strange thing we see is that after the Schema update all computers have the "ms-TPM-OwnerInformation" attribute. But we don't see the other attributes on a computer object, like:

CN=ms-FVE-RecoveryGuid

CN=ms-FVE-RecoveryInformation

CN=ms-FVE-RecoveryPassword

CN=ms-FVE-VolumeGuid

But when we look into the schema itself we see the objects are there. 

Does anyone have an idea?



network path was not found to join the domain


hi

I have Windows Server 2003 Enterprise Edition and PCs with Windows XP Pro. When I join the domain, an error occurs:

"The following error occurred attempting to join the domain "domain name":

The network path was not found."

I can ping the domain easily and nslookup also resolves the DNS, but I cannot join the domain because of this error.

Please provide me a solution so that I can implement the project in the enterprise.

 

thanks in advance 


piush@786

How to create new forest in my organization - Please advise


Hi,

We have a company name change occurring and I need to create a new forest with 2 new domains. Then migrate objects from the old domain to the new.

I have a few questions about the process:

I tried my hand at creating a new DC in a new forest on server core 2008R2 (on the same subnet as the current domain). All went well during the install but once completed I couldn't see the new forest in AD users and computers console. So how to proceed? Not sure. I suspect it's not as easy as I had suspected. So now I've removed the server core DC and want to start fresh.

Can someone give me some steps as to how to accomplish my goal? At this point I'd just like to get the new forest up and manageable and then tackle the migration.

Do I need to create a new VLAN for the new forest? If so should I make the new VLAN routeable to the rest of the network?

Do I need to create a new DHCP server for the new forest?

Any assistance is greatly appreciated!

M

Anyone know how to rename a recurring task to include last time modified?


So I have 40 machines that all run unattended scheduled tasks, primarily file copy from internal drive to desktop for data recovery in an emergency. These are recurring tasks, 6 times a day, every day.

Sometimes the tasks may not run for whatever reason: PC lost power, network down, etc.

In times like these, we have to know which task was last performed, so as to get the latest recovered data.

Yes, I know I can right click and go to properties and see that, but we need to dumb this down for nurses, not IT staff, and have the latest date and time display on the task..

Any ideas?


Daniel Strickland-Clabaugh

lsass.exe and KDC High utilization on Domain controllers


Hi..

I am getting high CPU utilization on my Domain controllers. While I am checking, lsass.exe is taking but when I am checking in the "Resource monitor", it's not showing high CPU usage.

See the below details of DCs which are on Virtual machines.

PDC:

PDC.child.contoso.com

RAM: 15.9995651245117GB

PROCESSORS DETAILS:
CPU0 Intel(R) Xeon(R) CPU X7550 @ 2.00GHz
CPU1 Intel(R) Xeon(R) CPU X7550 @ 2.00GHz

Virtual Machine.

============

DC110.child.contoso.com

RAM : 3.99956512451172GB

PROCESSORS DETAILS:
CPU0 Intel(R) Xeon(R) CPU X7550 @ 2.00GHz
CPU1 Intel(R) Xeon(R) CPU X7550 @ 2.00GHz

=========================


Migration of DHCP server from one AD Forest to another


We are in the process of migrating users and their PCs from one AD Forest [Forest A] to a new Forest [Forest B]; all servers and resources will remain in the original Forest [Forest A]. Currently the DHCP Server [Windows 2008R2] is in Forest A. When the user migration is finished, I want to migrate the DHCP server from Forest A to Forest B. What is the best way to do this?

Should I create a new server in Forest B, then migrate the settings with the DHCP migration tool to the new server?

or

Should I unauthorize the DHCP server in Forest A, then migrate the server to Forest B and then authorize it again?

Upgrade from active directory 2003 sp2 to active directory 2008 r2


Hi everyone

I have Windows Server 2003 Enterprise Edition SP2 32-bit running Active Directory. I just want to upgrade it to Active Directory 2008 R2. What are the simple methods to do that? And also tell me please: if I upgrade from Active Directory 2003 to 2008 R2, will I need to join the domain on all clients or not?

Win 2008 R2 domain controller in 2003 forest and domain functional level


hi all,

I am thinking of adding a Windows 2008 R2 Domain Controller to my domain. Actually it has a Win 2003 SP2 domain controller and a Windows 2008 SP2 domain controller. The functional level for this domain is 2003, as is the forest functional level.

Can I do this without having 2003 domain controller being depromoted?

Is it safe though I still have several clients using Windows XP?

Thank you very much for your answers.

Kind regards.


Event -29


Hi Team,

Having warnings in our DC, as below. (We have win2k8 R2 servers and using AD CS for certificate services)

Event  -29
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

Kindly help us to fix the issue


Thanks SUBBU.T

Issue extending 802.11 schema objects


Hola!

I'm trying to extend the schema for 802.11 GPO setting in an up-to-date Server 2003 environment.  I have explicitly followed this article:
http://technet.microsoft.com/en-us/library/bb727029.aspx

and am getting this output when I run the command.

Begin:

C:\>ldifde -i -v -k -f 802.11Schema.ldf -c DC=X DC=ODC,DC=DOM
Connecting to "eugdc.odc.dom"
Logging in as current user using SSPI
Importing directory from file "802.11Schema.ldf"
Loading entries
1: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=ODC,DC=DOM

Add error on line 14: Referral
The server side error is "A referral was returned from the server."
0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

-End


I haven't the foggiest clue of what I'm doing wrong, any ideas?

Healthchecks of AD - issues

Do any of you do independent healthchecks/technical audits of Active Directory setups for clients/partners? I just wondered if you come across any common issues in design weaknesses/maintenance weaknesses/monitoring weaknesses, and subsequent risks that exposes your clients'/partners' businesses to.

delete a no more existing domain from a surviving forest


Hi all,

My company has an AD forest with a lot of domains, each corresponding to a subcompany of ours. One of these subcompanies is no longer a member of our organization, and the result is that we can no longer access that AD domain and those domain controllers. So our forest now has a ghost sub-domain that can't be accessed. Other domain controllers try to replicate with those and a lot of failures are recorded.

Is there a way to delete a domain that no longer exists? I'm searching for a procedure like the removal of a failed domain controller (metadata cleanup).

Event Source is LsaSrc and Event ID is x - 40960


Hi Team,

I'm having below evt in my DC - win 2k8 R2.

The Security System detected an authentication error for the server ldap/*******.. The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
 (0xc0000234)".

Event Source is  LsaSrc and Event ID is x - 40960

Kindly let me know the steps to fix the issue.


Thanks SUBBU.T

ADMT 3.2 "Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. Access is denied."


Hi,

I am receiving the following error while trying to migrate user with SIDHistory on my ADMT 3.2 Server.

"Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. Access is denied."

NOTE: I have already followed the recommendations as per the following article, but still it doesn't appear to be working and I am receiving the above error.

http://technet.microsoft.com/en-us/library/cc974410(v=ws.10).aspx

STEPS ALREADY FOLLOWED:



HA

Installing a DC in Windows Server 2012


Hello!

Can't type in the DSRM password while installing the first Win2012 DC:


???

Thank you in advance,

Michael


External Trust and Folder Redirection


Hello,

We have a newly minted Win2k8 R2 terminal server farm and 3 domains have been added to the via one-way external trusts. For users coming in from the one-way trust, roaming profiles are set up fine as we have enabled cross-forest roaming profiles. We cannot, however, seem to get folder redirection working for the users coming in from the one-way trust. There seem to be no errors as far as we can tell, so it leads me to believe the policy is not being applied. Is this even possible? The users coming in from two-way trusts have folder redirection working fine.

Any help would be appreciated.

New AD Environment


Hi,

We are going to deploy our AD environment. We need some suggestions from you on this; here is the scenario:

We have three offices in total: one in New York, one in Washington and one in Bombay, India.

Following are the details:

India Office: Primary DC

New York : RODC 

Washington : RODC 

My question is: will it be feasible that if the India DC goes down, all the control will be forwarded to New York if we make it a secondary DC with respect to geographical location? Or is it better to keep it as an RODC?

Because we are planning to make NY our secondary DC.

Please advise.

Thanks,

  


Akshay Vithalkar
(MCTS) | Windows Server 2008 R2 Server Virtualization
(MCTS) | Windows Server 2008 R2 Network Infrastructure,Configuration
(MCTS) | Windows Server 2008 R2 Active Directory, Configuration
(MCITP)| Windows Server 2008 Server Administrator
(MCSA) | WindowsServer2008;

Cannot login after dcpromo


OS: W2K8R2SP1 | Only DC

Just did dcpromo and installed AD and DNS without enabling ADDS and DNS in Roles; and now after auto reboot it does not take both my and administrator password. So can't login to the domain/server.

This is a test to replicate an issue that had happened in the production env when AD and DNS were installed using dcpromo without first enabling the corresponding roles, to see if a solution exists to come out of this situation and save the AD.

What are the possible reasons for not allowing to login? FYI, earlier password's complexity was complex enough, so Default Domain Policy should not interfere. DSRM working fine.

How can this situation be salvaged so that I don't have to re-image and the AD and DNS works fine. Can LKGC work, to take the server back to days when it was not yet a DC?

~TIA


- thestriver


Windows Server Active Directory error


Hi,

I am seriously trapped with an issue in my company.

We are implementing a new site, so I want to add the new site's Active Directory as a child domain of my main site AD, but I am not able to join.

So I checked my main Active Directory primary domain controller, which is Active Directory integrated.

DNS is completely down in the primary Active Directory.

When I checked the operations masters, RID is giving an error and I am not able to transfer FSMO roles.

In operations masters, RID is giving an error.

Then I planned to seize the FSMO role and make the secondary the main domain controller; even that is giving an error, as below:

"DsBindW error 0x6d9 (There are no more endpoints available from the
 endpoint mapper.) "

Kindly help me with a solution.

Event id 1168 Active Directory


In our domain controllers we see below events:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          19.12.2012 7:13:45
Event ID:      1168
Task Category: Internal Processing
Level:         Error
Keywords:      Classic
User:          "our domain"\XXXX$
Computer:      YYYY
Description:
Internal error: An Active Directory Domain Services error has occurred.
 
Additional Data
Error value (decimal):
1332
Error value (hex):
534
Internal ID:
1240627
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
    <EventID Qualifiers="49152">1168</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2012-12-19T05:13:45.180564900Z" />
    <EventRecordID>1621</EventRecordID>
    <Correlation />
    <Execution ProcessID="436" ThreadID="4832" />
    <Channel>Directory Service</Channel>
    <Computer>YYYY</Computer>
    <Security UserID="S-1-5-21-1074365621-3550774200-4067301949-50952" />
  </System>
  <EventData>
    <Data>1332</Data>
    <Data>534</Data>
    <Data>1240627</Data>
  </EventData>
</Event>


XXXX is RODC and YYYY is DC server.
