Channel: Directory Services forum

Unable to inherit permissions

I have an issue where I cannot flow permissions from an OU to any of its objects.

I'm using an account (i.e. AcntScriptX) which needs to be able to delete a (user) object and has "delete all child objects" set and also "delete" (this object and all descendant objects). However, when I try to delete an object using that account it fails. I checked the security tab on one of the user objects to be deleted, but when using 'effective permissions' the "AcntScriptX" account does not have those delete permissions inherited.

The object to be deleted has "include inheritable permissions" enabled.

Any ideas? Thanks.
JD
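An added diagnostic (not code from the post above) that checks the three things that usually decide this: the scope of the ACE on the OU, whether the child object really receives inherited ACEs, and whether AdminSDHolder protection is resetting them. The OU and user DNs and the EXAMPLE domain are placeholders; it assumes the RSAT ActiveDirectory module, which provides the AD: drive.

```powershell
# Added diagnostic, not code from the original post. Assumes the RSAT ActiveDirectory
# module (which provides the AD: drive). $OuDn and $UserDn are placeholders; replace
# them with the OU that carries the ACE and one of the user objects that cannot be deleted.
Import-Module ActiveDirectory

$OuDn    = 'OU=Staff,DC=example,DC=com'             # placeholder
$UserDn  = 'CN=Jane Doe,OU=Staff,DC=example,DC=com' # placeholder
$Account = 'EXAMPLE\AcntScriptX'                    # account name from the post, placeholder domain

# 1. ACEs on the OU for the account. Whether a "Delete" right reaches the children is
#    decided by InheritanceType (None = this object only; All / Descendents flow down)
#    and InheritedObjectType (a non-empty GUID limits the ACE to one object class, which
#    is only correct here if that class is "user").
Write-Host "ACEs granted to $Account on $OuDn"
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
                  InheritedObjectType, PropagationFlags |
    Format-Table -AutoSize

# 2. On the child object: is inheritance really enabled, and which inherited ACEs for the
#    account actually arrived? No entry here with inheritance enabled points at the
#    ACE's scope on the OU; a protected ACL points at step 3.
$userAcl = Get-Acl -Path "AD:\$UserDn"
Write-Host "Inheritance blocked on child object: $($userAcl.AreAccessRulesProtected)"
$userAcl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and $_.IsInherited } |
    Select-Object ActiveDirectoryRights, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize

# 3. AdminSDHolder: objects with adminCount=1 (members of protected groups such as
#    Domain Admins or Account Operators) get their ACL rewritten and inheritance disabled
#    again by SDProp, by default every 60 minutes, so ticking "include inheritable
#    permissions" on such an object does not last.
$obj = Get-ADObject -Identity $UserDn -Properties adminCount, memberOf
if ($obj.adminCount -eq 1) {
    Write-Host 'adminCount=1: the object is protected by AdminSDHolder; inherited ACEs will be stripped.'
    $obj.memberOf
}
```

Run it as a user with read access to both objects; the Effective Permissions tab in the GUI evaluates the same ACL data, so a discrepancy in step 2 explains what that tab shows.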


Active Directory Catalog Replication Not Complete

Hi There,

I tried to dcpromo a new server to be the primary domain controller before replication from the old domain controller had completed. How do I resolve this issue? Thanks.

Here is the DCDiag log from the new server, if you are not able to access it through this link ( https://drive.google.com/file/d/0B_kVgtolSFXGNHVtbjczdWJuaWNZdW51d3lnc2paTG5zSmJv/view?usp=sharing ):


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine INTSRV, is a Directory Server.
   Home Server = INTSRV

   * Connecting to directory service on server INTSRV.

   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=integricity,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=HQ,CN=Sites,CN=Configuration,DC=integricity,DC=com
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=integricity,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=INTSRV,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=integricity,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 1 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

  
   Testing server: HQ\INTSRV

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... INTSRV passed test Connectivity

Doing primary tests

  
   Testing server: HQ\INTSRV

      Starting test: Advertising

         The DC INTSRV is advertising itself as a DC and having a DS.
         The DC INTSRV is advertising as an LDAP server
         The DC INTSRV is advertising as having a writeable directory
         The DC INTSRV is advertising as a Key Distribution Center
         The DC INTSRV is advertising as a time server
         Warning: INTSRV has not finished promoting to be a GC.

         Check the event log for domains that cannot be replicated.

         Warning: INTSRV is not advertising as a global catalog.

         Check that server finished GC promotion.

         Check the event log on server that enough source replicas for the GC

         are available.

         ......................... INTSRV failed test Advertising

      Starting test: CheckSecurityError

         * Dr Auth:  Beginning security errors check!
         Found KDC INTSRV for domain integricity.com in site HQ
         Checking machine account for DC INTSRV on DC INTSRV.
         * SPN found :LDAP/INTSRV.integricity.com/integricity.com
         * SPN found :LDAP/INTSRV.integricity.com
         * SPN found :LDAP/INTSRV
         * SPN found :LDAP/INTSRV.integricity.com/INTEGRICITY
         * SPN found :LDAP/5c4b560f-8cca-4edd-adc2-64584b032eab._msdcs.integricity.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5c4b560f-8cca-4edd-adc2-64584b032eab/integricity.com
         * SPN found :HOST/INTSRV.integricity.com/integricity.com
         * SPN found :HOST/INTSRV.integricity.com
         * SPN found :HOST/INTSRV
         * SPN found :HOST/INTSRV.integricity.com/INTEGRICITY
         * SPN found :GC/INTSRV.integricity.com/integricity.com
         [INTSRV] No security related replication errors were found on this DC!

          To target the connection to a specific source DC use

         /ReplSource:<DC>.

         ......................... INTSRV passed test CheckSecurityError

      Starting test: CutoffServers

         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=integricity,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=integricity,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=integricity,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=integricity,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=integricity,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... INTSRV passed test CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.

         ......................... INTSRV passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         A warning event occurred.  EventID: 0x80001396

            Time Generated: 05/25/2015   03:00:59

            Event String:

            The DFS Replication service is stopping communication with partner TEC-SERV-001 for replication group Domain System Volume due to an error. The service will retry the connection periodically.

            

            Additional Information:

            Error: 9036 (Paused for backup or restore)

            Connection ID: A8B31CBD-C5AD-46C9-B0CD-7FDF960CBC7E

            Replication Group ID: 0FF19654-A1A0-495E-8324-F62AB20CD4FB

         A warning event occurred.  EventID: 0x80001396

            Time Generated: 05/25/2015   09:30:22

            Event String:

            The DFS Replication service is stopping communication with partner TEC-SERV-001 for replication group Domain System Volume due to an error. The service will retry the connection periodically.

            

            Additional Information:

            Error: 1723 (The RPC server is too busy to complete this operation.)

            Connection ID: A8B31CBD-C5AD-46C9-B0CD-7FDF960CBC7E

            Replication Group ID: 0FF19654-A1A0-495E-8324-F62AB20CD4FB

         An error event occurred.  EventID: 0xC000138A

            Time Generated: 05/25/2015   09:30:36

            Event String:

            The DFS Replication service encountered an error communicating with partner TEC-SERV-001 for replication group Domain System Volume.

            

            Partner DNS address: TEC-SERV-001.integricity.com

            

            Optional data if available:

            Partner WINS Address: TEC-SERV-001

            Partner IP Address: 192.168.48.20

            

            The service will retry the connection periodically.

            

            Additional Information:

            Error: 1753 (There are no more endpoints available from the endpoint mapper.)

            Connection ID: A8B31CBD-C5AD-46C9-B0CD-7FDF960CBC7E

            Replication Group ID: 0FF19654-A1A0-495E-8324-F62AB20CD4FB

         ......................... INTSRV failed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... INTSRV passed test SysVolCheck

      Starting test: FrsSysVol

         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... INTSRV passed test FrsSysVol

      Starting test: KccEvent

         * The KCC Event log test
         An event occurred.  EventID: 0x40000617

            Time Generated: 05/25/2015   14:17:41

            Event String:

            The local domain controller has been selected to be a global catalog. However, the domain controller does not host a read-only replica of the following directory partition.

            

            Directory partition:

            DC=technology,DC=integricity,DC=com

            

            A precondition to becoming a global catalog is that a domain controller must host a read-only replica of all directory partitions in the forest. This event might have occurred because a Knowledge Consistency Checker (KCC) task has not completed or because the domain controller is unable to add a replica of the directory partition due to unavailable source domain controllers.

            

            An attempt to add the replica will be tried again at the next KCC interval.

         An event occurred.  EventID: 0x4000062A

            Time Generated: 05/25/2015   14:17:41

            Event String:

            Promotion of the local domain controller to a global catalog has been delayed because the directory partition occupancy requirements have not been met. The occupancy requirement level and current domain controller level are as follows.

            

            Occupancy requirement level:

            6

            Domain controller level:

            0

            

            The following registry key value defines the directory partition occupancy requirement level.

            

            Registry key value:

            HKeyLocalMachine\System\ CurrentControlSet\Services\NTDS\Parameters\Global Catalog Partition Occupancy

            

            Higher occupancy requirement levels include the lower levels. The levels are defined as follows:

            

            (0) Indicates no occupancy requirement.

            (1) Indicates at least one read-only directory partition in the site has been added by the Knowledge Consistency Checker (KCC).

            (2) Indicates at least one directory partition in the site has been fully synchronized.

            (3) Indicates all read-only directory partitions in the site have been added by the KCC (at least one has been synchronized).

            (4) Indicates all directory partitions in the site have been fully synchronized.

            (5) Indicates all read-only directory partitions in the forest have been added by the KCC (at least one has been synchronized).

            (6) Indicates all directory partitions in the forest have been fully synchronized.

         An event occurred.  EventID: 0x40000456

            Time Generated: 05/25/2015   14:17:41

            Event String:

            Promotion of this domain controller to a global catalog will be delayed for the following interval.

            

            Interval (minutes):

            30

            

            This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.

         An error event occurred.  EventID: 0xC0000466

            Time Generated: 05/25/2015   14:18:30

            Event String:

            Active Directory Domain Services was unable to establish a connection with the global catalog.

            

            Additional Data

            Error value:

            1355 The specified domain either does not exist or could not be contacted.

            Internal ID:

            32013c0

            

            User Action:

            Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

         ......................... INTSRV failed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=INTSRV,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=integricity,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=INTSRV,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=integricity,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=INTSRV,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=integricity,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=INTSRV,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=integricity,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=INTSRV,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=integricity,DC=com
         ......................... INTSRV passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC INTSRV on DC INTSRV.
         * SPN found :LDAP/INTSRV.integricity.com/integricity.com
         * SPN found :LDAP/INTSRV.integricity.com
         * SPN found :LDAP/INTSRV
         * SPN found :LDAP/INTSRV.integricity.com/INTEGRICITY
         * SPN found :LDAP/5c4b560f-8cca-4edd-adc2-64584b032eab._msdcs.integricity.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5c4b560f-8cca-4edd-adc2-64584b032eab/integricity.com
         * SPN found :HOST/INTSRV.integricity.com/integricity.com
         * SPN found :HOST/INTSRV.integricity.com
         * SPN found :HOST/INTSRV
         * SPN found :HOST/INTSRV.integricity.com/INTEGRICITY
         * SPN found :GC/INTSRV.integricity.com/integricity.com
         ......................... INTSRV passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC INTSRV.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=integricity,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=DomainDnsZones,DC=integricity,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=integricity,DC=com
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=integricity,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=integricity,DC=com
            (Domain,Version 3)
         ......................... INTSRV passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\INTSRV\netlogon
         Verified share \\INTSRV\sysvol
         ......................... INTSRV passed test NetLogons

      Starting test: ObjectsReplicated

         INTSRV is in domain DC=integricity,DC=com
         Checking for CN=INTSRV,OU=Domain Controllers,DC=integricity,DC=com in domain DC=integricity,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=INTSRV,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=integricity,DC=com in domain CN=Configuration,DC=integricity,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... INTSRV passed test ObjectsReplicated

      Starting test: OutboundSecureChannels

         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test because /testdomain: was

         not entered

         ......................... INTSRV passed test OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=integricity,DC=com
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=DomainDnsZones,DC=integricity,DC=com
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Schema,CN=Configuration,DC=integricity,DC=com
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=integricity,DC=com
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=integricity,DC=com
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
         ......................... INTSRV passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 2600 to 1073741823
         * INTSRV.integricity.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 2100 to 2599
         * rIDPreviousAllocationPool is 2100 to 2599
         * rIDNextRID: 2100
         ......................... INTSRV passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... INTSRV passed test Services

      Starting test: SystemLog

         * The System Event log test
         An error event occurred.  EventID: 0x0000272C

            Time Generated: 05/25/2015   14:13:23

            Event String:

            DCOM was unable to communicate with the computer 203.115.225.25 using any of the configured protocols; requested by PID     13ac (C:\Windows\system32\dcdiag.exe).

         An error event occurred.  EventID: 0x0000272C

            Time Generated: 05/25/2015   14:13:44

            Event String:

            DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols; requested by PID     13ac (C:\Windows\system32\dcdiag.exe).

         An error event occurred.  EventID: 0x0000272C

            Time Generated: 05/25/2015   14:14:05

            Event String:

            DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID     13ac (C:\Windows\system32\dcdiag.exe).

         An error event occurred.  EventID: 0x0000272C

            Time Generated: 05/25/2015   14:15:47

            Event String:

            DCOM was unable to communicate with the computer 203.115.225.25 using any of the configured protocols; requested by PID     10cc (C:\Windows\system32\dcdiag.exe).

         An error event occurred.  EventID: 0x0000272C

            Time Generated: 05/25/2015   14:16:08

            Event String:

            DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols; requested by PID     10cc (C:\Windows\system32\dcdiag.exe).

         An error event occurred.  EventID: 0x0000272C

            Time Generated: 05/25/2015   14:16:29

            Event String:

            DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID     10cc (C:\Windows\system32\dcdiag.exe).

         An error event occurred.  EventID: 0x0000272C

            Time Generated: 05/25/2015   14:17:18

            Event String:

            DCOM was unable to communicate with the computer 203.115.225.25 using any of the configured protocols; requested by PID     10dc (C:\Windows\system32\dcdiag.exe).

         An error event occurred.  EventID: 0x0000272C

            Time Generated: 05/25/2015   14:17:39

            Event String:

            DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols; requested by PID     10dc (C:\Windows\system32\dcdiag.exe).

         An error event occurred.  EventID: 0x0000272C

            Time Generated: 05/25/2015   14:18:00

            Event String:

            DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID     10dc (C:\Windows\system32\dcdiag.exe).

         ......................... INTSRV failed test SystemLog

      Starting test: Topology

         * Configuration Topology Integrity Check
         * Analyzing the connection topology for DC=ForestDnsZones,DC=integricity,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=DomainDnsZones,DC=integricity,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=integricity,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=integricity,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=integricity,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... INTSRV passed test Topology

      Starting test: VerifyEnterpriseReferences

         ......................... INTSRV passed test

         VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=INTSRV,OU=Domain Controllers,DC=integricity,DC=com and backlink on

         CN=INTSRV,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=integricity,DC=com

         are correct.
         The system object reference (serverReferenceBL)

         CN=INTSRV,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=integricity,DC=com

         and backlink on

         CN=NTDS Settings,CN=INTSRV,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=integricity,DC=com

         are correct.
         The system object reference (msDFSR-ComputerReferenceBL)

         CN=INTSRV,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=integricity,DC=com

         and backlink on CN=INTSRV,OU=Domain Controllers,DC=integricity,DC=com

         are correct.
         ......................... INTSRV passed test VerifyReferences

      Starting test: VerifyReplicas

         ......................... INTSRV passed test VerifyReplicas

  
      Starting test: DNS

        

         DNS Tests are running and not hung. Please wait a few minutes...

         See DNS test in enterprise tests section for results
         ......................... INTSRV passed test DNS

  
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

  
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

  
   Running partition tests on : integricity

      Starting test: CheckSDRefDom

         ......................... integricity passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... integricity passed test CrossRefValidation

  
   Running enterprise tests on : integricity.com

      Starting test: DNS

         Test results for domain controllers:

           
            DC: INTSRV.integricity.com

            Domain: integricity.com

           

                 
               TEST: Authentication (Auth)
                  Authentication test: Successfully completed
                 
               TEST: Basic (Basc)
                  The OS

                  Microsoft Windows Server 2012 R2 Standard (Service Pack level: 0.0)

                  is supported.

                  NETLOGON service is running

                  kdc service is running

                  DNSCACHE service is running

                  DNS service is running

                  DC is a DNS server

                  Error: can't read network adapter information through WMI
                  [Error details: 0x80041001 (Type: HRESULT - Facility: WMI, Description: Generic failure) - Enumerate Win32_NetworkAdapterConfiguration class failed]
                  Warning: The A record for this DC was not found
                  Warning: The AAAA record for this DC was not found
                  No host records (A or AAAA) were found for this DC

                  The SOA record for the Active Directory zone was not found
                  The Active Directory zone on this DC/DNS server was found primary
                  Root zone on this DC/DNS server was not found
                 
               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     203.115.225.25 (<name unavailable>) [Valid]
                     8.8.4.4 (<name unavailable>) [Valid]
                     8.8.8.8 (<name unavailable>) [Valid]
                 
               TEST: Delegations (Del)
                  Delegation information for the zone: integricity.com.
                     Delegated domain name: _msdcs.integricity.com.
                        DNS server: intsrv.integricity.com. IP:192.168.48.25 [Valid]
                     Delegated domain name:www.integricity.com.
                        Warning: Delegation of DNS server intsrv.integricity.com. is broken on IP:192.168.48.25
                        Error: DNS server: intsrv.integricity.com.

                        IP:192.168.48.25 [Broken delegation]

                 
               TEST: Dynamic update (Dyn)
                  Test record dcdiag-test-record added successfully in zone integricity.com
                  Test record dcdiag-test-record deleted successfully in zone integricity.com
              
            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network

               adapters

        
         Summary of test results for DNS servers used by the above domain

         controllers:

        

            DNS server: 192.168.48.25 (intsrv.integricity.com.)

               1 test failure on this DNS server

               DNS delegation for the domain  _msdcs.integricity.com. is operational on IP 192.168.48.25

               DNS delegation for the domainwww.integricity.com. is broken on IP 192.168.48.25

               [Error details: 9002 (Type: Win32 - Description: DNS server failure.)]
              
            DNS server: 203.115.225.25 (<name unavailable>)

               All tests passed on this DNS server

              
            DNS server: 8.8.4.4 (<name unavailable>)

               All tests passed on this DNS server

              
            DNS server: 8.8.8.8 (<name unavailable>)

               All tests passed on this DNS server

              
         Summary of DNS test results:

        
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: integricity.com

               INTSRV                       PASS FAIL PASS FAIL PASS FAIL n/a 
        
         ......................... integricity.com failed test DNS

      Starting test: LocatorCheck

         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355

         A Global Catalog Server could not be located - All GC's are down.

         PDC Name: \\INTSRV.integricity.com
         Locator Flags: 0xe000f3f9
         Time Server Name: \\INTSRV.integricity.com
         Locator Flags: 0xe000f3f9
         Preferred Time Server Name: \\INTSRV.integricity.com
         Locator Flags: 0xe000f3f9
         KDC Name: \\INTSRV.integricity.com
         Locator Flags: 0xe000f3f9
         ......................... integricity.com failed test LocatorCheck

      Starting test: FsmoCheck

         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355

         A Global Catalog Server could not be located - All GC's are down.

         PDC Name: \\INTSRV.integricity.com
         Locator Flags: 0xe000f3f9
         Time Server Name: \\INTSRV.integricity.com
         Locator Flags: 0xe000f3f9
         Preferred Time Server Name: \\INTSRV.integricity.com
         Locator Flags: 0xe000f3f9
         KDC Name: \\INTSRV.integricity.com
         Locator Flags: 0xe000f3f9
         ......................... integricity.com failed test FsmoCheck

      Starting test: Intersite

         Skipping site HQ, this site is outside the scope provided by the

         command line arguments provided.
         ......................... integricity.com passed test Intersite
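An added example (not code from the post above) that condenses a saved dcdiag log of the format shown above into the failed tests and the event IDs reported under each, which is the first triage step on a log this long. $LogPath is a placeholder, and the here-string is a constructed excerpt in the same format as the log.

```powershell
# Added example, not code from the original post: condense a saved dcdiag log into the
# failed tests and the event IDs reported under each. $LogPath is a placeholder; the
# here-string below is a constructed excerpt in the same format as the log above.
$LogPath = 'C:\temp\dcdiag.txt'   # placeholder

$sample = @'
      Starting test: Advertising
         Warning: INTSRV has not finished promoting to be a GC.
         ......................... INTSRV failed test Advertising
      Starting test: DFSREvent
         A warning event occurred.  EventID: 0x80001396
         An error event occurred.  EventID: 0xC000138A
         ......................... INTSRV failed test DFSREvent
      Starting test: KccEvent
         An error event occurred.  EventID: 0xC0000466
         ......................... INTSRV failed test KccEvent
      Starting test: NetLogons
         ......................... INTSRV passed test NetLogons
'@

function Get-DcdiagSummary {
    param([string[]]$Lines)
    $current = $null
    $results = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*Starting test:\s*(\S+)') {
            $current = [pscustomobject]@{ Test = $Matches[1]; Result = 'unknown'; EventIds = @(); Warnings = @() }
            $results += $current
            continue
        }
        if (-not $current) { continue }
        if ($line -match 'EventID:\s*(0x[0-9A-Fa-f]+)') {
            # dcdiag prints the full NTSTATUS-style ID; the low 16 bits are the
            # number Event Viewer shows (0xC000138A -> 5002, 0x80001396 -> 5014).
            $full = [Convert]::ToUInt32($Matches[1], 16)
            $current.EventIds += ('{0} (event {1})' -f $Matches[1], ($full -band 0xFFFF))
        }
        elseif ($line -match '\.{5,}\s*\S+\s+(passed|failed)\s+test') {
            $current.Result = $Matches[1]
        }
        elseif ($line -match '^\s*Warning:\s*(.+)$') {
            $current.Warnings += $Matches[1]
        }
    }
    $results
}

# Run against the constructed excerpt; swap in (Get-Content $LogPath) for a real log.
Get-DcdiagSummary -Lines ($sample -split "`r?`n") |
    Where-Object { $_.Result -eq 'failed' } |
    Format-List Test, EventIds, Warnings
```

On the log above this lists Advertising, DFSREvent, KccEvent and SystemLog as failed, with the DFSR and KCC event numbers to look up in the Event Viewer on INTSRV.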

Create a new domain tree root instead of a new child domain

Could you tell me how to create a new domain tree root instead of a new child domain, step by step with chapter screen?

AD Site and Services

$
0
0

Hi,

I have 2 sites in a single domain:

Site A and Site B.

There are DC1 and DC2 in Site A, and DC3 and DC4 in Site B.

When I join a client in Site A, I first see it on a DC in Site B,

and sometimes a client in Site A authenticates with a DC in Site B.

I can't understand why this happens.
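The DC locator picks a site by matching the client's IP address against the subnet objects in Active Directory Sites and Services, so the first thing to check for a Site A client that lands on a Site B DC is which subnet, if any, covers it. The following is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module and a reachable DC, and the client IP is a constructed sample.

```powershell
# Added example: map a client's IPv4 address to the AD site its subnet object
# points at, the way NETLOGON does, and list the DCs that serve that site.
# Assumes the RSAT ActiveDirectory module; nothing is changed in AD.
Import-Module ActiveDirectory

function ConvertTo-IPv4Int {
    # Walk the bytes big-endian so the result does not depend on host endianness.
    param([string]$Address)
    $value = [long]0
    foreach ($octet in ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()) {
        $value = ($value * 256) + $octet
    }
    return $value
}

function Test-IPv4InSubnet {
    param([string]$Address, [string]$Cidr)          # e.g. 10.20.0.0/16
    $network, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    # 2^32 - 2^(32-prefix) is the mask as an unsigned value, e.g. /16 -> 0xFFFF0000.
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
    return ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)
}

function Resolve-ADSiteForIP {
    param([Parameter(Mandatory)][string]$ClientIP)
    # Only IPv4 subnet objects are handled here; IPv6 subnets are skipped.
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
        Where-Object { $_.Name -notmatch ':' }
    # Longest prefix wins when subnets overlap, matching how the locator picks a site.
    $match = $subnets |
        Where-Object { Test-IPv4InSubnet -Address $ClientIP -Cidr $_.Name } |
        Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
        Select-Object -First 1
    if (-not $match) {
        # No subnet covers this client: NETLOGON logs event 5778 on the DC and the
        # client may use any DC in the domain, including one in another site.
        return [pscustomobject]@{ ClientIP = $ClientIP; Subnet = $null; Site = 'NO SUBNET DEFINED' }
    }
    # Site is stored as the DN of the site object; keep just its CN.
    $siteName = if ($match.Site) { ($match.Site -split ',')[0] -replace '^CN=', '' } else { '(unassigned)' }
    [pscustomobject]@{ ClientIP = $ClientIP; Subnet = $match.Name; Site = $siteName }
}

# Constructed sample: a client the administrator believes is in Site A.
$result = Resolve-ADSiteForIP -ClientIP '192.168.10.57'
$result

# DCs that serve the resolved site, for comparison with where the client actually
# authenticated (nltest /dsgetsite and nltest /dsgetdc:<domain> on the client show its view).
if ($result.Subnet) {
    Get-ADDomainController -Filter "Site -eq '$($result.Site)'" | Select-Object Name, Site, IPv4Address
}
```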

Compatibility issue of Windows 8 and Windows Server 2008 network shared folders


Hello Microsoft team

I have been experiencing difficulties accessing network shared drives on many Windows 8 PCs, where these shared drives are assigned to each PC user from the Windows Server 2008 server managing Active Directory.

The real scenario is this:

In AD there are shared folders for each department (Finance, IT, etc.). I add each domain user as a member of a specific department so that when he/she is logged on to a PC the folders can be accessed. But the issue is that for those with Windows 7 installed, the folders are seen automatically and can be accessed, but for Windows 8 users it's not working. Could you kindly help me fix that?

IP address of each user login


I had some strange trouble with the server restarting by itself. Upon further review, a user account was doing the reboot. The problem is that more than one person has this login information. I have changed the password so no one has it now, and the reboots have stopped.

My question is how can I get the IP address of the person logging in, regardless of the user account? Keep in mind I'm talking about past logins (i.e. 2 days ago). Any ideas?
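One way to answer this from the server's own event logs, as an added example that is not part of the original post: it correlates System event 1074 (a user-initiated restart, which records the account) with Security event 4624 (logon, which records the source IP). It assumes it is run elevated on the rebooted server, that logon auditing is enabled, and that the Security log's retention still covers the period of interest.

```powershell
# Added example, not from the forum thread. Finds the source IP of the session whose
# account rebooted this server. Assumes: run elevated on the server, logon auditing on,
# and the Security log retention long enough to still hold events from the days in question.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

function Get-EventField($Record, [string]$Name) {
    # 4624 EventData fields carry Name attributes, so pull them from the event XML by name.
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Logons that carry a real source address (interactive=2, network=3, RDP=10, ...).
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = '{0}\{1}' -f (Get-EventField $_ 'TargetDomainName'), (Get-EventField $_ 'TargetUserName')
            LogonType = [int](Get-EventField $_ 'LogonType')
            IpAddress = Get-EventField $_ 'IpAddress'
            Station   = Get-EventField $_ 'WorkstationName'
        }
    } | Where-Object { $_.IpAddress -and $_.IpAddress -notin @('-', '::1', '127.0.0.1') }

# 1074 (User32) EventData is positional: 0 = process, 1 = computer, 2 = reason,
# 4 = action (restart/power off), 6 = user who requested it.
$restarts = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $_.Properties[0].Value
            Action  = $_.Properties[4].Value
            User    = $_.Properties[6].Value
        }
    }

# For every restart, show the most recent logon of that account within the prior 12 hours;
# its IpAddress/WorkstationName identify where the reboot was issued from, whoever shares the account.
foreach ($r in $restarts) {
    $session = $logons |
        Where-Object { $_.User -eq $r.User -and $_.Time -le $r.Time -and $_.Time -gt $r.Time.AddHours(-12) } |
        Sort-Object Time -Descending | Select-Object -First 1
    [pscustomobject]@{
        RestartTime = $r.Time
        Action      = $r.Action
        ByUser      = $r.User
        Process     = $r.Process
        LogonTime   = $session.Time
        LogonType   = $session.LogonType
        SourceIp    = $session.IpAddress
        Workstation = $session.Station
    }
}
```

A logon type of 3 with a remote IP and a process such as wininit.exe or shutdown.exe in the 1074 record points at a remote `shutdown /r /m` rather than a console session.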

RODC utilization


Team,

How do I check the performance of an RODC on a server through Performance Monitor? What are all the parameters and counters that need to be selected?


How to locate Read Only Domain Controllers in the Forest?


Hi Microsoft community,

Is there a PowerShell one-liner or an MMC snapin I can use to easily locate which DCs in my Forest are read only DCs?

I didn't install this Active Directory, I inherited it. :)

Thank you!

AD Users and Computers: The domain xxx could not be found because: A local error has occurred.


Hi, I'm not a network guy (hopefully this is the right forum?), but I've created a new server, installed AD Users and Computers, and I'm trying to reach one of our domains. I'm logged in to the box with an admin account that I'm logged in with on other servers which are able to reach the domain through AD Users and Groups.

Change domain and typing in the Domain name gives me the error in the Title. I am, however, able to ping it from the server. I took the IP and tried it in Change Domain, but got "Windows cannot connect to the new domain because: The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

Where do I go from here? How would I troubleshoot?

Thanks,

Scott

ADAM 2003 to LDS 2012 Replication - Internal error


I'm replicating (seemingly successfully) between ADAM 2003 SP1 (Windows Server 2003) and LDS 2012 (Windows Server 2012 R2), but LDS 2012 seems to be a little upset on start-up, logging the following message to the event log:

Internal error: An Active Directory Lightweight Directory Services error has occurred.

Additional Data
Error value (decimal):
-1073741790
Error value (hex):
c0000022
Internal ID:
30007ef
Has anyone encountered this error before?  What does it mean?  And importantly, can it safely be ignored?

Certificate Authority migration from active directory 2003 to active directory 2012


hi,

One of my customers is running Windows Server 2003 R2 domain controllers with a certificate authority on one of them. They wanted to migrate Active Directory from 2003 to 2012 R2. The old servers will be decommissioned after adding 2012 R2 domain controllers to the environment. My question is how to migrate the certificate authority from the 2003 R2 domain controller to the new 2012 domain controller?

ADSI Edit - Giving specified access to a field


Hi,

We have a system where I work which allows you to use the canteen with your swipe card; any purchases are then deducted from your pay packet. As part of this you can also view your spending on our intranet. To make this work per user we have to populate a field in ADSI Edit called employee number, and this is where we enter the user's payroll number.

When we get new starters they don't always get their payroll number straight away and this means changing it from a temporary one and it can be a little messy.

We need to know if you can assign specific functions of ADSI Edit, just so we can give a user in Payroll the access to populate the employee number, which would save us time and also give them full control.

Thanks for your help,

Ryan

Group Managed Service Accounts: -PrincipalsAllowedToRetrieveManagedPassword


Hi

So the documentation (https://technet.microsoft.com/en-us/library/jj128431.aspx) for creating gMSAs says that the parameter "-PrincipalsAllowedToRetrieveManagedPassword" should restrict the ability of using the gMSA to the machines that are part of the security groups given in the parameter. E.g.

New-ADServiceAccount -name dev-service -DNSHostName dev-service -PrincipalsAllowedToRetrieveManagedPassword gMSA-dev-service-allowed-hosts

should, as I understand it, allow only the machines that are part of the security group "gMSA-dev-service-allowed-hosts" to access the password of the account dev-service, thereby limiting the machines that can use the account.

My problem is that I cannot get it to work that way. Even on a machine that is not a member of "gMSA-dev-service-allowed-hosts", the account can be used without problem.

Did I misunderstand the meaning of -PrincipalsAllowedToRetrieveManagedPassword ?

Thanks

Best,

Deniz
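A way to check what the directory actually grants versus what a given host can do, as an added example that is not part of the original post (the account and group names are the ones from the question; it assumes the RSAT ActiveDirectory module is present on the host it is run on):

```powershell
# Added example, not from the forum thread. Run on a candidate host to compare the
# PrincipalsAllowedToRetrieveManagedPassword setting with what this host can really retrieve.
Import-Module ActiveDirectory
$gmsaName   = 'dev-service'                        # from the question
$allowedGrp = 'gMSA-dev-service-allowed-hosts'     # from the question

# 1. What the gMSA object says: every principal allowed to retrieve the password.
$gmsa = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
Write-Host "Principals allowed to retrieve the password of $gmsaName :"
$allowed | ForEach-Object { Write-Host "  $_" }

# A broad principal (e.g. Domain Computers) in that list makes the dedicated group meaningless.
$broad = $allowed | Where-Object { $_ -like 'CN=Domain Computers,*' }
if ($broad) { Write-Warning "Broad principal present: $broad" }

# 2. Is this computer a (nested) member of the allowed group?
$me       = Get-ADComputer -Identity $env:COMPUTERNAME
$members  = Get-ADGroupMember -Identity $allowedGrp -Recursive | Select-Object -ExpandProperty DistinguishedName
$isMember = $members -contains $me.DistinguishedName
Write-Host "$($me.Name) is a member of $allowedGrp : $isMember"

# 3. What the DC enforces right now. Retrieval is authorised against the computer's own
#    logon token, which only picks up group membership changes when the computer logs on
#    again (reboot, or purging the SYSTEM logon session's tickets). A host removed from the
#    group therefore keeps working until then.
$canRetrieve = Test-ADServiceAccount -Identity $gmsaName
Write-Host "Test-ADServiceAccount for $gmsaName on $($me.Name): $canRetrieve"

if ($canRetrieve -and -not $isMember) {
    Write-Warning 'This host can retrieve the password although it is not in the allowed group: check the other principals listed above, or whether the host has logged on since it was removed from the group.'
}
```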

Can't upgrade domain functional level


Hi folks. I have a domain with 3 DCs in it, all Server 2012. We previously had some 2008 R2 DCs, but they have been decommissioned. I'd like to upgrade the domain functional level; however, I am having some issues with it. Here is the status.

Current forest functional level: 2008 R2

Current domain functional level: (shows as blank)

When I choose 'raise domain functional level', I get a message that says 'you cannot raise the domain functional level because this domain includes active directory domain controllers that are not running the appropriate version of windows'. If I save the CSV to tell me which ones, it shows me two of my 2012 DCs, as follows:

mydomain.com, DC1.mydomain.com, Windows Server 2012 Datacenter 6.2 (9200)
mydomain.com, DC2.mydomain.com, Windows Server 2012 Datacenter 6.2 (9200)

The 3rd DC, not shown, is Server 2012 R2 Datacenter. Do I just need to upgrade these two DCs above and then I'll be able to upgrade the domain functional level? Or is there likely some other issue here? Thanks.



Last DC in child domain died


Hi,

I have an AD forest with numerous child domains. Unfortunately the only DC in one of the child domains just died (hardware, not coming back).

Is there any way of adding a new DC to this child domain (when I try, it fails because it's looking for the dead DC)? Would one of the root DCs hold enough child domain info?

Or is the only way back to create a new DC and a new child domain and migrate all the member servers here, much pain!!

Thank you.

RESPONSE REQUEST: Windows Server Gurus Please Connect with Internet of Thinkers (aka TNWiki)


May the Thoughts be with you!

Well, a small nod there to Star Wars day, and we turn our thoughts to the more serious matter of ingesting the more valuable brain telemetry from and to our very own Internet of Thinkers!

Connect to the real network, the world wide workers!

Cut through the chatter and produce some pertinent protocols!

All over the world, highly intelligent autonomous entities are uploading neural nuggets of gold, words of wisdom and inspirational instructionals!

So step forward... beacons of brain power, and download your technical torrent of tips to the Head Hub - TechNet Wiki!


All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Cannot search for user and groups in a trusted forest. Server asks for password of trusted domain


I am currently familiarizing myself with trusts. On each of two Server 2012 R2 servers I installed a domain controller in a new forest.

  • dc1.forest01.local, 192.168.10.10/16
  • dc2.forest02.local, 192.168.20.10/16

I set up a trust. Forest01 is the trusting domain and forest02 is the trusted domain.

Forest02 has a global group object GlobalGroup02.

I wanted to assign GlobalGroup02 read permissions on a share on dc1.forest01.local.
When I try to do that, I get asked for credentials for the trusted domain forest02. When I enter the password, the group is found and added. But as far as I understand, I should not be getting asked for a password? I did some troubleshooting (see the picture below), but everything looks fine to me. Why do I get the credentials prompt, and what must I do to be able to search for users and groups in the trusted domain?


I tested the trusts on both domain controllers using the Active Directory Trusts Snap-In. On both DCs they are active.

I executed nltest /trusted_domains and don't see any problems:

C:\>nltest /trusted_domains
0: FOREST02 forest02.local (NT 5) (Direct Outbound) ( Attr: 0x18 )
1: FOREST01 forest01.local (NT 5) (Forest Tree Root) (Primary Domain) (Native)

User Account Control throws null value exception


Hi Team,

Greetings!

I have a very weird problem, but I'm not sure if it's a C# code issue or an Active Directory replication issue. We have a C# SSIS code/script to fetch AD user properties and update a SQL database. Recently it's been throwing null value exceptions for UserAccountControl.

I changed the C# code to query a specific domain controller and the value was returned as expected - this is fine as a workaround.

So I queried all DCs using PowerShell to find a replication issue, and it returned the value (512).

I checked msDS-User-Account-Control-Computed it has Integer 0.

Indeed it has some issues in AD, but as per the logic it's not null; some value needs to be returned.

Note: The issue lies in a trusted domain account, and all DCs are 2003 servers; the forest mode is 2003 as well. The code runs from a 2008 R2 server.

On which condition UAC returns null value?


Regards Chen V [MCTS SharePoint 2010]

Joining computer with pre-staged account fails (insufficient access rights)


Hi,

Due to corporate policy, most of our support staff should not have write access to Active Directory. They can use AD Manager Plus to create computer accounts, and then they should be able to join these.

This fails in most cases with "Access Denied", and I was unable to figure out the reason. According to various sources, to be able to join computers, users must have these permissions on computer objects:

  • Reset Password
  • Read and write Account Restrictions
  • Validated write to DNS host name
  • Validated write to service principal name

Some articles also mention these additional permissions:

  • Read account restrictions
  • Write account restrictions

We granted all of these (at domain level, applied to "Descendant Computer objects"); I verified that the users in question have these permissions on the computer objects in question. Still, the domain join fails with "Access Denied".

This is the relevant part of netsetup.log:

 NetpGetComputerObjectDn: Cracking DNS domain name uponor.local/ into Netbios on \\DCNAME.domainname.dns
 NetpGetComputerObjectDn: Crack results: 	name = DOMAINNAME\
 NetpGetComputerObjectDn: Cracking account name DOMAINNAME\COMPUTERNAME$ on \\DCNAME.domainname.dns
 NetpGetComputerObjectDn: Crack results: 	(Account already exists) DN = CN=COMPUTERNAME,OU=Desktops...
 NetpModifyComputerObjectInDs: Initial attribute values:
 		objectClass  =  Computer
 		SamAccountName  =  COMPUTERNAME$
 		userAccountControl  =  0x1000
 		DnsHostName  =  COMPUTERNAME.domainname.dns
 		ServicePrincipalName  =  HOST/COMPUTERNAME.domainname.dns  RestrictedKrbHost/COMPUTERNAME.domainname.dns  HOST/COMPUTERNAME  RestrictedKrbHost/COMPUTERNAME
 		unicodePwd  =  <SomePassword>
 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
 		objectClass  =  top  person  organizationalPerson  user  computer
 		SamAccountName  =  COMPUTERNAME$
 		userAccountControl  =  0x1020
 		DnsHostName  =
 		ServicePrincipalName  =
 		unicodePwd  =  Account exists, resetting password: <SomePassword>
 NetpModifyComputerObjectInDs: Attribute values to set:
 		DnsHostName  =  COMPUTERNAME.domainname.dns
 		ServicePrincipalName  =  HOST/COMPUTERNAME.domainname.dns  RestrictedKrbHost/COMPUTERNAME.domainname.dns  HOST/COMPUTERNAME  RestrictedKrbHost/COMPUTERNAME
 		unicodePwd  =  <SomePassword>
 NetpMapGetLdapExtendedError: Parsed [0x2098] from server extended error string: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 NetpModifyComputerObjectInDs: ldap_modify_s failed: 0x32 0x5
 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5
 NetpProvisionComputerAccount: LDAP creation failed: 0x5

I also traced LDAP queries on the domain controller, and the last entry (that seems to be the failing one) is this:

DsDBIndexChosen,       Info,            0,          4,          0,          0,          0,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131083286,      89250,    1161105, "DS", 4, 2, 2399404096, 41986816, "idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;", "NTDS",  0x1A000000
 DsDirSearch,        End,            0,          4,          0,          0,          2,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131083607,      89250,    1161105, "DS", 4, 6, 1157955648, 41986816, "0", " ( |  (servicePrincipalName=RestrictedKrbHost/COMPUTERNAME)  (servicePrincipalName=HOST/COMPUTERNAME)  (servicePrincipalName=RestrictedKrbHost/COMPUTERNAME.
.local)  (servicePrincipalName=HOST/COMPUTERNAME.domain.dns) ) ", "idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;idx_servicePrincipalName:0:N;", "0", "0", "NTDS", "", "",  0xD8C07BBFFB7F0000
    DsDirMod,      Start,            0,          4,          0,          0,          1,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131083775,      89250,    1161105, "DS", 4, 2, 1241841728, 41986816, "10.208.5.203:60584", "CN=COMPUTERNAME,OU=Desktops...", "",  0x0300
    DsDirMod,      Start,            0,          4,          0,          0,          1,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131083793,      89250,    1161105, "DS", 4, 2, 1241841728, 41986816, "10.208.5.203:60584", "CN=COMPUTERNAME,OU=Desktops...", "",  0x2011
    DsDirMod,        End,            0,          4,          0,          0,          2,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131083812,      89250,    1161105, "DS", 4, 2, 1258618944, 41986816, "0", "NTDS",  0x7CD07800
 LdapRequest,        End,            0,          4,          0,          0,          2,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131085222,      89250,    1161105, "DS", 4, 6, 4110745664, 41986816, "3", "50", "NonDSE", "Insufficient Rights", "8", "NTDS",  0xF2F27800000064EBF2F27800
 LdapRequest,      Start,            0,          4,          0,          0,          1,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131089523,      89250,    1161105, "DS", 4, 3, 4093968448,        0, "10.208.5.203:60584", "Sign/Seal", "TCP", "",  0x64EBF2F2
 LdapRequest,        End,            0,          4,          0,          0,          2,          0, 0x0000000000000000, 0x00000230, 0x00001238,                    3,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   130770995131089714,      89250,    1161105, "DS", 4, 6, 4110745664, 41986816, "4", "0", "NonDSE", "Success", "3", "NTDS",  0x90A14FC0FB7F0000E0EBF2F2

It seems like an issue with the servicePrincipalName to me, but I'm running out of ideas what to check.

I also added the permissions "Create computer objects" and "Delete computer objects" for the OU where the computer objects reside, but that also did not help.

The users in question do NOT have the user right "Add computers to the domain" in AD. Should they? (From what I read, it should work without if object permissions are correct ...)

Does anyone have an idea what could be the issue?
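A way to audit what the pre-staged object's ACL actually grants the delegated group, right by right, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module; the DN and the group name are placeholders, and the GUIDs are the well-known schema/rights GUIDs for the four rights listed in the question.

```powershell
# Added example, not from the forum thread. Checks one pre-staged computer object for the
# rights a join needs, for one delegated principal, and reports whether each is present,
# whether it arrived by inheritance, and whether inheritance is blocked on the object.
Import-Module ActiveDirectory
$computerDn = 'CN=COMPUTERNAME,OU=Desktops,DC=domainname,DC=dns'   # placeholder DN
$principal  = 'DOMAINNAME\Support-Staff'                          # placeholder delegated group

# Well-known rightsGuid / schemaIDGUID values of the rights from the question.
$required = @(
    @{ Name = 'Reset Password (extended right)';           Guid = '00299570-246d-11d0-a768-00aa006e0529'; Rights = 'ExtendedRight' },
    @{ Name = 'Read/Write Account Restrictions (prop set)'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529'; Rights = 'ReadProperty, WriteProperty' },
    @{ Name = 'Validated write to DNS host name';          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd'; Rights = 'Self' },
    @{ Name = 'Validated write to service principal name'; Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1'; Rights = 'Self' }
)

$acl = Get-Acl -Path "AD:\$computerDn"
# Inheritance blocked on the object (or an OU above it) silently drops domain-level ACEs.
Write-Host "Inheritance blocked on $computerDn : $($acl.AreAccessRulesProtected)"

# Allow ACEs for the principal itself; nested group membership is not resolved here.
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $principal
}

foreach ($req in $required) {
    $wanted = [System.DirectoryServices.ActiveDirectoryRights]$req.Rights
    # An ACE matches if it names this GUID (or applies to all objects/rights) and carries the bits.
    $hit = $aces | Where-Object {
        ($_.ObjectType -eq [guid]$req.Guid -or $_.ObjectType -eq [guid]::Empty) -and
        (($_.ActiveDirectoryRights -band $wanted) -eq $wanted)
    }
    $status = if ($hit) { 'OK' } else { 'MISSING' }
    $via = if ($hit) { ($hit | ForEach-Object { if ($_.IsInherited) { 'inherited' } else { 'explicit' } } | Select-Object -Unique) -join ',' } else { '' }
    Write-Host ("{0,-8} {1,-48} {2}" -f $status, $req.Name, $via)
}

# Note: validated writes also check the value being written. The DC only accepts a
# dNSHostName of <computer name>.<domain DNS name> and SPNs built from that name or the
# computer name, so the attribute values netsetup.log shows are worth comparing with those.
```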
