Channel: Directory Services forum

Global Catalog error

Hi! Excuse me sir, could you help me solve a problem that happens when I create a new domain tree root instead of a new child domain? I get this problem:

Additional Data 
Error value:
1355 The specified domain either does not exist or could not be contacted. 
Internal ID:
3200e25 

User Action: 
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

1. What should I do to solve the problem?

2. Must we install the Global Catalog on all domain controllers?
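Added example, not part of the original post: the "User Action" in the error says to confirm that a global catalog exists and is reachable, which is what the DC locator does during promotion (a new DC does not have to be a GC itself, but the forest must have at least one that it can reach). The script below runs the same locator query as nltest /dsgetdc:<forest> /gc, then probes every advertised GC on the GC LDAP port, TCP 3268, and checks that the _gc._tcp SRV record points at it. It assumes the RSAT ActiveDirectory and DnsClient modules on a domain-joined machine running Windows 8 / Server 2012 or later (for Test-NetConnection).

```powershell
# Added example (not from the original post): locate the forest's global
# catalogs and verify each is reachable on TCP 3268 and published in DNS.
Import-Module ActiveDirectory

function Test-GlobalCatalogAvailability {
    param(
        [string]$Forest = (Get-ADForest).Name
    )
    # Same lookup the DC performs; equivalent to: nltest /dsgetdc:$Forest /gc /force
    $locator = Get-ADDomainController -Discover -Service GlobalCatalog -ForceDiscover `
                                      -DomainName $Forest -ErrorAction SilentlyContinue
    if (-not $locator) {
        Write-Warning "The DC locator found no global catalog for $Forest (this is what error 1355 means)."
    } else {
        Write-Host "Locator returned GC: $($locator.HostName)"
    }

    # Every GC the forest advertises, probed on the GC LDAP port and checked in DNS
    $srv = Resolve-DnsName -Name "_gc._tcp.$Forest" -Type SRV -ErrorAction SilentlyContinue
    foreach ($gc in (Get-ADForest -Identity $Forest).GlobalCatalogs) {
        $tcp = Test-NetConnection -ComputerName $gc -Port 3268 -WarningAction SilentlyContinue
        [pscustomobject]@{
            GlobalCatalog   = $gc
            Tcp3268Open     = $tcp.TcpTestSucceeded
            SrvRecordExists = [bool]($srv | Where-Object { $_.NameTarget -ieq $gc })
        }
    }
}

Test-GlobalCatalogAvailability | Format-Table -AutoSize
```

If the locator call fails but a GC answers on 3268, the problem is usually the SRV records (DNS on the new DC not pointing at a DNS server that hosts _msdcs for the forest); if nothing answers on 3268, it is a firewall or the GC is not advertising.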


AD Replication Problem

We have a Windows 2008 R2 forest and domain functional level. We have HO + 5 sites (regional offices). All ROs have an ADC/DNS placed along with a Juniper firewall. We are facing an AD replication problem with one of the sites. I am able to ping all the ADCs from the ROs using IP, host name, FQDN and CNAME. nslookup is working fine, but when I try to forcefully replicate, it does not happen, nor does it happen automatically via the KCC-generated topology. I am able to telnet to all DCs and vice versa except on ports TCP 5722, UDP 123 & UDP 125.

The site where we are facing this problem is getting FRS event IDs 13508 and 13562.

Directory Services continuously logs events 1925 (KCC), 2024 (Replication), 1865 (KCC), 1311 (KCC) & 1566 (KCC).

When I tried repadmin /removelingeringobject "FQDN of Good DC" "GUID of BAD DC" "NC" /advisory_mode, the command says "8524 the DSA operation is unable to proceed because of a DNS lookup failure" and stops.

Please Help....
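Added example, not part of the original post: repadmin error 8524 means the DC could not resolve the name the replication engine actually uses for its partner, which is not the host name but the CNAME <DSA object GUID>._msdcs.<forest root>. Pinging the FQDN succeeding says nothing about that record. The script below resolves that CNAME for every DC in the forest and probes the ports replication and SYSVOL need (135 RPC endpoint mapper, 389 LDAP, 445 SMB, 88 Kerberos; 5722 is static DFSR on Windows Server 2008/2008 R2 DCs only, FRS as in events 13508/13562 uses 135 plus a dynamic RPC port). It assumes the RSAT ActiveDirectory and DnsClient modules and Windows 8 / Server 2012 or later for Test-NetConnection.

```powershell
# Added example (not from the original post): verify the _msdcs CNAME and
# the ports that AD replication needs, for every DC in the forest.
Import-Module ActiveDirectory

function Test-ReplicationNameResolution {
    param(
        [int[]]$Ports = @(135, 389, 445, 88, 5722)
    )
    $forest     = Get-ADForest
    $forestRoot = $forest.RootDomain
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            # The DSA GUID is the objectGUID of the NTDS Settings object, not of the computer object
            $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $domain
            $cname = "$($ntds.ObjectGUID)._msdcs.$forestRoot"
            $answer = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue |
                      Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1

            $portState = foreach ($p in $Ports) {
                $r = Test-NetConnection -ComputerName $dc.HostName -Port $p -WarningAction SilentlyContinue
                '{0}={1}' -f $p, $(if ($r.TcpTestSucceeded) { 'open' } else { 'closed' })
            }

            [pscustomobject]@{
                DC            = $dc.HostName
                Site          = $dc.Site
                DsaCname      = $cname
                CnameResolves = [bool]$answer
                CnameTarget   = $answer.NameHost
                Ports         = $portState -join ' '
            }
        }
    }
}

Test-ReplicationNameResolution | Format-Table -AutoSize
```

Run it from the DC that reports 8524: a CnameResolves of False for the partner means the _msdcs zone is missing the record or the DC's own resolver is not pointed at a DNS server that hosts it, and that is what has to be fixed before repadmin /removelingeringobject can work. The CNAME target should also match the partner's current host name; a stale target left from a rebuilt DC gives the same error.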

Lync Dial In Conferencing Addition

Hi,

We already have a Dial-In Conferencing global policy; now we want to add/enable the Dial-In Conferencing functionality.

Please let us know step-by-step how to enable Dial-In Conferencing in Lync 2013.

Regards,

Irfan Pathan


LDAP Over SSL through enterprise firewall

I am tasked with enabling an inbound LDAP over SSL connection over port 626 through our firewall from a service provider to one of our Active Directory domain controllers running Server 2008 R2 SP1 Standard in a single-domain forest at the Server 2008 R2 functional level.

I don't want to purchase a 3rd-party enterprise certificate, just a certificate local to that server which will enable the inbound LDAP over SSL connection from the service provider's cloud server, but which does not cause any problems with user/computer authentication or SRV record disruption within our own network, as we want the default LDAP connectivity on port 3389 within our internal AD domain to continue to work transparently.

We simply want to facilitate the inbound LDAP over SSL connection without having any impact whatsoever with how that DC operates on our internal network.

Can you provide me with specific step-by-step guidance to accomplish these objectives?

Scott McIntosh
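Added example, not part of the original post: a 2008 R2 DC starts answering LDAPS as soon as a suitable certificate is present in the NTDS service's certificate store (NTDS\Personal, which takes precedence) or in the Local Computer Personal store: it needs the Server Authentication EKU, a private key on the DC, and the DC's FQDN in the subject CN or SAN. Issuing it from an internal CA or self-signing it does not change anything for internal clients, who keep using plain LDAP on 389 and Kerberos as before; only the service provider has to trust the issuer. The script below connects to the standard LDAPS port, TCP 636 (3269 for the GC), and reports whether the certificate the DC presented meets those conditions and whether the chain validates on the client running the check. The DC name dc01.corp.example.com is hypothetical. The private-key requirement can only be checked on the DC itself (Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey).

```powershell
# Added example (not from the original post): fetch and check the
# certificate a DC presents on the LDAPS port.
function Get-LdapsCertificateReport {
    param(
        [Parameter(Mandatory)] [string]$DcFqdn,
        [int]$Port = 636          # standard LDAPS port; 3269 for the global catalog
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
    try {
        # Accept whatever the server sends so it can be inspected; chain validation is done separately below
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($DcFqdn)
        $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    } finally {
        $tcp.Close()
    }

    # Enhanced Key Usage must contain Server Authentication (1.3.6.1.5.5.7.3.1)
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    # DnsNameList is the CN plus every SAN dNSName entry
    $names       = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameMatches = [bool]($names | Where-Object { $_ -ieq $DcFqdn })

    $chain      = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainValid = $chain.Build($cert)

    [pscustomobject]@{
        Server            = '{0}:{1}' -f $DcFqdn, $Port
        Protocol          = $protocol
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        NotAfter          = $cert.NotAfter
        ServerAuthEku     = $hasServerAuth
        NameMatchesFqdn   = $nameMatches
        Names             = $names -join ', '
        ChainValidLocally = $chainValid
        ChainErrors       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Get-LdapsCertificateReport -DcFqdn 'dc01.corp.example.com' | Format-List
```

If the connection is refused, the DC has no usable certificate at all; if it succeeds but ChainValidLocally is False, the provider will need the issuing CA's certificate (or the self-signed certificate itself) added to its trust store. Restricting the firewall rule to the provider's source addresses keeps the LDAPS listener from becoming a general directory-enumeration endpoint.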

Active directory designing

Hi All

I need to learn how to design Active Directory for a new environment from scratch (for 1 lakh, i.e. 100,000, users).

I also need to know how I can migrate the existing Active Directory to the new environment in terms of design.

I have some questions in my mind and am not clear on those. Please provide your expert comments:

How much space is taken by 1 user in the AD database? That way we can calculate, if we have 50 thousand users, how much the AD database is utilizing.

Active Directory disaster recovery in terms of DCs in different data centers.

How much minimum bandwidth is required for AD replication, and on which link?

If we have a link below 500 kbps, then how can we design AD, and on which domain controllers?

How much bandwidth is normal bandwidth for AD?

What links can we use from one data center to another data center (Asia and Europe) for AD replication, and how much network bandwidth would be required?

If I have 1 lakh users, how much bandwidth do I need?

For how many users can I place how many DCs in a site? E.g. if I have 10,000 users authenticating in one site, how many DCs do I need to set up, including Global Catalogs?

How much hardware, RAM and CPU is required for DCs?

If a DC is a role holder, then what should the DC hardware be (RAM, CPU, hard disk space)?

#############

Even though I know there are the IPD guides and the capacity planning guide for AD (http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx),

I wanted to know from experienced guys who usually do AD design.

Duplicate SPNs and ADFS

Hey everybody,

I've been puzzled over this for almost a month; when running the ADFS configuration wizard I was presented with a duplicate SPN issue and informed I'd have to set it manually later. When attempting to set it manually from the command line, I'm presented with an error that there's a duplicate; however, I can't really understand what's presented.

Included below is what CMD presents to me; I'd be really grateful for any help anyone can give. The issue is causing me grief with Dynamics CRM, as it's authenticated via Kerberos using ADFS. I'm new to Dynamics, so forgive the noobishness. (-:

Thanks!

Hamual

C:\Users\Administrator>setspn -a host/adfs.mydomain.com ADFS
Checking domain DC=mydomain,DC=com
CN=ADFS,OU=Domain Controllers,DC=mydomain,DC=com
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ADFS.mydomain.com
        ldap/ADFS.mydomain.com/ForestDnsZones.mydomain.com
        ldap/ADFS.mydomain.com/DomainDnsZones.mydomain.com
        TERMSRV/ADFS
        TERMSRV/ADFS.mydomain.com
        DNS/ADFS.mydomain.com
        GC/ADFS.mydomain.com/mydomain.com
        RestrictedKrbHost/ADFS.mydomain.com
        RestrictedKrbHost/ADFS
        RPC/e4e389d6-05d1-47df-a009-eeb891456c3d._msdcs.mydomain.com
        HOST/ADFS/mydomain
        HOST/ADFS.mydomain.com/mydomain
        HOST/ADFS
        HOST/ADFS.mydomain.com
        HOST/ADFS.mydomain.com/mydomain.com
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/e4e389d6-05d1-47df-a009-eeb891456c3d/mydomain.com
        ldap/ADFS/mydomain
        ldap/e4e389d6-05d1-47df-a009-eeb891456c3d._msdcs.mydomain.com
        ldap/ADFS.mydomain.com/mydomain
        ldap/ADFS
        ldap/ADFS.mydomain.com
        ldap/ADFS.mydomain.com/mydomain.com

Duplicate SPN found, aborting operation!

A relevant error from Event Manager that I get is this:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Administrator. The target name used was HTTP/ADFS.mydomain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYDOMAIN.COM) is different from the client domain (MYDOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
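Added example, not part of the original post: SPN comparison is case-insensitive, so host/adfs.mydomain.com in the setspn -a command is the same SPN as the HOST/ADFS.mydomain.com that the listing already shows on CN=ADFS (a domain controller's computer account), which is enough for setspn to report a duplicate. The HOST/<fqdn> entry also answers Kerberos requests for HTTP/<fqdn> when no explicit HTTP SPN exists, and the event says the service that received that ticket runs as Administrator, which is what "registered on an account other than the account the target service is using" refers to. The script below does what setspn -Q and setspn -X do, forest-wide and case-insensitively, so you can see which account holds each name before deciding where the HTTP SPN belongs. It assumes the RSAT ActiveDirectory module; the SPN strings come from the post.

```powershell
# Added example (not from the original post): find the owner of an SPN and
# list every SPN that is registered on more than one account.
Import-Module ActiveDirectory

function Find-SpnOwner {
    param([Parameter(Mandatory)] [string]$Spn)
    # Same query as: setspn -Q $Spn   (whole forest: setspn -F -Q $Spn)
    # LDAP compares servicePrincipalName case-insensitively, like Kerberos does
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Find-DuplicateSpn {
    # Same idea as: setspn -X   (whole forest: setspn -X -F)
    $index = @{}   # lower-cased SPN -> DNs of the accounts that carry it
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            foreach ($s in $_.servicePrincipalName) {
                $k = $s.ToLowerInvariant()
                if (-not $index.ContainsKey($k)) {
                    $index[$k] = New-Object System.Collections.Generic.List[string]
                }
                $index[$k].Add($_.DistinguishedName)
            }
        }
    $index.GetEnumerator() |
        Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Spn = $_.Key; Accounts = ($_.Value -join '; ') } }
}

# The two names involved in the post: the one setspn refused and the one the Kerberos client asked for
foreach ($spn in 'host/adfs.mydomain.com', 'HTTP/ADFS.mydomain.com') {
    $owners = (Find-SpnOwner -Spn $spn | ForEach-Object DistinguishedName) -join '; '
    '{0} -> {1}' -f $spn, $(if ($owners) { $owners } else { '(not registered; HOST/<fqdn> answers for it)' })
}
Find-DuplicateSpn | Format-Table -AutoSize
```

The Find-DuplicateSpn output is the list to clear before any Kerberos-authenticated service will work reliably: a KDC that finds an SPN on two accounts issues tickets for one of them, and the other service logs exactly the KRB_AP_ERR_MODIFIED shown above.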

ADCS - PKI - Permissions for Service Account for SaaS Solution

Hi Everyone,

I'm in the process of configuring a Mobile Device Management PoC for our business.

The tool in question is a cloud based service, which needs to be able to request and issue certificates.

My question is what level of rights I need to give the service account in question in order to make sure the SaaS service is capable of completing the certificate request and issue tasks.

Further info:

1 forest with 3 child domains. Users and computers reside within one of the 3 child domains. The PKI infrastructure resides within the forest root domain. The root CA is offline, with 3 x subordinate root CAs (one within each region of the business).

Thanks in advance.

Simon 

kcc error - question

I have 3 different sites.

Site1: 2 Win 2008 R2 DCs and 1 Win 2003 DC that is soon to be decommissioned
Site2: 1 Win 2008 R2 DC
Site3: 1 Win 2008 R2 DC

My issue is with the DC in Site3. I keep getting the following error (Event ID 1311), followed by Event IDs 1865 and 1925. Everything seems to look good and work well, but I have some type of problem that is causing this error. I get this error every 15 minutes. Could someone help me determine what my problem is? Thanks

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:
CN=Configuration,DC=corp,DC=company,DC=com

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.

User Action
Perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.


Migrate 2 Server 2008 Domain Controller including DNS/DHCP to 2012 R2?

We need new domain controllers using the same names and IP addresses as the old servers.


The idea I have is to move the FSMO roles from the first server to the second, then demote, rename and re-IP the first server. Remove the DNS role from the demoted server and leave it running as a DHCP server. Then create a 2012 R2 server with the name and IP of the old DC, and promote it to DC and DNS server using the old name and IP.

Repeat for second DC.

Once this is complete, we also want to migrate the DHCP server to 2012 R2 and take advantage of the new option where the DHCP servers coordinate IP leases with each other.

Are there additional steps needed or is there a better way to plan this?

Moving a DC from One Hyper-v host to another Hyper-V host

Team,

For some reason I want to move one DC (non-FSMO) from one Hyper-V host to another Hyper-V host.

DC OS: Win 2008 R2 SP1

Hyper-V OS: Win 2008 R2 SP1

Please advise: shall I do that or not? If I can, what is the best practice for moving a DC from one Hyper-V host to another Hyper-V host?

Thanks in advance & so far.


AliahMurfy

How to grant permissions on a resource to a group in a trusted forest (unidirectional)?

Forest1 and forest2 are in a unidirectional trust. Forest1 is the trusting domain and forest2 the trusted domain.

I am the administrator of forest1. Forest1 has a resource that needs to be accessible from forest2.

Forest2 is an independent company. Forest2 has a group of users that need access to the resource in forest1.

I wanted to grant said group permissions on said resource. However, when I try to search the Active Directory of forest2, I am asked for the password of administrator@forest2.

How am I able to add the group from forest2 to the resource in forest1 if I do not have access to forest2?

upgrade empty root domain controllers from Server 2003

I have 2 empty-root domain controllers still running Server 2003. One is physical, running Server 2003 R2, 32-bit. I didn't think that was possible because I thought all R2 versions had to be 64-bit. I guess that started with Server 2008 R2. The other DC is a virtual server running Server 2003 SP2 (also 32-bit). The physical server holds the Domain Naming operations master role. The virtual server holds the Schema Master role.

Ideally I would like to get them both to a 64-bit OS and preferably both to Server 2012 R2. I figure I will put up a new 2012 R2 virtual server and promote it to DC. I'm a bit unsure of the role migration process. More specifically, is there a proper order to follow? Schema master first, etc.

Is it simpler to upgrade them in place and keep them at 32-bit, since my child domain is already at the 2012 domain functional level?
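Added example, not part of the original posts: both this post and the "Migrate 2 Server 2008 Domain Controller" post above plan to move operations master roles to a newly promoted DC before demoting the old one. There is no required order for a transfer; what matters is that the new DC has fully replicated, that the account used is in Schema Admins (schema master), Enterprise Admins (domain naming master) and Domain Admins (the three domain roles), and that a seizure (-Force) is only used when the old holder is gone for good and will never be brought back. The script below transfers all five roles to a new DC in one call and then reads back what the forest and domain now record as the holders (the same information netdom query fsmo prints). The DC name is hypothetical; it assumes the RSAT ActiveDirectory module on Windows Server 2008 R2 or later.

```powershell
# Added example (not from the original posts): transfer all five FSMO
# roles to a new DC and verify the result.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster          # forest-wide role
        DomainNamingMaster   = $f.DomainNamingMaster    # forest-wide role
        PDCEmulator          = $d.PDCEmulator           # per-domain role
        RIDMaster            = $d.RIDMaster             # per-domain role
        InfrastructureMaster = $d.InfrastructureMaster  # per-domain role
    }
}

function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)] [string]$NewHolder,
        [switch]$Seize     # only when the current holder is permanently gone
    )
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
    # -Force turns the transfer into a seizure; without it the current holder must be online
    Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder -OperationMasterRole $roles `
                                              -Force:$Seize -Confirm:$false
    Get-FsmoHolders
}

'Before:'; Get-FsmoHolders
# Dry run first; remove -WhatIf to perform the transfer
Move-ADDirectoryServerOperationMasterRole -Identity 'DC-2012R2-01' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -WhatIf
# Move-AllFsmoRoles -NewHolder 'DC-2012R2-01'
```

After the transfer, run Get-FsmoHolders against the old holder as well (Get-ADForest -Server <old DC>) and wait until it reports the new names before demoting it; the ownership change is just another replicated attribute.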

Replication Problems - Event ID 2092

I seem to have a replication problem or some corruption in AD. When the first DC boots, it reports Event ID 2092 and points to the schema FSMO role:

"This server is the owner of the following FSMO role, but does not consider it valid......."<cut>

"Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: CN=Schema,CN=Configuration,DC=daveathome,DC=org "

Replication seems to be working, repadmin /showrepl shows :-

U:\>repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\PROLIANT-DL360
DC Options: IS_GC
Site Options: (none)
DC object GUID: 87088f92-17ff-40bb-b740-c6e9b07cca56
DC invocationID: 69a74c45-b09a-42d7-8003-0600753f16f9

==== INBOUND NEIGHBORS ======================================

DC=daveathome,DC=org
    Default-First-Site-Name\POWERAPP120 via RPC
        DC object GUID: c45c936d-376f-4718-8fa9-afad0e2cbfb4
        Last attempt @ 2010-08-03 17:49:25 was successful.

CN=Configuration,DC=daveathome,DC=org
    Default-First-Site-Name\POWERAPP120 via RPC
        DC object GUID: c45c936d-376f-4718-8fa9-afad0e2cbfb4
        Last attempt @ 2010-08-03 17:54:56 was successful.

CN=Schema,CN=Configuration,DC=daveathome,DC=org
    Default-First-Site-Name\POWERAPP120 via RPC
        DC object GUID: c45c936d-376f-4718-8fa9-afad0e2cbfb4
        Last attempt @ 2010-08-03 17:49:25 was successful.

(Similar results are seen from the other DC), so replication would appear to be OK. As the error says, the server knows that it has the schema FSMO role, but does not consider it to be valid. This may have come about some time ago when I had a DC crash and had to seize the roles.

U:\>netdom query fsmo
Schema owner                proliant-dl360.daveathome.org

Domain role owner           proliant-dl360.daveathome.org

PDC role                    proliant-dl360.daveathome.org

RID pool manager            proliant-dl360.daveathome.org

Infrastructure owner        proliant-dl360.daveathome.org

The command completed successfully.

Replmon also shows that replication seems to be working. The old DC will never return, so can anyone tell me how I can get this DC to consider the schema role valid, or how else to recover the situation please?

regards

Dave
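Added example, not part of the original post: event 2092 is raised at startup when a DC holds a role but has not yet completed a successful inbound replication of the partition that contains it since it booted (the full event text says so after the "<cut>" above). The ownership itself is the fsmoRoleOwner attribute on the partition, which should point at the DC's own NTDS Settings object. The script below reads both, then compares the DC's last boot time with its most recent successful inbound replication of the schema partition, which is the condition the event is waiting on. It assumes the RSAT ActiveDirectory module and a target DC running Windows Server 2008 R2 or later with ADWS, plus WMI access for the boot time.

```powershell
# Added example (not from the original post): check schema-role ownership
# and whether the partition has replicated inbound since the last boot.
Import-Module ActiveDirectory

function Test-SchemaRoleValidity {
    param([string]$Dc = $env:COMPUTERNAME)

    $rootDse  = Get-ADRootDSE -Server $Dc
    $schemaNc = $rootDse.schemaNamingContext
    $selfDsa  = $rootDse.dsServiceName          # this DC's NTDS Settings DN
    $owner    = (Get-ADObject -Identity $schemaNc -Properties fsmoRoleOwner -Server $Dc).fsmoRoleOwner

    $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Dc
    $boot = $os.ConvertToDateTime($os.LastBootUpTime)

    # Inbound partners for the schema partition only; LastReplicationSuccess is per partner
    $inbound = Get-ADReplicationPartnerMetadata -Target $Dc -Partition $schemaNc -PartnerType Inbound
    $latest  = $inbound | Sort-Object LastReplicationSuccess -Descending | Select-Object -First 1

    [pscustomobject]@{
        DC                   = $Dc
        SchemaRoleOwner      = $owner
        OwnedByThisDC        = ($owner -eq $selfDsa)
        LastBoot             = $boot
        LastInboundSuccess   = $latest.LastReplicationSuccess
        LastInboundPartner   = $latest.Partner
        SyncedSinceBoot      = [bool]($inbound | Where-Object { $_.LastReplicationSuccess -gt $boot })
        InboundFailures      = ($inbound | Where-Object { $_.ConsecutiveReplicationFailures -gt 0 } |
                                ForEach-Object { '{0}: {1}' -f $_.Partner, $_.LastReplicationResult }) -join '; '
    }
}

Test-SchemaRoleValidity | Format-List
```

If OwnedByThisDC is True and SyncedSinceBoot is True, the condition has already cleared and the event was only logged during the startup window before the first inbound cycle completed. If OwnedByThisDC is False, fsmoRoleOwner still names the crashed DC's NTDS Settings object and the seizure did not take on this partition; if that object is still present under CN=Sites in the configuration partition, the old DC's metadata was never cleaned up.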

Creating AD Sites

Hi, Guys

Please, I have a small project and I was wondering if anyone can help, because it is kind of new to me, creating AD sites or a child domain or tree in a forest.

We have 4 sites, each running a Windows 2012 R2 domain server, and our main head office has 2 domain controllers, a PDC and an SDC. My question is how I go about creating sites to link the other 3 sites to our main office, and also what things such as RODCs, replication and trust relationships I should be aware of in terms of security.

Thanks guys for your help, whether links or steps provided.
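Added example, not part of the original posts: this serves both this post and the "kcc error - question" post above. The KCC's inter-site topology generator builds replication routes only from site links, so a site that is in no site link produces exactly the "insufficient site connectivity information" text of event 1311, and a subnet that is not assigned to a site makes clients and DCs in it fall back to whichever DC they happen to find. The script below creates a hub-and-spoke topology (one site link from the head office to each branch, which is what a WAN with all branches homed on the head office looks like), assigns each branch subnet, and then audits the forest for sites that are not in any site link. Site names, subnets, cost and interval are hypothetical; it assumes the RSAT ActiveDirectory module on Windows Server 2012 R2.

```powershell
# Added example (not from the original posts): build a hub-and-spoke site
# topology and audit for sites the KCC cannot route to.
Import-Module ActiveDirectory

$hub      = 'HeadOffice'
$branches = @{                 # site name -> subnet, all hypothetical
    'Branch1' = '10.1.0.0/16'
    'Branch2' = '10.2.0.0/16'
    'Branch3' = '10.3.0.0/16'
}

function New-HubAndSpokeTopology {
    param(
        [Parameter(Mandatory)] [string]$Hub,
        [Parameter(Mandatory)] [hashtable]$Branches,
        [int]$Cost = 100,
        [int]$IntervalMinutes = 15
    )
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Hub'")) { New-ADReplicationSite -Name $Hub }

    foreach ($site in $Branches.Keys) {
        $subnet = $Branches[$site]
        if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) { New-ADReplicationSite -Name $site }
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
            New-ADReplicationSubnet -Name $subnet -Site $site     # clients in this range now locate DCs of $site
        }
        $link = "$Hub-$site"
        if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
            New-ADReplicationSiteLink -Name $link -SitesIncluded $Hub, $site -Cost $Cost `
                -ReplicationFrequencyInMinutes $IntervalMinutes -InterSiteTransportProtocol IP
        }
    }
}

function Get-SiteWithoutSiteLink {
    # SitesIncluded holds site DNs; resolve them to names and diff against all sites
    $linked = Get-ADReplicationSiteLink -Filter * |
              ForEach-Object { $_.SitesIncluded } |
              ForEach-Object { (Get-ADReplicationSite -Identity $_).Name } |
              Sort-Object -Unique
    Get-ADReplicationSite -Filter * |
        Where-Object { $linked -notcontains $_.Name } |
        Select-Object Name, DistinguishedName
}

New-HubAndSpokeTopology -Hub $hub -Branches $branches
# Anything listed here is a site the inter-site topology generator cannot reach
Get-SiteWithoutSiteLink
```

Two points on the security side of the question: an RODC in a branch only makes sense if the branch DC is physically less protected than the head office, and its password replication policy then decides whose secrets it may cache; and no trust is involved at all, since sites are a replication and locator construct inside one forest, not a boundary between domains.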

Capture Hostname in LDAP Trace

I am planning a domain controller upgrade, and the name of the server will change. We have a DNS alias (CNAME) configured for LDAP use, so that anyone making LDAP calls against our domain controllers should not be impacted by this upgrade. However, I have found that some applications are configured to use the host name of the DC instead of the alias I have configured.

Is there a way to capture information about LDAP calls to the domain controller via the host name vs. the alias? I can use NetMon to capture traffic on port 389, but that doesn't tell me which DNS entry the host used to get there.

Thanks


Remove phantom DNS Server - Windows Server 2003

Hi,

I am trying to clean up my DNS setup and have another question. I've just had some very helpful responses to my post about ADI, so, hopefully, I'm on a roll!

Some time ago, I had a DC/DNS server fail. I built another machine and added a replacement DC/DNS machine. I had a few problems along the way, but think things are back working much the same as before. (I had to seize the FSMO roles, but things look OK(ish).)

I'm not sure whether it was during that process or when I installed SP2, but I am seeing a lot of 4521 errors in Event Viewer ("The DNS server encountered error 9002 when attempting to load zone . from Active Directory..."). I don't have the root . zone, but think that the error may have something to do with the old DNS server?

In the MMC DNS snap-in, under Forward Lookup Zones, below the domain name, the IP address of the old DNS server (which has been removed and will never reappear) is shown as an A record in DomainDnsZones and ForestDnsZones.

Questions.

Could this be causing the 4521 errors?

Either way, is it safe to delete these orphan A records?

regards

Dave
Active Directory user permissions

How can we grant a user full read/write permission on Active Directory?

The trust relationship between this workstation and the primary domain failed

On Windows XP Professional a user got an error like "The trust relationship between this workstation and the primary domain failed" while logging in. Can anyone help me? It's very urgent.

The user is able to log in when he removes the network cable, but he can't use any shared printer or shared folders. I tried to log in using domain admin credentials but still no luck. I forgot the local administrator password for this PC.


feroz syed ;)

Schema Extension from 2003 R2 to 2012 R2

Hi all,

I ran a schema extension over a wide forest with 5 domains. Before running /forestprep, I first stopped replication on one domain controller of each domain, including the root domain, by running "repadmin /options +DISABLE_INBOUND_REPL +DISABLE_OUTBOUND_REPL".

I also did the same on the schema master. After I ran forestprep and checked objectVersion on all DCs in the forest, it was 69 (2012 R2).

How did this happen for the DCs where replication was still disabled?

Does the command "repadmin /options +DISABLE_INBOUND_REPL +DISABLE_OUTBOUND_REPL" disable replication immediately, or does the KCC also need to run to calculate the new replication topology, and only then is replication off for those DCs?

Thanks experts for your answers.

Best Regards


Mustapha EL HACHIMI
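Added example, not part of the original post: the flags that repadmin /options sets are bits in the options attribute of each DC's NTDS Settings object, so the first thing to establish is which DCs actually carry DISABLE_INBOUND_REPL and DISABLE_OUTBOUND_REPL right now, and whether the DCs that show objectVersion 69 are among them. The script below reads that attribute for every DC in the forest and decodes it with the documented NTDSDSA_OPT_* bit values (1 = IS_GC, 2 = DISABLE_INBOUND_REPL, 4 = DISABLE_OUTBOUND_REPL, 8 = DISABLE_NTDSCONN_XLATE), alongside the schema version each DC reports, which is what repadmin /options <DC> and repadmin /showattr <DC> "cn=schema,cn=configuration,..." /atts:objectVersion would print one DC at a time. It assumes the RSAT ActiveDirectory module and ADWS on every DC.

```powershell
# Added example (not from the original post): decode the NTDS Settings
# options bits and read the schema objectVersion on every DC in the forest.
Import-Module ActiveDirectory

$NtdsOptionFlags = @{
    IS_GC                  = 0x1
    DISABLE_INBOUND_REPL   = 0x2
    DISABLE_OUTBOUND_REPL  = 0x4
    DISABLE_NTDSCONN_XLATE = 0x8
}

function ConvertFrom-NtdsOptions {
    param([int]$Value)
    $set = foreach ($name in ($NtdsOptionFlags.Keys | Sort-Object { $NtdsOptionFlags[$_] })) {
        if ($Value -band $NtdsOptionFlags[$name]) { $name }
    }
    if ($set) { $set -join ' ' } else { '(none)' }
}

function Get-DcReplicationOptions {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            # options lives on the NTDS Settings object; a missing attribute means 0
            $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options -Server $domain
            $opts = [int]$ntds.options
            # Ask this DC for its own copy of the schema head, not a replica elsewhere
            $schemaNc = (Get-ADRootDSE -Server $dc.HostName).schemaNamingContext
            $version  = (Get-ADObject -Identity $schemaNc -Properties objectVersion -Server $dc.HostName).objectVersion
            [pscustomobject]@{
                Domain        = $domain
                DC            = $dc.HostName
                Options       = $opts
                Decoded       = ConvertFrom-NtdsOptions -Value $opts
                SchemaVersion = $version
            }
        }
    }
}

Get-DcReplicationOptions | Sort-Object Domain, DC | Format-Table -AutoSize
```

A DC whose Decoded column still shows DISABLE_INBOUND_REPL and whose SchemaVersion is nevertheless 69 received the schema some other way than inbound replication; a DC with Decoded of (none) simply had the flag cleared (repadmin /options <DC> -DISABLE_INBOUND_REPL) or never had it set, and there is nothing surprising about its version.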

ADFS proxy error: An error occurred when attempting to establish a trust relationship with the federation service

I have a Windows 2012 R2 federation server, but I'm trying to add an ADFS proxy server (WAP) which runs on Windows Server 2012 R2. I keep getting the above error. I have researched it and the certificate is right, yet I keep getting the same error. The proxy server is not even in the DMZ; there is no firewall between them. Any help?

This is the complete error:

I have a Windows 2012 R2 federation server, but I'm trying to add an ADFS proxy server (WAP) which runs on Windows Server 2012 R2. I keep getting the above error. I have researched it and the certificate is right, yet I keep getting the same error. I used NetMon to monitor the traffic and I could not see any connection or attempt to communicate with the federation server. The proxy server is not even in the DMZ; there is no firewall between them. Any help?

Trying to run it using PowerShell, I got this error:

Install-WebApplicationProxy : The certificate that is specified by the CertificateThumbprint parameter could not be
found in the Local Computer Personal certificate store.  Check the thumbprint value and ensure that the desired
certificate is installed in the Local Computer Personal certificate store.
At line:1 char:1
+ Install-WebApplicationProxy -CertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-WebApplicationProxy], DisplayableArgumentException
    + FullyQualifiedErrorId : PrerequisiteTest,Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand


Jose Chavez IT Manager
