Channel: Directory Services forum

2 DCs: nltest /query works on one, sc_query fails, converse on other DC


Server 2012 DNS-integrated AD:

DC1 nltest /query results in:

Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

nltest /sc_query:domainname results in:

Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\dc2.domainname
Trusted DC Connection Status Status = 0 0x0 NERR_Success

DC2 nltest /query results in:

Connection Status = 0 0x0 NERR_Success

nltest /sc_query:domainname
nltest : I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

dcdiag /test:dns results are pass pass pass warn (with missing AAAA records)

IP Addresses are publicly routable, behind firewall, GPO is set to disable IPv6to4.  IPv6 records have been removed from DNS and DNS is not set to listen on any IPv6 connections.


Demoting a DC using dcpromo


I am trying to demote a DC that runs 2008r2 but am getting the following:

The operation failed because:

Managing the network session with XXXXXXXXX.XXXX failed

"Logon Failure: The target account name is incorrect"

What is the target account name it's having trouble with? I entered both my admin credentials and also entered the AD DS password when prompted.


Francisco Mercado Jr.

Security groups cross forest trust


Hi,

I have multiple forests; some of them have a forest trust [transitive] and the others an external trust.

I created security group A in one of the forests and I want to add [Domain Users security group] from another forest to security group A.

How can I do it?


Thanks, Shehatovich

AD LDS setup problem in a DMZ


Setting up AD LDS on Windows Server 2012 R2 within a DMZ and having problems getting the initial sync to work. So far I have LDS installed and a new instance created and running fine, and I have also extended the schema using the MS-adamschemaw2k8.LDF file. As this is in a DMZ the server has no DNS to the internal AD, so I have added an entry to the hosts file with the IP address of a DC and the DNS name of my domain, i.e. 10.1.1.1 local.mydomain.co.uk, and this is pingable from my LDS server. I have also allowed the LDS server through the firewall to that DC on ports 389 and 636 (this will be locked down to 636 once I have it working). I have set up a new MS-AdamSyncConf.xml in a new location with the following settings changed:

  • <source-ad-name>local.mydomain.co.uk</source-ad-name>
  • <source-ad-partition>DC=Local,DC=mydomain,DC=co,DC=uk</source-ad-partition>
  • <source-ad-account>administrator</source-ad-account>
  • <account-domain>local.mydomain.co.uk</account-domain>
  • <target-dn>DC=Local,DC=mydomain,DC=co,DC=uk</target-dn>
  • <base-dn>OU=DC Users,DC=Local,DC=mydomain,DC=co,DC=uk</base-dn>

I have imported this with the command adamsync /install localhost:389 c:\lds\MS-AdamSyncConf.xml, which worked fine, and then ran the sync command as follows: adamsync /sync localhost:389 DC=Local,DC=mydomain,DC=co,DC=uk /log c:\lds\synclog.txt

Then when I look at the log file I get the following results with error messages:

Adamsync.exe v1.0 (6)

Establishing connection to target server localhost:389.

There is already an active sync session in progress. 

Please allow the session to complete, or use -mai to seize the role.

Saving Configuration File on DC=Local,DC=mydomain,DC=co,DC=uk

Saved configuration file.

ADAMSync is querying for a writeable replica of local.mydomain.co.uk.

Error: DCLocator call failed with error 1355. Attempting to bind directly to string.

Establishing connection to source server local.mydomain.co.uk:389.

Ldap error occured. ldap_bind_s: Invalid Credentials. 

Extended Info: 8009030C: LdapErr: DSID-0C0904FB, comment: AcceptSecurityContext error, data 52e, v2580.

Ldap error occured. ldap_bind_s: Invalid Credentials. 

Extended Info: 8009030C: LdapErr: DSID-0C0904FB, comment: AcceptSecurityContext error, data 52e, v2580.

Please can someone help.

Thanks


DC failed to authenticate its own computer account?


Hello everyone,

Sometimes these two events are logged on my DC1 (W2K8R2, it holds all FSMO roles):

Kerberos pre-authentication failed. Domain is obscured.

Account Information:
Security ID: DOMAIN\DC1$
Account Name: DC1$

Service Information:
Service Name: krbtgt/DOMAIN

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

and

The domain controller attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: DC1
Source Workstation: DC1
Error Code: 0xc0000064

They occur sporadically, sometimes every few hours, sometimes every few minutes. But when they are logged, it is around 20 times per second. At the same time, these two events are logged in the System log, but instead of 20 times only once.

A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time: 7:4:54.0000 5/28/2015 Z
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: DOMAIN
Server Name: host/DOMAIN
Target Name: host/DOMAIN@DOMAIN
Error Text:
File: e
Line: a05
Error Data is in record data.

A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time: 7:4:54.0000 5/28/2015 Z
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: DOMAIN
Server Name: host/DOMAIN
Target Name: host/DOMAIN@DOMAIN
Error Text:
File: e
Line: a05
Error Data is in record data.

dcdiag is OK, except the system log.

Any idea?


Migrating Global / Domain Local Groups And Users


In the official TechNet article for an inter-forest migration, global groups are the ones to be migrated first, followed by user accounts, then by domain local groups.

It's clear why the global groups must go first, due to the open-set concept and the fact that migrated users won't be able to reference their parent groups since they don't exist as yet.

1. There's no mention of universal groups, but most likely they would have to be treated in the same timeframe as global groups, right?

2. Why not have the domain local groups migrated at the same time as global groups, instead of postponing this until after the user accounts are migrated?

DAC user claims not retrieved on my client


Hello,

I have created the DAC claims correctly in ADAC on Windows Server 2012. I use only department and office, and I populate them on each user's Active Directory attributes. I have configured the KDC and Kerberos armoring on the domain controller and client, but it takes a long time to see claims on my Windows 8.1 client with whoami /claims. Any idea, or a way to force them? I use Active Directory to replicate the configuration partition on all my DCs.

I have one forest, with one domain and three sites with 2 DCs in each, WAN link 10MB/s.

thank you 

how to import the users from one domain to other domain?


Hi, I want to export and import the users from one domain to another domain. I am able to export the users, but while importing the users into the other domain I'm getting the error below. I have changed the domain name and OU as required for the destination domain.

C:\>csvde -i -k -f Exported.csv
Connecting to "(null)"
Logging in as current user using SSPI
Importing directory from file "Exported.csv"
Loading entries.
Add error on line 2: Invalid Syntax
The server side error is "The parameter is incorrect."
0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

Can anyone help me on the above issue?

Thanks


Thanks Ravitej Reddy


The Integrated Windows authentication endpoint is missing on the internal metadata document.


Hi,

Using the Remote Connectivity Analyzer, I'm getting the following error when testing SSO:

Analyzing the ADFS metadata document for configuration problems.
     Errors were found while analyzing the ADFS metadata document.
         Additional Details
             The Integrated Windows authentication endpoint is missing on the internal metadata document.

I have followed the kb articles related to this:

https://support.microsoft.com/en-us/kb/2712957

https://support.microsoft.com/en-us/kb/2647048

I checked all the AD FS endpoints, and I "repaired" the domain. Any idea what else it could be?

Thanks, Chris

Active Directory user attributes disappear some time after being updated


Hi,

Recently I have been floored by a strange issue. When I update the mobile attribute of a user account's properties, it updates and I can see it updated, but after some time it disappears.

If I do repadmin /objmeta domain-controller <DN path>, I can see that it updates....

I have even tried it from the server holding the PDC Emulator role, no luck.

Worth directly updating the schema? (I know it's not the way to go...:))

Has anyone come across similar issues?

Regards,

Ochen

Promoting Server 2012 in a 2008 R2 Domain failed


Trying to promote a new Server 2012 as a Domain Controller in a 2008 R2 Domain.  In the domain currently, there are 2 Server 2008 R2 and 1 Server 2012 already.  I want to add a 2nd Server 2012 and eventually demote one of the Server 2008 R2.

When trying to promote the new Server 2012, I get the following:

Verification of prerequisites for Active Directory preparation failed.  Unable to connect to the replication source domain controller xxxx.domain.com

Exception: The user name or password is incorrect.

I checked the user name and password 5 times already and know that it is the right one. The user is also an Enterprise Admin, Domain Admin and Schema Admin.

What am I missing here?

Appreciate any help.

Vince

External Domain Trust restricting authentication to a single DC.


I have a one-way domain trust that is periodically having problems authenticating users and occasionally times out users that have logged into the application successfully with remote domain credentials. I think this has to do with the fact that only a single domain controller is available over the network, and if you nslookup company.local it returns all domain controllers, even DCs that cannot be routed to. What I think is happening is that it hits each one of the domain controllers that DNS returns and has to time out before it reaches the DC that is in the same network as the servers it needs to authenticate for. My question is: with a domain trust, is there a way I can limit authentication requests to a single DC or a group of DCs that I choose, or is DNS the authority for all of this? I have done this in the past by exporting the zone from the remote DC, importing it as a primary zone on a local DNS server, and deleting all the records for servers that there is no connection to. I would rather do it in a way that wouldn't require me to manage the client's DNS. Any help is appreciated.

This is a link to how I've done it in the past: http://www.neomagick.net/zen/2008/11/30/using-dns-to-force-a-domain-trust-through-a-specific-domain-controller-dc

I just would like to find a better way.

Thanks

Buddy

Global Catalog error


Hi! Excuse me sir, could you help me solve a problem that happens when I create a new domain tree root instead of a new child domain? I get this problem:

Additional Data 
Error value:
1355 The specified domain either does not exist or could not be contacted. 
Internal ID:
3200e25 

User Action: 
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

1. What should I do to solve the problem?

2. Must we install a Global Catalog on all domain controllers?

Change Last name or create new account


Hi all,

We have a colleague who has married and changed her last name. My question is, what is Microsoft's recommendation in this case? Shall we create a new user name and mailbox, or is it okay to change the last name only and change it in the user login name and mailbox?

Thank you in advance.

Active Directory Error


Hello,

I'm creating users in Active Directory using PL/SQL (Oracle) with the userPassword attribute, but it looks like the password of these users is not set, because the userAccountControl attribute is 546.

When I try to change userAccountControl attribute, I'm getting this error:

DSA is unwilling to perform. 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

Thanks in advance for your help.


Subject: Error Message - "Permissions on "domain name" are incorrectly ordered"


Subject: Can't perform AADSync because of permissions problem

Environment: WS2K3 functional-level forest with an empty root and a child domain. The root consists of all WS2K8R2 SP1 64-bit DCs. The child domain has the bulk of the user and computer accounts and a mix of WS2K8R2 SP1 64-bit and WS2K3 SP2 32-bit DCs. Can't upgrade the remaining WS2K3 DCs till legacy software is replaced. Soon I hope.

Objective:     To AADSync user accounts up to O365.

     Proposed Procedure: Add the following permissions to the AAD Sync service account

        + On a WS2K3 DC in the user accounts domain, open the Active Directory Users and Computers snap-in.

        + On the View menu, click Advanced Features.

        + Right-click on the user accounts domain object (such as "my.company.com"), and then click Properties.

        + Click on the Security tab, click Add and type in the AD service account we created earlier.

        + Click to select the Replicating Directory Changes and Replicating Directory Changes All check boxes from the list.

        + Click Apply, and then click OK. Close the snap-in.

     Problem: WS2K3 DC

          + When I click on the Security tab, the following error pops up:

                  The permissions on "user accounts domain name" are incorrectly ordered which may cause some entries to be ineffective. Press OK to continue and sort the permissions correctly.

          + When I click Cancel, the error message disappears. The Security tab is still selected. The only group listed is the Everyone group, with listed permissions of Full Control (so under Permissions for Everyone, all permissions are listed with their Allow box checked). The Add button appears to be active.

     Problem: WS2K8R2 DC

          + When I click on the Security tab, the same error pops up:

                  The permissions on "user accounts domain name" are incorrectly ordered which may cause some entries to be ineffective. Press OK to continue and sort the permissions correctly.

          + When I click Cancel, the error message disappears. The Security tab is still selected. The normal groups are listed with normal permissions (at least for the ones I checked). Add and Remove buttons are greyed out. The Advanced button is active. When I select it, on the subsequent Advanced Security Settings screen, Permissions tab, the Add button is greyed out.

Otherwise, the domain is normal.

Can't find a similar problem for domains in the MS Premier knowledge base.

Similar error messages are in the knowledge base, but for folders, not for a domain.

Any ideas as to cause, resolution? Should I just hit OK to sort the permissions correctly? Or could that cause significant damage?

Thanks for your input!

Rebooting Primary Domain Controllers and Backup Domain Controllers after Windows Updates


Hello,

I have recently been tasked with developing an update strategy for about 60 servers. To date I have really only created update strategies for client PCs. The environment is a mix of 2008/2008R2/2012R2 with a functional level of 2008R2. In my experience running security and critical updates is not an issue as long as you test, but there is one question I cannot find a definitive answer to: with the primary domain controller and the two backup domain controllers, is there any order they need to be rebooted in? The primary holds all the FSMO roles and logic tells me it should not matter what order they are rebooted in, but I want to make sure before I start rebooting.

Thanks in advance! 


Maximum user object size question


Greetings distinguished colleagues,

I was asked a question today, and the answer eludes me. A user wants to have a shared mailbox on an Exchange 2010 server, with 1000 email aliases.

These aliases are going to be stored on the user's AD object under the fields "proxyAddresses" and "msExchShadowProxyAddresses".

I know there has to be a size limit for what can be stored in Active Directory objects in these multi-value fields, but I am unable to find a reference to such an answer. I see on the web where several people have recommended no more than 250 per account, but I can't find any reason / science / rules behind their recommendation, other than what appears to just "feel" right.

Anyone have any idea and a link to a MS resource that spells out limits per individual user objects in AD?

Thanks for any insight

GPO - Local admin account and password settings


I am trying to set the local user account to an alias and set the password. I have found the policy I need to modify and have done so successfully, but I cannot enter and confirm the password. Why would this be? I am a member of both the Enterprise Admins and Domain Admins groups.

I need AD design advice for a lab domain.


Hi. We are a small company with a domain that has our users and the applications we use for production. We want to stand up an environment that is strictly for "playground" type testing of a lot of different hardware/software. Nothing in this lab environment needs access to anything in the company domain, but it would be nice to manage the Domain Admin accounts from the company domain. For example, is it possible to have a group in the company domain called "Lab Domain Admins" in which I can assign company users as Domain Admins of the lab domain? This way they can manage AD, DNS, etc. using the special account in the company domain. Is this possible? We have tried to accomplish this with a one-way trust and we have been unable to give AD Domain Admin authority to a company domain user. Should we be going about this a different way?
