Channel: Directory Services forum

AD Replication Failed - Parent-Child Trust


Hi,

One of my customers has an AD forest that contains three domains: a root domain and two child domains. We are having problems with only one child domain and the parent domain; replication fails between these two domains. The root domain is installed on Server 2012 R2 and the child domain on Server 2008 R2.

The customer said that this issue occurred just after deleting the Parent-Child trust between the domains. This was done by an engineer from a different company to overcome an issue while he was installing a service pack for Exchange 2010. Anyway, the deletion was performed using ADSIEdit. After deleting the parent-child trust, the Exchange setup was successful and he created the trust again, but it was an External, non-transitive trust. According to the customer, this can be true as well.

Now replication between the parent and child domain doesn't occur, and there are too many errors to mention. A few commonly noticeable issues are:

  1. "NTDS Settings" object is missing in the AD Sites and Services console (Parent domain side)
  2. "NTDS Settings" object is present in the AD Sites and Services console (Child domain side), and once I select the "Replicate Now" option it gives me an "Access Denied" error.

So, please be kind enough to let me know a solution for this issue.

Regards,

Thisaru Perera.


Client & AD Certificates


Hi All,

A few days back we migrated from Google Apps to Office 365. Everything seems to be working fine except the Offline Address Book. The Offline Address Book is not able to download; it just sits in the send and receive process and produces a timeout error.

We raised a Service Request with Microsoft and below are their findings, which they sent by email.

Issue Definition:

Your users are not able to download Offline Address Book from Outlook. OWA is not affected. The Autodiscover Test from Microsoft Remote Connectivity Analyzer is successful. With a domain user logged on a domain joined machine, the issue can be reproduced from local network and from outside. With a machine not joined to the domain, the OAB can be downloaded without any problems. The issue is present for all users. For troubleshooting reasons we chose user:osama.mansoor@crescent.com.pk

Steps performed so far:

We ran the Autodiscover test again from Microsoft Remote Connectivity Analyzer and it was successful.

We made the AutoConfiguration test from Outlook 2013. The test was successful and provided the same URL for OAB: https://outlook.office365.com/OAB/df3bf201-d31f-4a69-e51dcf5daa09/

We tested in the IE the OAB link: https://outlook.office365.com/OAB/df3bf201-d31f-4a69-e51dcf5daa09/OAB.xml. We were able to access the XML after entering the affected user’s credentials.

In Outlook Web App the issue is not present.

We started the ETL logging for Outlook 2013 and ran the Fiddler Trace Application to capture the HTTPS traffic decoded.

With Fiddler Trace running the issue was solved. Fiddler Trace application installed a certificate for decoding the HTTPS traffic. After removing the Fiddler Trace certificate the issue came back.

Steps to be performed:

Please send me by email the files collected in our LMI session.

We conclude that issue is not Office 365 related. Please check the following in your internal network:

  1. verify the certificate installed for users from local AD.
  2. if you have proxy, check if the OAB request is allowed to pass.
  3. check that the Background Intelligent Transfer Service (BITS) service is running on the affected machine: http://blogs.technet.com/b/ehlro/archive/2014/03/21/oab-download-and-bits-service.aspx
  4. please be sure BITS service is not blocked at proxy / firewall level.
  5. please check local AD policies that can be related with BITS and certificates.

My question:

Can someone help me with how I can check whether the local AD certificate is having this problem or not?

Active directory deployment licenses


Hi all,

I am planning an Active Directory deployment in our organisation; we have the following infrastructure:

  • TUR64 Unix PC
  • Windows XP PC
  • Printers
  • 3 VLANs

Which license should I have to do this work?

We will deploy some restrictions for security reasons (block USB, disable running software programs on some PCs...). Do we need additional licenses to configure group policies like scripts?

Regards,

Jlassi Fida 

Delegation of security permissions


Hi

I need to know: if we have to delegate the below two permissions individually, what needs to be delegated on an OU?

  1. Reset Computer Account
  2. Enable & Disable Computer Account


Regards, Sushain Kapoor
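As an added example (not part of the post above), one way to delegate exactly those two tasks on an OU with dsacls from PowerShell. The OU path and group name are placeholders; the mapping of "reset account" to the Reset Password control access right and of enable/disable to write access on userAccountControl is my assumption from the usual delegation guidance, so confirm the result on a test OU with the Effective Access tab before rolling it out.

```powershell
# Added example, not from the forum post. Placeholders: adjust the OU and group.
$ou    = 'OU=Workstations,DC=corp,DC=example'
$group = 'CORP\Helpdesk-Workstations'

# 1) Reset Computer Account
#    ADUC's "Reset Account" rewrites the machine account password, which is
#    governed by the "Reset Password" control access right (CA) on computer
#    objects. /I:S applies the ACE to sub-objects only, so the OU itself is
#    not writable and nothing else in the OU is touched.
dsacls $ou /I:S /G "${group}:CA;Reset Password;computer"

# 2) Enable & Disable Computer Account
#    Both actions flip the ACCOUNTDISABLE bit in userAccountControl, so Write
#    Property (WP) on that single attribute is sufficient; no generic write,
#    no full control. (Assumption: the attribute's display name is accepted
#    by dsacls, as it is for other attributes such as member.)
dsacls $ou /I:S /G "${group}:WP;userAccountControl;computer"

# Verify that only the two intended ACEs were added for the group
dsacls $ou | Select-String -Pattern 'Helpdesk-Workstations'
```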


failed to authenticate to DC (event ID 3210)


I'm troubleshooting different workstation slowness scenarios, and one of the concerning event IDs is 3210, which indicates some authorization issues between the client computer and the domain. Group policy errors (lack of connectivity to a domain controller) also follow this error.

I'm trying to solve this event ID 3210 issue without success; so far I've done:

- Ports are open between client and DC (I ran PortQry tests)
- Computer is patched 100%, KB2958122 included
- Computer account deleted, computer re-joined to the domain


Netlogon folder missing after dcpromo of 2003 server

We had a single domain controller on a 2003 server. I installed a 2012 server and followed a TechNet article to promote it as the DC and then demote the 2003 server. After running dcpromo on the 2003 server, the Netlogon folder was not created on the new 2012 DC. What are my options?

Query AD for Users that are members of the Domain Admin and Exchange Admins


I'm currently looking for some assistance in generating an LDAP query or a PowerShell command to separately list:

1) All users that are members of the Domain Admins group only

2) All users that are members of the Exchange Admins group

Can anyone provide some assistance?

Regards, 

Shiv


Shivanand Sinanan
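As an added example, not from the post above: a PowerShell function (ActiveDirectory module) that lists the effective user members of a group, including members of nested groups and accounts whose primary group is that group, which never show up in the member attribute and are easy to miss when auditing Domain Admins. The group name "Exchange Admins" is taken from the post and is not a built-in group; substitute the real group name in your organisation.

```powershell
# Added example, not from the forum post.
Import-Module ActiveDirectory

function Get-EffectiveGroupUsers {
    param([Parameter(Mandatory)][string]$GroupName)

    # primaryGroupToken is a constructed attribute and must be requested explicitly
    $group = Get-ADGroup -Identity $GroupName -Properties primaryGroupToken

    # Escape characters that are special in an LDAP filter (RFC 4515) before
    # embedding the DN; backslash first, since DNs already use it as an escape.
    $dn = $group.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                                   -replace '\(', '\28' -replace '\)', '\29'

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested
    # group membership server-side. The primaryGroupID clause catches accounts
    # whose primary group is this group (e.g. 512 for Domain Admins): they are
    # effective members but are absent from the group's member attribute.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(|(memberOf:1.2.840.113556.1.4.1941:=$dn)" +
              "(primaryGroupID=$($group.primaryGroupToken))))"

    Get-ADUser -LDAPFilter $filter -Properties Enabled, adminCount |
        Select-Object SamAccountName, Enabled, adminCount, DistinguishedName
}

# Group names as given in the post; one CSV per group for review.
foreach ($name in 'Domain Admins', 'Exchange Admins') {
    Get-EffectiveGroupUsers -GroupName $name |
        Export-Csv -Path ".\$($name -replace ' ', '').csv" -NoTypeInformation
}
```

Disabled accounts are listed too (Enabled = False) because they still hold the group's rights if re-enabled; filter on Enabled only after reviewing them.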

Superscript Character in FullName Property in AD


I am trying to put a superscript character in AD in the Name attribute, however it displays it as a normal character.

What are the limitations of value for AD Property?


For God, and Country.


How do I disable trust relationship resets in Active Directory?


Hi there,

I'm running some simple network tests with virtual machines connected to a parent and child domain in Active Directory. I'm attempting to test cross-domain communication, but whenever I revert my virtual machines, the trust relationship goes stale or I get locked out of my machine, stating the following error message: "The trust relationship between this workstation and the primary domain failed."

To my knowledge, this is due to the password database on the domain controllers and keys used to establish a trust relationship to access those passwords for authentication going out-of-sync with the reverted node. I'm aware of the workaround for this (a short script for requesting a password reset), but this takes time and can harm my tests if I need to revert to a state (as my state is then modified). For the purposes of my tests, I only require that my trust relationships are not reset (the security feature of resetting the trusts is not needed). Is there any means of disabling this feature for my tests?

Thanks,
Gareth 

First remote computer setup

This is my first remote computer setup in a WS2012R2 system. I have set up a remote computer on a Windows 7 Pro computer by selecting the domain mysite.com and restarting. Now the computer shows up in WS2012R2 Active Directory Users and Computers. I assign the remote computer an IPv4 address. I cannot get the remote computer to go online and list the IPv4 address or the operating system. How do I get the remote computer online?

AD Sites & Services: Server Removal


Current environment:

  • 5 sites
  • 2 domain controllers in the primary site A
  • 1 domain controller in each of the other sites B,C,D,E.  No other servers in sites B,C,D,E

Objective:

  • Remove DCs in sites B - E

Questions:

  1. Do the DCs in sites B-E have to be DCPROMO'd out before being able to remove them from their sites?
  2. If they have to be DCPROMO'd out before removing them from their sites, will the KCC automatically refer those sites to primary site A for AD services (authentication)?

TIA

What's the correct answer


Here is the question:

A company plans to synchronize users in an existing Active Directory organizational unit with Office 365. You must configure the Azure Active Directory Synchronization (AAD Sync) tool with password sync.
You need to ensure that the service account has the minimum level of permissions required.
Which two permission levels should you assign to the account for each task? To answer, select the appropriate permission level from each list in the answer area. 

Event ID 1302 (error 1307) DFS replication service encountered an error while writing to the debug log file


Hello.

We are at the step 0 of the migration from FRS to DFSR sysvol replication on Windows 2008R2 DC.

Every time I run DFSRMIG /GETMIGRATIONSTATE from PowerShell, it says:

"Unable to create DFSR Migration Log file. Error 1307.

All Domain Controllers have migrated successfully to Global state 'Start'.

Migration has reached a consistent state on all domain Controllers.

Succeeded."

It creates an event ID 1302 in the "DFS Replication" event log, explaining what error 1307 means: "This security ID may not be assigned as the owner of this object".

I already checked the space limits, quotas and permissions on C:\windows\debug according to the Microsoft support article, but I was unable to fix it.

However, new entries are still being added to the DFSR00095.txt log file despite this error. This is the only DFSRXXXX file that has not been archived into .GZ format and, I believe, it contains all DFSR diagnostics and events.

Here are some of the latest entries:

20150908 08:47:27.867 11616 SYSM  3354 Migration::SysVolMigration::GetSysVolReadyFlag [MIG] Sysvol Is Ready
20150908 08:47:27.867 11616 SYSM   456 Migration::SysvolMigrationTask::Step [MIG] Starting sharing out NTFRS SYSVOL because globalState is 'Start'
20150908 08:47:27.867 11616 CREG  2457 Config::RegWriter::SetSysVolReadyFlag Set key:System\CurrentControlSet\Services\Netlogon\Parameters valueNameSysvolReady value:1
20150908 08:47:27.867 11616 SYSM  1045 Migration::SysVolMigration::Migrate [MIG] Migrate to state 'Start'
20150908 08:47:27.867 11616 SYSM  1056 Migration::SysVolMigration::Migrate [MIG] Begin migrate count:1
20150908 08:47:27.867 11616 SYSM  4836 [WARN] Migration::SysVolMigration::SetLocalStateInLocalAd [MIG] (Ignored) Local Settings does not exist because DC is in START state.
20150908 08:47:27.867 11616 SYSM  1144 Migration::SysVolMigration::Migrate [MIG] Begin migrate: migration to state 'Start' completed
20150908 08:47:27.867 11616 SYSM  4376 Migration::SysVolMigration::DeleteRoMember [MIG] Deleting DFSR member object
20150908 08:47:27.867 11616 SYSM  4396 Migration::SysVolMigration::DeleteRoMember [MIG] Current global state is 'Start

I am hesitant to start Step 1 of the migration until that error is fixed or determined to be benign... Please, help!

Slava

remove crashed RODC


We had an RODC which crashed. It's not even booting up and it's totally dead.

How can I remove it from the PDC, since the AD Replication Status Tool shows errors?

Server 2012 R2

Download ADMT Setup x64


Hello,

Does anyone know if there is a version of ADMT that can be run on x64 machines?

On the Internet I have so far found only the 32-bit version.

Thanks in advance.

Kind regards,

RD


Multiple updatepassword endpoints?

Hello friend. Is it possible to create multiple endpoints that all point to the self-service password reset page in ADFS 3.0? I've enabled it following MS instructions, but I'd like to create multiple endpoints with different full URL addresses that all point to /adfs/portal/updatepassword. Please advise.

RPC error remote Event Viewer/remote dcdiag


Hi All,

I am writing code to perform an Active Directory health check. When I run dcdiag /s:<server name> /test:kccevent I get results for 80% of the servers, while on a few domain controllers it shows failed with an RPC error, although the same test passes locally. All other results except FRSEvent, KCCEvent and DFSREvent are fine.

I want to be more prepared before I reach out to the network guy to open port 135 for the few sites where the issue is occurring. Can you guys tell me if anything else can cause this?

Also, I would appreciate any suggestions on other important test results to add here, apart from dcdiag.

Thanks - Alok


Need to issue a SHA256 certificate from a CA with a SHA1 chain


I have searched a number of forums to find the answer to this.

My CA is based on Windows Server 2008 SP2.

I have found many answers which state that you need to edit the registry in order to get the CA to issue SHA256 certificates, but if this is the case then why is there a Hashing Algorithm setting on the Cryptography tab of the certificate templates?

This does not appear to do anything.

Any ideas anyone?

Thanks

JF

Moving from a .local to .com - Domains and Trust ad.company.com is setup but uncertain of next step


The domain in question is currently a .local Active Directory domain (company.local). In order to get external certificates to function properly, we need to roll it over to AD.company.us. I realize that completely hosing the domain is one way of going about this, but from what I've read I can also create a new UPN suffix (Domains and Trusts) to accomplish this.

Scenario I have:

Current Domain: company.local

New UPN Suffix in AD Domains and Trust: ad.company.us

Username: tuser

I then go and look at a user account's properties; I can see my new @ad.company.us UPN listed in the drop-down. I select that and jump over to the machine. My thought process says I need to add this account to the machine, which prompts me to do the following:

Hit the client machine, go through System Properties > Network ID > Add the User & Machine to the Domain. Upon doing so, I receive the following error message:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "AD.COMPANY.US":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.AD.COMPANY.US

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

192.168.0.251
192.168.0.250

- One or more of the following zones do not include delegation to its child zone:

AD.COMPANY.US
COMPANY.US
US
. (the root zone)

Reading through the message tells me a couple of things.  It could be a lack of an SRV record for AD.COMPANY.US, but it states in the response that they're automatically added.  I've created an Internal Lookup Zone with AD.COMPANY.US (I'm not sure if this plays into any success/failure). 

Am I heading down the right path for making servers work with .AD.COMPANY.US?

AD Schema - duplicate classchema object


Hi,

at a customer site there is a multidomain forest, one Schema master, sure :-).

The Default Security Permissions for the classSchema object "user" are not an option.
In the Default Security Permissions there are Domain Admins and so on.
The multi-domain forest contains a lot of companies and is managed by an external service provider.
If we create new user objects and organizational units for the datacenter,
every object ends up under the full rights of the external service provider, and we have to correct this.

For 30,000 users and a lot of changes, that is also not an option.

I know how to create a new classSchema, but how can I add a new user in the domain
of the subforest that uses the newly created class?
I've got the same subclass, but commands like dsadd do not accept a classSchema that I defined.

Is it possible to modify the dsadd function?

I've got a test environment, so don't hesitate to give me a hint.
I cannot find anything in the MCSE documentation or on the Internet, and tools like ADSIEdit do not have this option...

Thanks for ideas!

Bye Mathias Rühn

