
FRS Service Stopped


Dear,

I have three Windows Server 2008 domain controllers (one PDC and two ADCs). The FRS service stopped automatically on all of these servers, and when I restarted the FRS service it generated an error in the event log: "the domain controller is migrated to DFS for Replication of SYSVOL folder".

However, no SYSVOL_DFSR folder has been created on my domain controllers.

So I am not able to understand whether it is an issue or not.

Second, should I migrate all my other domain controller trees of the same forest to DFSR (is it good, and what is the risk level in doing this)?

Waiting for a response.

This is a very active forum where I always get a solution. Thanks to Microsoft and the contributors.


Wajahat
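An added example, not part of the original post, for checking what state the SYSVOL migration is actually in before touching any other domain controller. It assumes the Active Directory PowerShell module (RSAT) and admin$ access to each DC; dfsrmig.exe ships with Windows Server 2008 and later. If the global state reads "Eliminated", FRS being stopped is expected: the migration has already completed and the event text is accurate. The SYSVOL_DFSR folder under %windir% is created when the domain enters the "Prepared" state, so a reported migrated state with no such folder on any DC is the contradiction to resolve first.

```powershell
# Added example, not from the original post. Reports the FRS-to-DFSR
# migration state and the per-DC evidence (SYSVOL_DFSR folder, service
# states). Assumes the AD module and admin$ access to every DC.
Import-Module ActiveDirectory

# Global state stored in AD: Start (FRS), Prepared, Redirected, Eliminated (DFSR only).
dfsrmig /getglobalstate

# Per-DC state: all DCs must report the same state before moving on.
dfsrmig /getmigrationstate

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    # admin$ maps to %windir%; SYSVOL_DFSR appears there from the Prepared state.
    $hasDfsrFolder = Test-Path "\\$name\admin$\SYSVOL_DFSR"
    $frs  = Get-Service -ComputerName $name -Name NtFrs -ErrorAction SilentlyContinue
    $dfsr = Get-Service -ComputerName $name -Name DFSR  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC          = $name
        SysvolDfsr  = $hasDfsrFolder
        NtFrsStatus = if ($frs)  { $frs.Status }  else { 'not installed' }
        DfsrStatus  = if ($dfsr) { $dfsr.Status } else { 'not installed' }
    }
}
```

If the global state is "Eliminated" on every DC, the FRS service is meant to be stopped and the folder check is the thing to explain; if the DCs disagree with each other, do not start a second migration until they converge.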


SQL Login Issue


Good evening,

I get this error when trying to log in to SQL Server 2012 from a Windows Server 2008 R2 server.

"The target principal name is incorrect. Cannot generate SSPI context"

What is odd is this: I can connect to the other instance on the SQL server just fine. I can also connect to this instance from ANY other machine other than our Team Foundation server. That Team Foundation server can connect to our instance for Team Foundation but not to our SharePoint instance.

I have tried

klist /purge

ipconfig /flushdns

I don't see any other errors besides the one above.  I think I might have to start doing some tracing.  I could reboot the server but I would rather get to the bottom of this.

Any ideas?

-Tim
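An added example, not part of the original post, of the Kerberos checks behind "The target principal name is incorrect": the client obtained a ticket for an MSSQLSvc SPN, but the account that SPN is registered on is not the account running that instance (a stale or duplicate SPN is the usual cause). One client failing against one instance usually means that client requests a different SPN form (host:port vs host:instance) from the others. Hostname, instance name and port below are placeholders.

```powershell
# Added example, not from the original post. Checks the SPNs Kerberos uses
# for a named SQL Server instance. Placeholders: replace host, instance and port.
Import-Module ActiveDirectory

$sqlHost      = 'sqlhost.corp.example'   # FQDN the failing client connects to (assumed)
$instanceName = 'SHAREPOINT'             # failing named instance (assumed)
$instancePort = 1434                     # its TCP port (assumed)

# 1. Who holds the SPNs for host:port and host:instance? Two owners = duplicate.
setspn -Q "MSSQLSvc/${sqlHost}:${instancePort}"
setspn -Q "MSSQLSvc/${sqlHost}:${instanceName}"

# 2. Forest-wide duplicate SPN scan (slow in large forests).
setspn -X

# 3. Which account actually runs the instance? The SPN must live on that account.
$svc = Get-WmiObject Win32_Service -ComputerName $sqlHost -Filter "Name='MSSQL`$${instanceName}'"
"Instance $instanceName runs as: $($svc.StartName)"

# 4. Cross-check in AD: every object carrying the SPN, to compare with step 3.
Get-ADObject -LDAPFilter "(servicePrincipalName=MSSQLSvc/${sqlHost}:${instancePort})" `
             -Properties servicePrincipalName |
    Select-Object Name, ObjectClass, DistinguishedName

# 5. On the failing client: purge, reproduce, then see which ticket was requested.
klist purge | Out-Null
# ... reproduce the connection attempt here ...
klist | Select-String 'MSSQLSvc'
```

klist only sees the tickets of the logon session it runs in. When the failing client is a service such as Team Foundation running as SYSTEM, purge that session instead (`klist -li 0x3e7 purge`), otherwise the cached bad ticket survives the test.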

Large Backlogged SYSVOL

After converting completely to Active Directory DFSR on Windows Server 2012 servers, I am seeing large backlogged connections on my RODCs' SYSVOL. I believe these are leftover remnants from FRS. How do I tell, and how can I clear out these logs if they are?
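An added example, not part of the original post, that measures the SYSVOL backlog per RODC and puts it next to the migration state. It assumes the DFSR and Active Directory PowerShell modules (Windows Server 2012 or later) and that the RODCs replicate SYSVOL from the writable DC discovered below. Once dfsrmig reports "Eliminated", FRS no longer exists on any DC, so whatever backlog remains belongs to DFSR itself and is either stale content waiting on a connection that never completes or genuine churn.

```powershell
# Added example, not from the original post. Reports the SYSVOL backlog for
# each RODC and the migration state, so an FRS leftover can be told apart
# from a live DFSR backlog. Assumes the DFSR and AD PowerShell modules.
Import-Module DFSR
Import-Module ActiveDirectory

# 'Eliminated' means FRS is gone on every DC; any backlog is then DFSR's own.
dfsrmig /getglobalstate

# Writable DC the RODCs pull from (assumed to be the source side of the connection).
$hub = [string](Get-ADDomainController -Discover -Writable).HostName

foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    $backlog = @(Get-DfsrBacklog -GroupName 'Domain System Volume' -FolderName 'SYSVOL Share' `
                                 -SourceComputerName $hub -DestinationComputerName $rodc.HostName)
    [pscustomobject]@{
        RODC    = $rodc.HostName
        Backlog = $backlog.Count
        # The first waiting files show whether it is old content or live changes.
        Sample  = ($backlog | Select-Object -First 5 -ExpandProperty FullPathName) -join '; '
    }
}

# In-progress updates as DFSR on the hub sees them.
Get-DfsrState -ComputerName $hub | Select-Object -First 10
```

On a DC without the DFSR module the same figure comes from `dfsrdiag backlog /rgname:"Domain System Volume" /rfname:"SYSVOL Share" /smem:<hub> /rmem:<rodc>`. A backlog that never changes between two runs, with the same files listed, is a stuck connection rather than volume of change; a backlog that drains and refills is normal.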

Event ID 364


I keep getting the following error on both of our ADFS proxy servers.

Our setup is the following,

Two NLB ADFS proxy servers, with two ADFS servers with their own NLB. These errors occur regularly throughout the day, but the setup seems to be working fine from an end-user perspective.

Encountered error during federation passive request.

Additional Data

Exception details:
Microsoft.IdentityServer.Web.AuthenticationFailedException: MSIS8108: Authentication failed.
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

Event ID 256, 257, 457 Error


Dear

On my root domain server, three errors occurred in the Application log:

Event ID 256: Cryptographic Services failed to initialize the Catalog Database. Access is denied.

Event ID 257: Cryptographic Services failed to initialize the Catalog Database. The ESENT error was: 4001.

Event ID 412: Unable to read the header of log file.

I have tried to repair catroot2 as mentioned in the following article; the verification check was successful and found no integrity error:

        http://social.technet.microsoft.com/wiki/contents/articles/13827.windows-server-2008-event-id-257-system-catalog-database-integrity.aspx

The only error I have seen in the logs is -528 (log file is missing). I checked %systemroot%\system32\catroot2; edb.log is not there, however other files like edb600a, ... edb700A.log exist. However, when I tried to open the latest log file, i.e. edb0007A.log, an access denied error occurred.

Because of this access denied error, I cannot follow the instruction to create a new folder catroot2.old as mentioned in the article.

I have also disabled my antivirus on this server.

I require help in this regard.


Wajahat

Repetitive Event ID: 1309 Warning Web Event that is being generated over 50 times in a 24 hours


Hi,

Event ID 1309 keeps being generated on my Windows Server 2012 R2 server, and the worrisome part is this:

Exception message: A potentially dangerous Request.Path value was detected from the client (&).  

at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()

   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

 

I appreciate any professional suggestion.

Thanks

WF2016
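An added example, not part of the original post. Event 1309 with "A potentially dangerous Request.Path value was detected from the client (&)" is ASP.NET request validation rejecting a URL path containing one of the characters it refuses in a path (`<`, `>`, `*`, `%`, `:`, `\`, `?` by default, plus `&`), so the request never reached the application code. The question worth answering is who sends them: a link in your own application that puts `&` in the path (fix the link), or scanners and crawlers probing the site (nothing to fix; keep the validation on). The script scans IIS W3C logs for offending paths and groups them by client; the three log lines are constructed for the example, and the log directory is a placeholder.

```powershell
# Added example, not from the original post. Finds the requests behind
# ASP.NET event 1309 by scanning IIS W3C logs for path characters that
# request validation rejects. Sample lines below are constructed.
$sample = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2016-03-01 10:01:02 10.0.0.5 GET /pages/default.aspx - 443 198.51.100.7 Mozilla/5.0 200
2016-03-01 10:01:09 10.0.0.5 GET /pages/a&b.aspx - 443 203.0.113.9 curl/7.47.0 500
2016-03-01 10:01:15 10.0.0.5 GET /pages/x%3Cscript%3E.aspx id=1 443 203.0.113.9 curl/7.47.0 500
'@

# httpRuntime requestPathInvalidCharacters default set, plus '&' which the
# event above names. IIS logs the stem as received, so decode before testing.
$invalid = [char[]]'<>*%:\?&'

function Get-SuspiciousPaths {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line -like '#*' -or -not $fields -or -not $line.Trim()) { continue }
        $cols = $line -split ' '
        $row  = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        $decoded = [uri]::UnescapeDataString($row['cs-uri-stem'])
        if ($decoded.IndexOfAny($invalid) -ge 0) {
            [pscustomobject]@{
                Time   = $row['date'] + ' ' + $row['time']
                Client = $row['c-ip']
                Path   = $decoded
                Status = $row['sc-status']
                Agent  = $row['cs(User-Agent)']
            }
        }
    }
}

# Constructed sample: flags the '&' path and the encoded '<script>' path.
Get-SuspiciousPaths -Lines ($sample -split "`r?`n") | Format-Table -AutoSize

# Real logs, one site's directory at a time (path is a placeholder):
# $logDir = 'C:\inetpub\logs\LogFiles\W3SVC1'
# Get-ChildItem $logDir -Filter '*.log' |
#     ForEach-Object { Get-SuspiciousPaths -Lines (Get-Content $_.FullName) } |
#     Group-Object Client | Sort-Object Count -Descending
```

Loosening `requestPathInvalidCharacters` or dropping `requestValidationMode` to 2.0 in web.config makes the event disappear by letting those requests through; only do that if the grouped output shows the paths are your own application's and you have checked how it handles them.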

Replication error between two domains


Dears,

I have two domain controllers installed between two sites. When I run repadmin /replsum, the data collection for the replication summary shows me "operation encountered a database error". I think this issue is related to a corrupted NTDS database; kindly give any advice for a solution. Based on my search, I found a recommendation to look in the log files for event 467 for NTDS corruption. If the NTDS database is corrupted, how can I fix it?

Thanks..

ADFS and Office 365 - Different AD domain name and mail domain name


Hello, I am facing a problem. I am using Office 365 as my Exchange provider and now I want to synchronize AD with it. The problem is that the domain names and nomenclature for both of them are completely different:

AD: jjames@domain.com

O365: jhon.james@domainname.com

I was looking at Alternate Login ID, but I am not sure if it will help or if I am doomed to migrate one of them...

Any ideas?

Thanks!


One-way trust between 2012 R2 forest root and a child domain


I understand that in a 2012 R2 forest a two-way trust is automatically created between the root and each child domain. Is it even possible to change the root/child domain trust to a one-way trust? And if it is possible, are there pros and/or cons to using a one-way trust between the root and the child domains?

Any advice/comments/experience with the above scenario would be greatly appreciated.

Thanks,

J.

Assigning certificates with autoenrollment to an OU


How do I set up autoenrollment for certificates to an OU? I want to assign certificates if the machine belongs to an OU. I know how to set this up by security group, but how do I do this for a single OU and issue a certificate to any machine in that OU?

The directory service is missing mandatory configuration information and is unable to determine the ownership of floating single-master operation roles


We are migrating Active Directory from Windows Server 2008 R2 to Windows Server 2012. We have followed the migration steps from the link http://www.msserverpro.com/migrating-active-directory-domain-controller-from-windows-server-2008-r2-to-windows-server-2012/ and completed them successfully. But at the step of removing the old DC we got the error message "the directory service is missing mandatory configuration information and is unable to determine the ownership of floating single-master operation roles". Below is the screenshot after migrating the FSMO roles, but I cannot remove the old DC; its error message is shown in the screenshot below. Please help me with this ASAP, as I am stuck during a migration in a live environment.


Move some users to a new domain


Hi

I am working for a company where all users are authenticated to one domain, let's say companyA.local. Now management will form a subsidiary company and they want to create a new domain, for example companyB.local. Not all users will be moved; just about 50 users to start will be members of this new subsidiary and will have to be moved from the companyA.local domain to the companyB.local domain. The majority of the users will still remain on companyA.local, and the companyA.local domain will continue to exist.

I have already created the new domain and established a two-way trust between the two domains, and all is functional. Now we will have to move, as I stated, only some users to the new companyB.local domain.

How would you go about that? Would you use the Microsoft ADMT tool to move users, or some other method? I have never done anything like this. companyB.local is a new domain and the companyA.local domain will continue to exist and serve about 300 users. The trust is established and some test users have been created in the new domain, and they can access the old domain.


Dalibor Bosic

Server 2012 R2 password expiry notification not showing, and password GPO being ignored


Hi,

We have a domain running on two 2012 R2 domain controllers. We had a password and account lockout policy set in our Default Domain Policy, which had some basic password settings and no lockout policy. It also set a password expiry notification of 7 days.

We then wanted to set up fine-grained password policies, for which we were pointed towards the AD Administrative Center. We set up two password policies in here, one with basic requirements for the password and account lockout, and another with no password expiry. We set each of these to link to different groups.

This caused us some issues with accounts being locked out far too often, including system accounts, which stopped some services. We decided to remove these two password policies from the Administrative Center and go back to using our original settings in the GPO.

Oddly, accounts were still being locked out, even though our Default Domain Policy had no such settings. Also, our expiry notification stopped showing.

The only way I have found so far to fix the account lockout issue is to go back to the Administrative Center and create a policy with the same settings as in the GPO. This, unfortunately, has not fixed the expiry notification issue.

Is it possible the previous policies we had have left some remnant which is causing these problems? Can anyone advise what I can check to determine why our GPO was not applying as expected?

Many thanks

Eds

powershell - non-domain admin - grant AD userX permission to modify the membership of AD GroupY


I am a domain admin. If I run this script, it works fine: it grants curtisstest permission to write members on TestGroup.

"scorch" is not a domain admin, but he has full control of all descendant groups in the OU where TestGroup lives, confirmed by the security settings on TestGroup in the ADUC GUI.

 

Import-Module ActiveDirectory

$groupname = "TestGroup"
$manager = "curtisstest"
# rightsGuid of the "member" attribute
$membersPropertyGUID = [guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"
$group = Get-ADGroup $groupname
$targetgroupacl = Get-Acl "AD:\$($group.DistinguishedName)"
$managerSID = (Get-ADUser $manager).SID
# Allow WriteProperty on the member attribute only
$NewRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($managerSID, "WriteProperty", "Allow", $membersPropertyGUID)
$targetgroupacl.AddAccessRule($NewRule)
Set-Acl "AD:\$($group.DistinguishedName)" -AclObject $targetgroupacl

If "scorch" is the owner of TestGroup, when I run the script as "scorch", I get a permission denied error on the Set-Acl command.

If "scorch" is not the owner of TestGroup, when I run the script as "scorch", I get an error that says "this security ID may not be assigned as the owner of this object" on the Set-Acl command.

Again, "scorch" has full control of TestGroup.
Again, the script works if I run it as a domain admin.
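An added example, not part of the original post, of making the same delegation as an account that does not own the group. Set-Acl on the AD: drive writes back the whole security descriptor, owner included; a caller without SeRestorePrivilege may only set the owner to a SID it holds, which is where "this security ID may not be assigned as the owner of this object" comes from, and Full Control on the object does not change that rule. Writing only the DACL avoids the owner write entirely. The names are the post's; the domain and LDAP path are assumed.

```powershell
# Added example, not from the original post. Adds a WriteProperty ACE for
# the "member" attribute as a delegated (non-owner) admin by writing only
# the DACL through DirectoryEntry. Names are the post's; domain assumed.
Import-Module ActiveDirectory

$groupName = 'TestGroup'
$manager   = 'curtisstest'
# rightsGuid of the "member" attribute (schema constant)
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$group      = Get-ADGroup $groupName
$managerSid = (Get-ADUser $manager).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $managerSid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $memberGuid)

# Bind to the group and restrict the security descriptor operations to the
# DACL; this must be set before ObjectSecurity is first read.
$entry = [ADSI]"LDAP://$($group.DistinguishedName)"
$entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$entry.psbase.ObjectSecurity.AddAccessRule($rule)
$entry.psbase.CommitChanges()

# Verify the ACE landed (owner untouched).
(Get-Acl "AD:\$($group.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -like "*\$manager" -and $_.ObjectType -eq $memberGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType -AutoSize
```

The delegated account still needs WRITE_DAC (Modify permissions) on the group, which Full Control includes; what it no longer needs is the ability to assert ownership.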


WMI Repository Corruption on the machines which have SCCM Client installed


Hello All,

I have random WMI corruption on the machines which have SCCM clients installed. I am just using the workaround of rebuilding the repository, but after some days the repository gets corrupted and the same issue occurs.

-Keeping users from logging in (heavily delayed or not at all), spinning at the blue login screen.

-Computer hangs at logoff/shutdown.

-NIC lags on recognizing internet connection at startup.

-Programs running slow and crashing (Includes MS Office and IE).

-Windows crashing and getting black screens.

This is happening on most of the clients.

Thanks in advance.

Venky


Group Policy Password policy settings question


I am tasked with updating my infrastructure's GPOs and I came across something I do not get/understand.

The default domain password policy and the Default Domain Controllers Policy have different settings for the password policy.

On the password policy the minimum password age is set to 46, while the DC one is set to 59.

Is this normal / a good design?

or

Should I make it universal / all under one policy?
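An added example, not part of either this post or the earlier one about lockouts and expiry notifications, showing where an account's effective password and lockout settings come from. Two facts drive the output: for domain accounts, only GPOs linked at the domain root set the password policy (the Default Domain Policy by default), so a differing copy inside the Default Domain Controllers Policy is ignored for domain accounts; and a fine-grained password policy (PSO) overrides the GPO for every user or group it applies to, regardless of what the GPO says. It assumes the Active Directory PowerShell module; the user name is a placeholder.

```powershell
# Added example, not from the original posts. Shows which policy actually
# governs an account's password and lockout settings. Assumes the AD
# PowerShell module; the user name is a placeholder.
Import-Module ActiveDirectory

$user = 'jdoe'   # assumed sample account

# 1. Domain-wide policy, i.e. what the domain-root GPOs set. The Default
#    Domain Controllers Policy's copy does not feed this for domain accounts.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MinPasswordAge, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. The same values as the DCs are enforcing right now.
net accounts /domain

# 3. Fine-grained policies (PSOs) still present and their targets. Any PSO
#    here overrides step 1 for the principals in AppliesTo.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, AppliesTo, MaxPasswordAge, LockoutThreshold, LockoutDuration

# 4. The policy that governs one account. No output means the domain default applies.
Get-ADUserResultantPasswordPolicy -Identity $user

# 5. Who is locked out now; correlate with event 4740 on the PDC emulator,
#    which records the caller computer that sent the bad passwords.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
```

If step 3 is empty and step 1 shows no lockout threshold yet accounts still lock, the lockouts are not coming from a policy remnant; event 4740 on the PDC emulator names the machine submitting the bad credentials.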

NTP Server DNS record question


So I used the link below to set up/move over my domain's NTP server settings. In the step for the NtpServer key we have IPs listed, not "peers". The steps say the following (below). Of the 4 IPs listed, 2 of them do not have DNS records... Do I create a normal Host A record for them? Do I do anything differently?

"Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes that you make in step 5 will not take effect."

https://support.microsoft.com/en-us/kb/816042



To be more specific, we have 4 NTP servers listed. We want to get our time sync from left to right, but we are only able to get the time sync from the very end of the list.
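An added example, not part of the original post, setting the same NtpServer value with w32tm instead of editing the registry. An IP literal is a valid peer and needs no DNS record; a Host A record only matters if you want to refer to the server by name. On ordering: the time service does not try peers left to right. It polls every non-fallback peer and picks a source by its own quality checks, so "use the first one, and the others only if it fails" is expressed with the UseAsFallbackOnly flag (0x2), not by position in the list. Hostnames and IPs are placeholders.

```powershell
# Added example, not from the original post. Configures upstream NTP peers
# on the PDC emulator with w32tm. Run elevated. Peers are placeholders.
#
# Flag bits appended to each peer:
#   0x1 UseSpecialPollInterval  poll every SpecialPollInterval seconds
#   0x2 UseAsFallbackOnly       used only when no non-fallback peer answers
#   0x8 Client                  plain NTP client mode
# 0x9 = client + special interval; 0xb = the same, fallback only.
$primary   = 'ntp1.example.internal,0x9'
$fallbacks = @('ntp2.example.internal,0xb', '192.0.2.10,0xb', '192.0.2.11,0xb')
$peerList  = (@($primary) + $fallbacks) -join ' '

w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Verify: which peer was selected, its stratum, and the service's view of each peer.
w32tm /query /source
w32tm /query /status
w32tm /query /peers
```

`/reliable:yes` marks this DC as a trustworthy source for the rest of the domain hierarchy and belongs only on the PDC emulator; leave it off every other DC and member server, which should keep syncing from the domain hierarchy.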

How do I use long path names ("\\?\UNC\...") with Server 2008 roaming profiles?


Hey folks!

I administer a Windows Server 2008 R2 SP1 domain with about 40 users on Windows 7 SP1 clients. Because the users often switch between the many PCs, I am using roaming profiles, which tend to produce errors with different application-specific paths and files inside the users' profiles.

As one of many examples, our standard mail application Thunderbird produces paths and files according to the folders/subfolders and mails in a user's mailbox. Another one is Microsoft Office's AutoRecovery files, which reside in a user's profile and can get very long.

These paths and filenames often exceed the allowed maximum path of about 256 characters when (on logon or logoff) the synchronization process between the client and the server takes place, leading to errors in the event log and a notification to the user about the conflict:

"Event ID 1509 - Windows cannot copy file \\server\share\users\user123.v2\AppData\Roaming\looooong to location C:\Users\user123\AppData\Roaming\looooong. DETAIL - The filename or extension is too long."

In the long run this leads to different file versions on different clients which, in the case of Thunderbird, leads to missing mails.

After extensive searches and reading of forums, including this one, I haven't found a solution for this problem.

So my question is whether there's a way to use the extended max path with roaming profiles, and if so, how do I get it to work?

I tried changing the profile path of a test user in the Active Directory user properties from "\\server\share\profiles\test_user" to something like "\\?\UNC\server\share\profiles\test_user" without any change in the system's behaviour. Also, I think that because this is such a fundamental problem somebody must have come up with a solution for it...

Thanks in advance,

Nico


Restore-DfsrPreservedFiles "Path Too Long" Error


I'm attempting to run this on a file server where all replicated folders live on the D:\data drive. I am not sure why I would get a "Path Too Long" error, and the exception does not provide any clues as to what it doesn't like, or if it does, I am reading it wrong. Ideas, anyone?

-------------------------------------

PS C:\Users\Administrator> Restore-DfsrPreservedFiles -Path "D:\data\DfsrPrivate\ConflictandDeletedManifest.xml" -RestoreToPath "D:\backup\recovery\dfsrrecovery" -RestoreAllVersions -CopyFiles -Force -Verbose
VERBOSE: Loading preserved file manifest: "D:\data\DfsrPrivate\ConflictandDeletedManifest.xml"
VERBOSE: Restoring preserved files from manifest: "D:\data\DfsrPrivate\ConflictandDeletedManifest.xml"
Restore-DfsrPreservedFiles : The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters.
At line:1 char:1
+ Restore-DfsrPreservedFiles -Path "D:\data\DfsrPrivate\ConflictandDeletedManifest ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Restore-DfsrPreservedFiles], PathTooLongException
    + FullyQualifiedErrorId : System.IO.PathTooLongException,Microsoft.DistributedFileSystemReplication.Commands.RestoreDfsrPreservedFilesCommand
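An added example, not part of this post or the roaming-profile one above it, for finding which files actually breach the limit: both the profile copy at logon/logoff and Restore-DfsrPreservedFiles stop at the first path of 260 or more characters and neither names it. The cmdlet recreates each preserved file under its original relative path below -RestoreToPath, so a long restore root plus a deep original path can exceed 260 even when the source tree was fine; a short restore root such as D:\r is the usual workaround. As the profile post found, a \\?\ prefix in the profile path changes nothing, so the practical options there are shortening the offenders or excluding them with the "Exclude directories in roaming profile" Group Policy setting. The scan uses robocopy's list-only mode because Get-ChildItem on Server 2008 R2 cannot enumerate past MAX_PATH; roots are placeholders.

```powershell
# Added example, not from the original posts. Lists every file whose full
# path reaches the 260-character MAX_PATH limit under a root, using
# robocopy's list-only mode (long-path aware). Roots are placeholders.
function Get-LongPaths {
    param(
        [string]$Root,
        [int]$Limit = 259     # file paths must be < 260, directory names < 248
    )
    # /L list only, /S recurse, /XJ skip junctions, /FP full path;
    # /NC /NS /NDL /NJH /NJS strip class, size, directory lines and headers.
    # The destination is never written to in /L mode (placeholder path).
    $listing = robocopy $Root 'C:\robocopy-null-target' /L /S /XJ /FP /NC /NS /NDL /NJH /NJS
    foreach ($line in $listing) {
        $path = $line.Trim()
        if ($path -and $path.Length -gt $Limit) {
            [pscustomobject]@{ Length = $path.Length; Path = $path }
        }
    }
}

# Roaming profile share from the profile post (placeholder root):
Get-LongPaths -Root '\\server\share\profiles' | Sort-Object Length -Descending | Format-Table -AutoSize

# Replicated folder and its preserved files behind the manifest in this post:
Get-LongPaths -Root 'D:\data' | Format-Table -AutoSize
```

Run it against the restore root as well after a partial restore; the first path it reports there is the one the cmdlet tripped over, and shortening -RestoreToPath by that many characters is enough.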

Web enrollment not working on PKI server


Hi All,

I have migrated PKI from Windows Server 2008 R2 to Windows Server 2012 R2. Post-migration, everything is working fine except one thing: web enrollment on the PKI server. From any other client machine, web enrollment works perfectly. But from the ADCS server, it gives an error like "No certificate templates available", etc.

Can someone help us, please?
