Channel: Directory Services forum

Event ID 1224 ActiveDirectory DomainServices


Hi guys,

I have this event in the logs, which repeats very often.

An attempt by the local domain controller to automatically update information on one or more of the Computer object, the Settings object, or the Server object failed.
 
This operation will be tried again at the following interval.
 
Interval (minutes):
5
 
Additional Data
Error value:
13 Constraint Violation
0000200B: AtrErr: DSID-033E0FBC, #1:
 0: 0000200B: DSID-033E0FBC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
 
Internal ID:
32b0994

I've checked dcdiag and there were no errors shown, and this is an RODC. Could someone help? Thanks in advance.
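The event above names the servicePrincipalName attribute (Att 90303) and a constraint violation on the DC's own Computer object. The script below is an added example, not code from the post: it lists every SPN on a DC's computer object and queries the domain for any other object that carries the same value, since SPNs must be unique. The name RODC01 is a placeholder and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the forum post: inventory the servicePrincipalName values on a
# DC's computer object and look for the same SPN registered on any other object in the domain.
# RODC01 is a placeholder; requires the ActiveDirectory module on a domain member.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping for the characters that are special inside a filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-SpnConflict {
    param([Parameter(Mandatory)][string]$ComputerName)

    $dc = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName
    foreach ($spn in $dc.servicePrincipalName) {
        $filter = "(servicePrincipalName=$(ConvertTo-LdapFilterValue $spn))"
        # Any other object holding the same SPN violates uniqueness; the attribute is
        # checked by the DC on every write, so a duplicate makes the update fail.
        $others = Get-ADObject -LDAPFilter $filter -Properties objectClass |
                  Where-Object { $_.DistinguishedName -ne $dc.DistinguishedName }
        [pscustomobject]@{
            SPN         = $spn
            Length      = $spn.Length
            ConflictsOn = (@($others) | ForEach-Object { $_.DistinguishedName }) -join '; '
        }
    }
}

# Show only the SPNs that are registered somewhere else as well
Get-SpnConflict -ComputerName 'RODC01' | Where-Object { $_.ConflictsOn } | Format-Table -AutoSize
```

The query is domain-scoped; `setspn -X` performs the same duplicate search forest-wide and is the quicker first check when more than one domain is involved.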


Using ADSI Edit to manage Exchange


Not really sure if this post should go here or in the Exchange forum - I will try here first..

We are looking at moving our in-house, non-Exchange mail implementation to Office 365.  In doing so we would look to utilize ADFS to give us greater control over location-based access restrictions, a business requirement.

Given this, in reading about solving this issue I am finding that if I use ADFS, which requires DirSync - the 'copy' of my AD in Office365 is read only - all changes must be made in the on-prem AD.  This makes sense.

I am finding that the only *supported* way to manage Exchange in this scenario is to use ADSI Edit / Powershell to manage the individual Exchange attributes within Active Directory.

I think I've got 2 questions as of now - 

1.  I haven't been able to find any documentation on this.  Coming from a non-Exchange background, having to manage these by individual attributes, I am looking for some sort of information about what the attributes are (other than ms-Exch*), what they mean, and what the possible values are for these attributes.

2.  Are there any tools or products out there that can simplify this?

Thanks, 

sb
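For the first question above, the attribute definitions themselves are available in the AD schema. The script below is an added example, not code from the post or from Microsoft: it reads every Exchange attribute (cn ms-Exch-*, lDAPDisplayName msExch*) from the schema partition with its syntax and single/multi-valued flag, and then shows which Exchange attributes are actually populated on one user. The account name jdoe is a placeholder; the ActiveDirectory module is assumed.

```powershell
# Added example, not from the post: read the Exchange attribute definitions from the AD schema
# (name, syntax, single/multi-valued, max length, description) and show which of them are
# populated on a user. Requires the ActiveDirectory module; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

# attributeSyntax OIDs used by the AD schema, mapped to readable names
$syntaxName = @{
    '2.5.5.1'  = 'DN';                      '2.5.5.2'  = 'OID string'
    '2.5.5.4'  = 'Case-insensitive string'; '2.5.5.5'  = 'IA5/printable string'
    '2.5.5.6'  = 'Numeric string';          '2.5.5.8'  = 'Boolean'
    '2.5.5.9'  = 'Integer';                 '2.5.5.10' = 'Octet string'
    '2.5.5.11' = 'Generalized time';        '2.5.5.12' = 'Unicode string'
    '2.5.5.15' = 'Security descriptor';     '2.5.5.16' = 'Large integer'
    '2.5.5.17' = 'SID'
}

function Get-ExchangeSchemaAttribute {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # Exchange attributes are named ms-Exch-* (cn) and msExch* (lDAPDisplayName)
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(|(cn=ms-Exch-*)(lDAPDisplayName=msExch*)))' `
        -Properties lDAPDisplayName, attributeSyntax, isSingleValued, rangeUpper, adminDescription |
    ForEach-Object {
        $oid = $_.attributeSyntax
        [pscustomobject]@{
            Attribute   = $_.lDAPDisplayName
            Syntax      = if ($syntaxName[$oid]) { $syntaxName[$oid] } else { $oid }
            SingleValue = $_.isSingleValued
            MaxLength   = $_.rangeUpper
            Description = $_.adminDescription
        }
    } | Sort-Object Attribute
}

function Get-UserExchangeAttribute {
    param([Parameter(Mandatory)][string]$Identity)
    # Exchange also depends on a few attributes that do not carry the msExch prefix
    $extra = 'mail', 'mailNickname', 'proxyAddresses', 'targetAddress', 'legacyExchangeDN', 'homeMDB', 'showInAddressBook'
    $u = Get-ADUser -Identity $Identity -Properties *     # returns only attributes that are set
    $u.PSObject.Properties |
        Where-Object { ($_.Name -like 'msExch*' -or $_.Name -in $extra) -and $null -ne $_.Value } |
        ForEach-Object { [pscustomobject]@{ Attribute = $_.Name; Value = (@($_.Value) -join '; ') } }
}

Get-ExchangeSchemaAttribute | Format-Table -AutoSize
Get-UserExchangeAttribute -Identity 'jdoe' | Format-Table -AutoSize
```

The schema tells you name, syntax and cardinality; what a given value means (for example the bit flags inside msExchRecipientTypeDetails) is Exchange's own semantics and has to come from Exchange documentation, not from the schema.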

 

Administrator account and domain admin account


Hello,

I have a query about the Administrator and Domain Admin accounts:

1) Does the Administrator account have full access to all the domain controllers in that domain? Also, what level of access does it have on other machines in the domain?

2) Domain Admins have full control over all DCs, workstations and all the machines; correct me if I am wrong.

Also, let me know if the Domain Admins group and the Administrators group are the same once a machine is added to the domain.


Paramesh KA

How to secure Hosting Active Directory


Hello,

We are planning to have hosting, and there we will host Active Directory. We are going to have 10 clients. I hope that someone can help us with tips on how to secure information so that customers can't see each other and can't find information from another domain.

AD Migration & Synchronization


Hi,

I have to synchronize the data between the Business Units of my company and the central platform.

At that moment I have a domain at my Business unit and another Domain at the platform.

I have to migrate all the users and computers from the BU to the platform and then install an RODC at the business unit which will have the data of the platform(read only). The only problem is that the users of the business unit are present in the AD local but also on the AD of the platform. In the AD local I have the users and computers but on the AD of the platform I have only the users, that were created because some applications needed this.

My question is: how can I do the migration so that I won't have two times the users. Can I migrate the computers and assign them the users that are already on the AD of the platform? Is there any other solution for this type of migration?

I thought of migrating the domain of the business unit to be in the same domain as the platform's (uninstalling the AD of the BU, then migrating it as a member server of the platform and then reinstalling the AD). The only problem is the users which are already on the platform.

Any help would be appreciated!

Applications can't bind to AD LDS


I have successfully set up AD LDS, extensively extending the schema to add numerous new attributes for several applications. I have also set up SSL and have been successful in doing all the bind scenarios via ADSI Edit and Ldp. I can also bind and pull back any information I wish via PowerShell.  Everything appears to be working correctly.

Now when I had customers attempt to point to AD LDS with their apps, they can't bind. For example, GADS (Google Apps Directory Sync) is one of them. We would like to point to AD LDS to pull several attributes. I can't get GADS to connect to AD LDS. If I point to an AD DS (Domain Controller) it connects great, but not if I point to AD LDS. I can use ADSI Edit on the server that GADS would be running on and with that tool I am successfully connecting, just not through the GADS connection. The same holds true for other applications (JAMF is another example).

I can't believe that AD LDS would be deployed if it only works with some things and not others. I have spent a lot of time searching the web and trying many different suggestions. Nothing seems to be working. 

Has anyone had issues using non-Windows applications authenticating users through AD LDS (userProxyFull)? If yes, what should I try? 

I had my customer call support on four different apps and they all state that they don't support AD LDS. I don't know if they really don't or just don't understand what AD LDS is supposed to be. In reading over all the Microsoft info on AD LDS, it appears to be exactly what I want, but if it doesn't work (or I just can't make it work) then I will have to pursue other solutions.

Thanks in advance 
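ADSI Edit and Ldp bind with Windows credentials and Windows certificate validation; a non-Windows product usually does an LDAP simple bind over SSL and validates the certificate itself. The script below is an added example, not code from the post or from any of the products named in it: it reproduces that simple bind with System.DirectoryServices.Protocols so the LDAP result code is visible, and separately reads the certificate the AD LDS instance presents on its SSL port. Host name, port, bind DN, partition DN and password are placeholders.

```powershell
# Added example, not from the post: do the same simple bind over SSL that a non-Windows LDAP
# client performs, and read the certificate the AD LDS instance presents on the SSL port.
# Server, port, bind DN, partition DN and password are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapServerCertificate {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept any certificate here: the goal is to see what is presented, not to trust it
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Subject  = $cert.Subject       # a non-Windows client matches the host it was given against Subject/SAN
            SubjectAltName = $san
            Issuer   = $cert.Issuer        # must chain to a CA the application's trust store knows
            NotAfter = $cert.NotAfter
        }
    } finally { $ssl.Dispose(); $tcp.Close() }
}

function Test-LdapSimpleBind {
    param(
        [Parameter(Mandatory)][string]$Server,           # must match the certificate name
        [int]$Port = 636,
        [Parameter(Mandatory)][string]$BindDn,           # DN of the userProxyFull (or user) object
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$PartitionDn       # application partition the app will search
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic    # LDAP simple bind
    $cred = New-Object System.Net.NetworkCredential($BindDn, $Password)
    try {
        $conn.Bind($cred)
        # A bind that works but a search that fails points at the base DN or at ACLs on the partition
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    $PartitionDn, '(objectClass=*)',
                    [System.DirectoryServices.Protocols.SearchScope]::Base, 'distinguishedName')
        $resp = $conn.SendRequest($req)
        [pscustomobject]@{ Bind = 'OK'; BaseSearch = "$($resp.Entries.Count) entry"; Detail = '' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # 49 = invalid credentials, 81 = server unavailable (typically the TLS handshake failed)
        [pscustomobject]@{ Bind = 'FAILED'; BaseSearch = ''
                           Detail = "LDAP $($_.Exception.ErrorCode): $($_.Exception.Message) $($_.Exception.ServerErrorMessage)" }
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        [pscustomobject]@{ Bind = 'OK'; BaseSearch = 'FAILED'; Detail = $_.Exception.Response.ResultCode }
    } finally { $conn.Dispose() }
}

Get-LdapServerCertificate -Server 'lds01.example.com' | Format-List
$pw = Read-Host -AsSecureString -Prompt 'Bind password'
Test-LdapSimpleBind -Server 'lds01.example.com' -BindDn 'CN=svc-gads,OU=Proxies,DC=app,DC=example' `
                    -Password $pw -PartitionDn 'DC=app,DC=example' | Format-List
```

Two things this separates out: a userProxy/userProxyFull bind is redirected to AD DS and AD LDS refuses that redirection on a non-SSL connection by default, so the SSL leg has to succeed first; and the certificate's subject or SAN has to match the host name the application was configured with and chain to a CA in the application's own trust store, not the Windows store.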

Unknown User Reference on Folder Security


I have found 6 unknown users on one of my folders. The icon is a question mark (?) and a face profile. The names are all like this:

S-1-5-21-343818398-1390067357-839522115-500

S-1-5-21-343818398-1390067357-839522115-512

S-1-5-21-343818398-1390067357-839522115-513

S-1-5-21-343818398-1390067357-839522115-515

 

All the same except the last 3 digits. Anyone know why they are there and is it safe to assume removing them will not harm anything?

 

 

Thanks

Grajek
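The four SIDs quoted above share one domain identifier (S-1-5-21-343818398-1390067357-839522115) and end in the relative IDs 500, 512, 513 and 515, which every AD domain issues to Administrator, Domain Admins, Domain Users and Domain Computers. A SID with a familiar RID but an unresolvable domain part refers to a domain this computer can no longer look up, typically a former domain. The script below is an added example, not from the post: it lists every ACE on a folder whose SID no longer resolves, decodes the domain SID and RID, and notes whether the ACE is inherited. The folder path is a placeholder.

```powershell
# Added example, not from the post: list the ACEs on a folder whose SID no longer resolves and
# decode the domain part and RID of each, so the orphaned entries can be judged before removal.
# The folder path is a placeholder.
function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)

    # RIDs that every AD domain issues for its built-in principals
    $wellKnownRid = @{
        '500' = 'Administrator';    '501' = 'Guest';              '502' = 'krbtgt'
        '512' = 'Domain Admins';    '513' = 'Domain Users';       '514' = 'Domain Guests'
        '515' = 'Domain Computers'; '516' = 'Domain Controllers'; '518' = 'Schema Admins'
        '519' = 'Enterprise Admins'; '520' = 'Group Policy Creator Owners'
    }
    $myDomainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # IdentityReference is an NTAccount when the SID resolved and a raw SID when it did not
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        try {
            [void]$sid.Translate([System.Security.Principal.NTAccount])
            continue                                   # resolvable: not an orphan
        } catch [System.Security.Principal.IdentityNotMappedException] { }

        $rid       = $sid.Value.Split('-')[-1]
        $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '' }
        [pscustomobject]@{
            Sid          = $sid.Value
            DomainSid    = $domainSid
            IsThisDomain = ($null -ne $sid.AccountDomainSid -and $sid.AccountDomainSid -eq $myDomainSid)
            Rid          = $rid
            WellKnownRid = $wellKnownRid[$rid]
            Rights       = $ace.FileSystemRights
            Type         = $ace.AccessControlType
            Inherited    = $ace.IsInherited          # inherited ACEs have to be removed on the parent
        }
    }
}

Get-OrphanedAce -Path 'D:\Shares\Projects' | Format-Table -AutoSize
```

If IsThisDomain is true for an orphan, the object was deleted from the current domain; if it is false, the entries belong to another domain (an old domain, or a trust that no longer exists) and nothing in the current domain can use them.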

Demote offline Windows 2003 domain controller


We have mixed Windows 2003 and 2008 domain controllers. One of the 2003 domain controllers has been offline for almost a year due to a network connectivity issue. Now I can bring it back to the network, but my concern is that it may have exceeded the tombstone period and could cause problems in AD.

Now I would like to remove this offline DC from the AD. My plan is not to bother bringing it online and to go ahead with the manual removal procedure. Is this the best way at this point? If I run the metadata cleanup, does it matter if I do this from a 2003 DC or a 2008 DC?

Thanks for any advice.

Calvin
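Whether the DC is past the tombstone lifetime is something the remaining DCs can answer: the forest's tombstoneLifetime is stored on the Directory Service object, and a healthy partner still records when it last replicated successfully from the offline DC. The script below is an added example, not from the post: it compares the two and prints the ntdsutil command for the metadata cleanup of that server object. Names are placeholders; the AD module is assumed, queried against a 2008 R2 DC (the module needs ADWS on the DC it talks to).

```powershell
# Added example, not from the post: compare how long the offline DC has been out of
# replication with the forest's tombstone lifetime, then print the metadata cleanup command.
# Names are placeholders; needs the ActiveDirectory module and a 2008 R2 DC to query.
Import-Module ActiveDirectory

function Get-StaleDcReport {
    param(
        [Parameter(Mandatory)][string]$StaleDc,   # the DC that has been offline
        [Parameter(Mandatory)][string]$OnlineDc   # a healthy partner that used to replicate from it
    )
    $configNC = (Get-ADRootDSE -Server $OnlineDc).configurationNamingContext

    # tombstoneLifetime lives on the Directory Service object; forests created before
    # 2003 SP1 leave it unset, and AD then uses 60 days.
    $dsObj = Get-ADObject -Server $OnlineDc -Properties tombstoneLifetime `
                 -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

    # Last successful inbound replication from the stale DC, as recorded on the online partner
    $lastSuccess = repadmin /showrepl $OnlineDc /csv | ConvertFrom-Csv |
        Where-Object { $_.'Source DSA' -eq $StaleDc -and $_.'Last Success Time' -match '^\d{4}-' } |
        ForEach-Object { [datetime]$_.'Last Success Time' } | Sort-Object | Select-Object -Last 1
    $daysSilent = if ($lastSuccess) { [int]((Get-Date) - $lastSuccess).TotalDays } else { $null }

    # The server object DN is the argument ntdsutil's "remove selected server" expects
    $server = Get-ADObject -Server $OnlineDc -SearchBase "CN=Sites,$configNC" `
                  -LDAPFilter "(&(objectClass=server)(cn=$StaleDc))"

    [pscustomobject]@{
        StaleDc                = $StaleDc
        TombstoneLifetimeDays  = $tsl
        LastInboundSuccess     = $lastSuccess
        DaysWithoutReplication = $daysSilent
        PastTombstoneLifetime  = ($null -ne $daysSilent -and $daysSilent -gt $tsl)
        ServerObjectDn         = $server.DistinguishedName
        CleanupCommand         = "ntdsutil `"metadata cleanup`" `"remove selected server $($server.DistinguishedName)`" quit quit"
    }
}

Get-StaleDcReport -StaleDc 'OLD2003DC' -OnlineDc 'DC2008A' | Format-List
```

When PastTombstoneLifetime comes back true, the DC must not be reconnected: it would reintroduce objects the rest of the forest has already deleted. After the cleanup, check DNS (the DC's A, SRV and NS records) and the Sites and Services computer and server objects for leftovers the cleanup did not remove.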


System.DirectoryServices.Protocols, replace of boolean attribute (non-ad) not working


hello there,

I am writing PowerShell functions to read and modify NetIQ eDirectory script-wise using System.DirectoryServices.Protocols. I am stuck with trying to do a replace or add of single-valued attributes with boolean syntax. Deletes work.

I tested all different kinds of things (e.g. [Byte[]] in DirectoryAttributes, 0/1, putting it in double quotes and whatnot ...). I think it should accept [String[]] $val = 'TRUE' or [String] $val = 'TRUE', but the server just returns an error ...

>>Error is: Syntax invalid (from protocols) and 'NDS error: no additional
information available (-306)] trying to modify cn=xxx,ou=xxx,o=xxx'

I'd be glad to get helpful advice, Florian
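For reference, the LDAP Boolean syntax (RFC 4517) carries the bare strings TRUE or FALSE on the wire, and a single-valued attribute takes exactly one value in a Replace. The script below is an added example, not the poster's code: it builds that modification with System.DirectoryServices.Protocols and returns the server's result code and diagnostic text instead of letting the exception escape. Host, bind DN, object DN and the attribute name are placeholders; the bind is a simple bind over SSL.

```powershell
# Added example, not the poster's code: replace a single-valued boolean attribute through
# System.DirectoryServices.Protocols and surface the server's result code and error text.
# Host, DNs and attribute name are placeholders; the bind is a simple bind over SSL.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Ldap {
    param([string]$Server, [int]$Port = 636, [string]$BindDn, [securestring]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Bind((New-Object System.Net.NetworkCredential($BindDn, $Password)))
    $conn
}

function Set-LdapBooleanAttribute {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)][string]$Dn,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][bool]$Value
    )
    # RFC 4517 Boolean syntax: the value on the wire is the bare string TRUE or FALSE,
    # upper case, no quotes; a single-valued attribute gets exactly one value.
    $text = if ($Value) { 'TRUE' } else { 'FALSE' }
    $mod  = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = $Attribute
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add($text)      # string overload: sent as the UTF-8 octets of TRUE / FALSE
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest($Dn, $mod)
    try {
        $resp = $Connection.SendRequest($req)
        [pscustomobject]@{ Dn = $Dn; Attribute = $Attribute; Sent = $text
                           Result = $resp.ResultCode; Detail = $resp.ErrorMessage }
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Non-success result codes surface here; Response carries the server's diagnostic text
        $r = $_.Exception.Response
        [pscustomobject]@{ Dn = $Dn; Attribute = $Attribute; Sent = $text
                           Result = $r.ResultCode; Detail = $r.ErrorMessage }
    }
}

# Usage with placeholder values
$pw   = Read-Host -AsSecureString -Prompt 'Bind password'
$conn = Connect-Ldap -Server 'edir01.example.com' -BindDn 'cn=admin,o=example' -Password $pw
Set-LdapBooleanAttribute -Connection $conn -Dn 'cn=jdoe,ou=users,o=example' `
                         -Attribute 'someBooleanAttribute' -Value $true | Format-List
$conn.Dispose()
```

If the server still answers with an invalid-syntax result for a value sent this way, the next place to look is the attribute's definition in the server's own schema (its syntax and whether it is really single-valued), which an ldapsearch of the subschema subentry will show; the client-side value type cannot be the cause at that point.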

NTFRS topology replication issues in 2008 R2 domain


Dear all experts,

I have an ongoing issue that has been plaguing me for a long time.  Basically my FRS is partially broken and I'm not 100% sure it's because of incorrect connection topology configuration or something else. 

My network and infrastructure is setup as follows;

2 x Windows Server 2008 R2 STD Domain Controllers at Head Office (HO) - One contains FSMO, other is just a GC and our secondary/backup DC.  Let's call them HODC1 and HODC2

16 x Windows Server 2008 R2 Domain Controllers (all 18 DCs are located at 18 remote retail stores).  All are configured for AD, DNS, Global Catalog. 

2 x Windows Server 2012 R2 Domain Controllers (individual store DCs).

In regards to my network and for security reasons, my company has opted to configure networking and routes in such a way to NOT ALLOW remote locations to see/talk to each other across the network.  In other words, none of my remote domain controllers can talk to each other except the two at HO.  The HO DCs can talk to all store DCs without issue.

My question is: How do I configure NTFRS on HODC1/HODC2 to push updates down to the other 18 DCs when AD changes are made but still be able to make changes between themselves (ie: one-way replication)?  Do I have to disable Inter/Intra-Site connections on all 18 remote locations and only enable it on HODC1 and HODC2?

I'm seeing a lot of 13508 errors on several DCs including HODC1.  Just want to fix NTFRS once and for all before I attempt to migrate from FRS to DFS since FRS is a legacy technology and my forest level is currently 2008 R2.  Apparently DFS is a far better solution.  

Any and all help/advice is appreciated.

If you require any test results to be run, please feel free to ask because I didn't want to bloat this post with a bunch of unneeded results.

Thanks in advance,

SaGe69


Active directory 2008 -Event log 2029-This server is the owner of the following FSMO role, but does not consider it valid.


Dear All, I am having an Active Directory problem: the FSMO role seems not to be valid even though it is on the primary server.

Any help will be valuable.

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: DC=xx-KO,DC=xx,DC=ORG

User Action:

1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.

2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.

3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

The following operations may be impacted:

Schema: You will no longer be able to modify the schema for this forest.

Domain Naming: You will no longer be able to add or remove domains from this forest.

PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.

RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.

Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
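Step 2 of the event's user action is `repadmin /showrepl`; its CSV output can be filtered so that only the role holders' failing inbound partners remain, which are the ones blocking validation. The script below is an added example, not part of the event text: it lists the five role holders and, for each, the inbound replication failures repadmin currently reports. The ActiveDirectory module is assumed.

```powershell
# Added example, not part of the event text: list the five FSMO holders and, from
# repadmin's CSV output, the inbound replication failures each holder currently has.
# Requires the ActiveDirectory module and repadmin on the machine running it.
Import-Module ActiveDirectory

function Get-FsmoReplicationHealth {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $holders = [ordered]@{
        Schema         = $forest.SchemaMaster
        DomainNaming   = $forest.DomainNamingMaster
        PDC            = $domain.PDCEmulator
        RID            = $domain.RIDMaster
        Infrastructure = $domain.InfrastructureMaster
    }

    # repadmin /showrepl * /csv: one row per (destination DSA, source DSA, naming context)
    $rows     = repadmin /showrepl * /csv | ConvertFrom-Csv
    $failures = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }

    foreach ($role in $holders.Keys) {
        $holderHost = ($holders[$role] -split '\.')[0]          # CSV uses the short DSA name
        $inbound = @($failures | Where-Object { $_.'Destination DSA' -eq $holderHost })
        [pscustomobject]@{
            Role           = $role
            Holder         = $holders[$role]
            FailingInbound = $inbound.Count
            FailingSources = ($inbound | ForEach-Object { $_.'Source DSA' } | Sort-Object -Unique) -join ', '
            FailureStatus  = ($inbound | ForEach-Object { $_.'Last Failure Status' } | Sort-Object -Unique) -join ', '
        }
    }
}

Get-FsmoReplicationHealth | Format-Table -AutoSize
# Detail for one holder, errors only:
#   repadmin /showrepl DC01 /errorsonly
```

A holder with FailingInbound greater than zero on the partition that carries the role cannot validate it, as the event says; fix the status shown in FailureStatus (DNS, RPC connectivity or Kerberos are the usual ones) and the warning clears on the next successful inbound cycle.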

How to Join Computer to a Domain (When DNS name does not exist)

When you are going to join any computer to the domain controller, the following error will appear on your computer screen.

Full Error Message

Note: This information is intended for a network administrator.  If you are not your network’s administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller for domain saqibullah.com:

The error was: “DNS name does not exist.”
(error code 0x0000232B RCODE_NAME_ERROR) The query was for the SRV record for _ldap._tcp.dc._msdcs.saqibullah.com Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following 
IP addresses:

192.168.109.143

- One or more of the following zones do not include delegation to its child zone: Saqibullah .com . (the root zone) For information about correcting this problem, click Help.
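The error says which record was queried (_ldap._tcp.dc._msdcs.saqibullah.com) and which DNS server the client asked (192.168.109.143), so the first check is to ask that exact server for that exact record. The script below is an added example, not from the post: it queries the locator SRV records a join needs against the client's configured DNS server and checks that each SRV target also resolves to an address. It uses the domain name and DNS address quoted above; Resolve-DnsName needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the post: ask the DNS server the client actually uses for the
# locator records a domain join needs, and check that each target host also resolves.
# The domain name and DNS server address are the ones quoted in the error above.
function Test-DcLocatorRecord {
    param(
        [string]$Domain    = 'saqibullah.com',
        [string]$DnsServer = '192.168.109.143'
    )
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",       # the record the join wizard queried
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain"
    )
    foreach ($name in $names) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            foreach ($r in $srv) {
                $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' }
                [pscustomobject]@{ Record = $name; Target = $r.NameTarget; Port = $r.Port
                                   TargetIp = (@($a.IPAddress) -join ', ') }
            }
        } catch {
            # NXDOMAIN (RCODE_NAME_ERROR) lands here: the record is missing, or this server
            # does not host the zone and has no forwarder that does
            [pscustomobject]@{ Record = $name; Target = 'NOT FOUND'; Port = ''; TargetIp = $_.Exception.Message }
        }
    }
}

Test-DcLocatorRecord | Format-Table -AutoSize
# On the DC itself, re-register its records and check that they appear afterwards:
#   ipconfig /registerdns
#   nltest /dsregdns
```

If the records are missing on 192.168.109.143 but present on the DC's own DNS server, the client is simply pointed at the wrong server (an ISP or router address is the usual case); if they are missing everywhere, the DC's Netlogon registration failed and the DC's own DNS client settings are the place to look.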

RPC Error 1753 There are no more endpoints available from the endpoint mapper


Hello Everyone,

I am having an issue with my primary domain controller. The issue I am having is that the secondary domain controller is not replicating to the primary domain controller. There is an error when forcing replication that the server displays stating that there are no more endpoints available from the endpoint mapper. My primary domain controller is also my federation server that syncs with Azure for directory sync with Office 365. I have run through all troubleshooting steps listed on every site I can find with RPC 1753 errors, and all I can find is a way to verify that I am having the error, which I most certainly am. But nowhere has an answer as to how to fix the issue with the endpoint mapper. I can't seem to find a solution as to how to fix the RPC error. I have verified that the RPC service is running and set to automatic and that the endpoint mapper is also working correctly, running and automatic. All the changes have been made to the secondary server and are not appearing on the primary server. Both of them are GCs so I am not having any issue with logging in or connecting to the servers. But any time a change is made to an account or a computer is added to the domain, it only shows up on the secondary domain controller. DNS is working correctly and port 135 is listening on the problem server, so it does not appear to be a firewall issue, as the firewalls are turned off on the servers while I am troubleshooting this. So it is not a firewall error or port error. Both services are running so it is not a stopped service. I can not change any of the options for the RPC services though, which I don't know if that is correct or not. I am really looking for a solution and not another way to figure out if I am having the problem, because as you can see I am having the problem but have no solution. Please let me know what logs I can send or info I can supply to help resolve this issue.

I could of course erase everything and start over from scratch but I really, really don't want to do that because of all the specific installations and files I have on the server along with accounts and passwords of my company. If that is the only solution then so be it, but I want to try everything possible before reimaging. Please let me know what further information you may need or anything I can try to correct this error. Thank you very much in advance for all your help!

Not able to use Static RPC Port number 49152 and 49154 on Domain Controllers


Hi

I just want to confirm that on Windows Server 2008 R2 (or later) Domain Controllers, whether we can use Port Number 49152 and 49154 as Static ports for NTDS and Netlogon or not ?

We have set these ports for NTDS and Netlogon (KB224196) but they won't be used. It seems these port numbers have been hard-coded for other services: WinInit.exe is using 49152 and multiple services are using 49154, as depicted below.

The services' associated registrations/entries in EPMAP on a 2008 R2 Domain Controller look like:

UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_ip_tcp:127.0.0.1[49152]



UUID: 86d35949-83c9-4044-b424-db363231fd0c
ncacn_ip_tcp:127.0.0.1[49154]

UUID: 98716d03-89ac-44c7-bb8c-285824e51c4a XactSrv service
ncacn_ip_tcp:127.0.0.1[49154]

UUID: a398e520-d59a-4bdd-aa7a-3c1e0303a511 IKE/Authip API
ncacn_ip_tcp:127.0.0.1[49154]

UUID: 552d076a-cb29-4e44-8b6a-d15e59e2c0af IP Transition Configuration endpoint
ncacn_ip_tcp:127.0.0.1[49154]

UUID: 30b044a5-a225-43f0-b3a4-e060df91f9c1
ncacn_ip_tcp:127.0.0.1[49154]

UUID: c9ac6db5-82b7-4e55-ae8a-e464ed7b4277 Impl friendly name
ncacn_ip_tcp:127.0.0.1[49154]

UUID: 8c7daf44-b6dc-11d1-9a4c-0020af6e7c57
ncacn_ip_tcp:127.0.0.1[49154]

So if we really do have some of these services hard-coded to use 49152 and 49154, please provide me some URL stating so.

In Windows Server 2003, we didn't have any issues using these Static Ports on Domain Controllers but not anymore.

Please assist


OS ... VirTuaLiZaTioN ... MaxiMuS ... Fair, Good, Better, Best
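The ports in this post are not hard-coded to particular services: on Windows Vista / Server 2008 and later the dynamic RPC range starts at 49152, so 49152 and 49154 are simply the first ports handed out to whichever RPC servers register earliest at boot, which is why Windows Server 2003 (dynamic range 1025 and up) never showed the collision. This also bears on the RPC 1753 post above, where the endpoint mapper cannot hand out an endpoint for NTDS: if the configured static port is already owned by another process, the directory service never registers one. The script below is an added example, not from either post: it reads the two static-port registry values from KB224196, reads the dynamic range, and shows which process owns each configured port (NTDS and Netlogon both run inside lsass.exe). It parses netstat so it also works on 2008 R2.

```powershell
# Added example, not from the post: read the static ports configured for NTDS and Netlogon
# (KB224196), compare them with the dynamic port range, and show which process actually owns
# each port. NTDS and Netlogon live in lsass.exe, so any other owner means the port was
# taken by something else before the directory service could bind it.
function Get-DcRpcPortStatus {
    $cfg = [ordered]@{
        'NTDS     (HKLM\...\Services\NTDS\Parameters\TCP/IP Port)'    =
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue).'TCP/IP Port'
        'Netlogon (HKLM\...\Services\Netlogon\Parameters\DCTcpipPort)' =
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue).DCTcpipPort
    }

    # Dynamic range: defaults to 49152-65535 on Vista/2008 and later
    $dyn      = netsh int ipv4 show dynamicport tcp | Out-String
    $dynStart = [int][regex]::Match($dyn, 'Start Port\s*:\s*(\d+)').Groups[1].Value
    $dynCount = [int][regex]::Match($dyn, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value

    # LISTENING sockets with owning PID, parsed from netstat so this works on 2008 R2 too
    $listen = @{}
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') { $listen[[int]$matches[1]] = [int]$matches[2] }
    }

    foreach ($name in $cfg.Keys) {
        $port = $cfg[$name]
        if (-not $port) {
            [pscustomobject]@{ Setting = $name; Port = '(not set)'; Owner = ''; OwnedByLsass = ''; InDynamicRange = '' }
            continue
        }
        $ownerPid = $listen[[int]$port]
        $owner = if ($ownerPid) { (Get-Process -Id $ownerPid -ErrorAction SilentlyContinue).ProcessName } else { '(nothing listening)' }
        [pscustomobject]@{
            Setting        = $name
            Port           = $port
            Owner          = $owner
            OwnedByLsass   = ($owner -eq 'lsass')
            InDynamicRange = ($port -ge $dynStart -and $port -lt ($dynStart + $dynCount))
        }
    }
}

Get-DcRpcPortStatus | Format-Table -AutoSize
```

A static port that reports InDynamicRange true is always at risk of being taken first; either pick static ports outside the range the machine hands out, or move the dynamic range itself (`netsh int ipv4 set dynamicport tcp start=<port> num=<count>`, and the same for ipv6) so that the chosen static ports no longer fall inside it, then reboot and run the check again.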



4625 & 4776 Errors on DC


I am seeing Event ID errors 4625 & 4776 in the security logs on the Domain Controllers. Our Intranet DC have a one way trust with our DMZ DCs (DMZ trusts Intranet). On the Intranet DCs the errors show failed login due to "Unknown user name or bad password" for the machine account. The DMZ DC is failing login on the Intranet DC.



Log Name:     Security
Source:       Microsoft-Windows-Security-Auditing
Date:         10/2/2015 11:15:52 AM
Event ID:      4625
Task Category: Logon
Level:        Information
Keywords:     Audit Failure
User:         N/A
Computer:     Intranet_DC
Description:
An account failed to log on.

Subject:
                Security ID:                             NULL SID
                Account Name:                      -
                Account Domain:                   -
                Logon ID:                               0x0

Logon Type:                                          3

Account For Which Logon Failed:
                Security ID:                             NULL SID
                Account Name:                      DMZ_DC$
                Account Domain:                   DMZ

Failure Information:
                Failure Reason:                     Unknown user name or bad password.
                Status:                                     0xc000006d
                Sub Status:                             0xc000006a

Process Information:
                Caller Process ID: 0x0
                Caller Process Name:           -

Network Information:
                Workstation Name:               DMZ_DC
                Source Network Address:     XXX.XXX.XXX.XXX
                Source Port:                           60261

Detailed Authentication Information:
                Logon Process:                     NtLmSsp
                Authentication Package:       NTLM
                Transited Services:               -
                Package Name (NTLM only):               -
                Key Length:                            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
                - Transited services indicate which intermediate services have participated in this logon request.
                - Package name indicates which sub-protocol was used among the NTLM protocols.
                - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Event:
Log Name: Security
Source: Microsoft Windows security
Event ID: 4625
Level: Information
User: N/A
OpCode: Info
Task Category: Logon
Keywords: Audit Failure
Computer: Intranet_DC

------------------------------------------------------------------------------------

The computer attempted to validate the credentials for an account.

Authentication Package:       MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:     DMZ_DC$
Source Workstation:             DMZ_DC
Error Code:            0xc000006a

Event:
Log Name: Security
Source: Microsoft Windows security
Event ID: 4776
Level: Information
User: N/A
OpCode: Info
Task Category: Credential Validation
Keywords: Audit Failure
Computer: Intranet_DC
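Both events carry their fields as named EventData elements, which is easier to query than the rendered text above. The script below is an added example, not from the post: it pulls 4625 and 4776 failures for machine accounts (names ending in $) from a DC's Security log, decodes the NTSTATUS code (0xc000006a in the post is STATUS_WRONG_PASSWORD) and groups the results by the workstation that sent them. The DC name is taken from the post and is otherwise a placeholder.

```powershell
# Added example, not from the post: pull 4625 and 4776 failures for machine accounts from a
# DC's Security log, decode the NTSTATUS sub-status, and group them by sending workstation.
# The DC name comes from the post and is otherwise a placeholder.
function Get-MachineAccountAuthFailure {
    param([string]$Dc = $env:COMPUTERNAME, [int]$Hours = 24)

    $statusText = @{
        '0xc000006a' = 'wrong password (STATUS_WRONG_PASSWORD)'
        '0xc0000064' = 'account does not exist (STATUS_NO_SUCH_USER)'
        '0xc000006d' = 'logon failure, see sub-status (STATUS_LOGON_FAILURE)'
        '0xc000006f' = 'outside logon hours'
        '0xc0000072' = 'account disabled'
        '0xc0000234' = 'account locked out'
        '0xc000018c' = 'trust relationship with the primary domain failed'
    }
    $filter = @{ LogName = 'Security'; Id = 4625, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # EventData fields by name, from the event XML
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -notlike '*$') { continue }        # machine accounts only

        if ($e.Id -eq 4625) {
            $acct = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            $ws   = $data['WorkstationName'];  $ip  = $data['IpAddress']
            $code = $data['SubStatus'];        $pkg = $data['AuthenticationPackageName']
        } else {
            $acct = $data['TargetUserName']
            $ws   = $data['Workstation'];      $ip  = ''
            $code = $data['Status'];           $pkg = $data['PackageName']
        }
        $code = if ($code) { $code.ToLower() } else { '' }
        [pscustomobject]@{
            Time = $e.TimeCreated; EventId = $e.Id; Account = $acct; Workstation = $ws
            SourceIp = $ip; Package = $pkg; Status = $code; Meaning = $statusText[$code]
        }
    }
}

$f = Get-MachineAccountAuthFailure -Dc 'Intranet_DC'
$f | Group-Object Workstation, Status | Select-Object Count, Name | Sort-Object Count -Descending
$f | Select-Object -First 5 | Format-Table -AutoSize
```

A DC's own machine account failing NTLM validation across a trust with STATUS_WRONG_PASSWORD is a secure-channel symptom rather than a user problem; `nltest /sc_verify:<intranet domain>` run on the DMZ DC reports whether its secure channel to the trusted domain is healthy, and the timestamps from the script show whether the failures line up with a password change or a restore on either side.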

PDC and Passwords in Active Directory with ADFS


Hi All,

I have a theoretical question:

As far as I know, the PDC is involved in the user/password "validation" during logon, so ADFS services will also contact the PDC during the user login session.

What will happen if ADFS is deployed in a separate site with 2 DCs, but the PDC is running in another site and the connection is down?

Thanks! 

event viewer event id 1000 source application error


dears,

I'm running Windows Server 2008 R2 in my company and recently Active Directory started to freeze from time to time, and I'm not able to use it. Below is the event logged in the Event Viewer:

can you please help as im not able to use AD anymore...

Log Name: Application

Source:     Application Error

Event ID : 1000

Level:       Error

User:        N/A

Task Category : 100

Keyword: Classic

Faulting application Path: mmc.exe

New AD site subnet


We have two sites and the subnets are:

10.1.0.0/16 Site A

10.2.0.0/16 Site B

I'm on 10.2.1.100 client , nltest query

nltest /dsgetdc:hongkong.local

Sometimes it returns the correct Site B name, sometimes it returns the Site A name.

Very confusing. Did I split the site successfully?

Thanks.
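The DC locator maps the client's IP to a subnet object (longest prefix wins), takes the site from that subnet, and then looks for DCs that have registered the site-specific SRV record; when no DC is registered for the client's site it falls back to any DC in the domain, which shows up as alternating results. The script below is an added example, not from the post: it performs the subnet-to-site mapping for a client address and lists the DCs registered for that site in DNS. The two subnets and the domain name come from the post; the ActiveDirectory module and Resolve-DnsName (Windows 8 / Server 2012 or later) are assumed.

```powershell
# Added example, not from the post: work out which AD subnet and site a client address maps
# to (longest prefix wins), then list the DCs registered for that site in DNS. A site with
# no DC registered makes the locator hand out any DC in the domain.
# Needs the ActiveDirectory module and Resolve-DnsName; the IP and domain are from the post.
Import-Module ActiveDirectory

function ConvertTo-IPv4Int {
    param([string]$Ip)
    $b = ([ipaddress]$Ip).GetAddressBytes()
    [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Get-ClientSiteReport {
    param([Parameter(Mandatory)][string]$ClientIp, [Parameter(Mandatory)][string]$Domain)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $subnets  = Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$configNC" -LDAPFilter '(objectClass=subnet)' -Properties siteObject
    $ipInt    = ConvertTo-IPv4Int $ClientIp

    # Match every IPv4 subnet object, keep the most specific one
    $match = $subnets | Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' } | ForEach-Object {
        $net, $prefix = $_.Name -split '/'
        $block = [math]::Pow(2, 32 - [int]$prefix)      # addresses per subnet; integer division avoids bit ops
        if ([math]::Floor($ipInt / $block) -eq [math]::Floor((ConvertTo-IPv4Int $net) / $block)) {
            [pscustomobject]@{ Subnet = $_.Name; Prefix = [int]$prefix; SiteDn = $_.siteObject }
        }
    } | Sort-Object Prefix -Descending | Select-Object -First 1

    if (-not $match) {
        return [pscustomobject]@{ ClientIp = $ClientIp; Subnet = '(none: client is in no site)'; Site = ''; SiteDcs = '' }
    }
    $site = ($match.SiteDn -split ',')[0] -replace '^CN=', ''

    # DCs that registered the site-specific locator record
    $srv = Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    [pscustomobject]@{
        ClientIp = $ClientIp
        Subnet   = $match.Subnet
        Site     = $site
        SiteDcs  = if ($srv) { (@($srv.NameTarget) -join ', ') } else { '(no DC registered for this site)' }
    }
}

Get-ClientSiteReport -ClientIp '10.2.1.100' -Domain 'hongkong.local' | Format-List
# On the client itself:
#   nltest /dsgetsite                         the site the client believes it is in
#   nltest /dsgetdc:hongkong.local /force     bypass the locator cache for one query
```

If SiteDcs is empty for Site B, the Site B DC has not registered its site records (check its Netlogon registration and which DNS server it updates); if it lists the right DC, the alternating answers are the client's cached locator result from before the subnet was created, which the /force query bypasses.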

Active Directory


Hi,

My company is using Windows Server 2008 R2. We are in the process of Active Directory implementation. I got a major problem when adding PCs to the AD. I'm the one adding PCs to the AD. When our help desk team wrongly enters a computer name for a particular PC and joins it to the AD, it is listed under the Computers OU. I want to make sure nobody in the help desk adds PCs which don't exist in the AD. So as a solution for this, do I need to modify the ACL of the Computers OU (the default OU under the domain)?
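Changing the ACL of the Computers container is not what stops the on-the-fly creation: by default the domain attribute ms-DS-MachineAccountQuota lets every authenticated user create 10 computer accounts just by joining, and those land in CN=Computers. The script below is an added example, not from the post: it sets the quota to 0 so that a join only succeeds against an account that was created beforehand, redirects any remaining default joins into a chosen OU, creates pre-staged accounts only for names that appear in an inventory list, and lists what is still sitting in the default container. The OU and inventory are constructed placeholders; the ActiveDirectory module and Domain Admins rights are assumed.

```powershell
# Added example, not from the post: make joins depend on a pre-staged computer account,
# redirect default joins out of CN=Computers, and create pre-staged accounts only for names
# in an inventory. OU and inventory are constructed placeholders; needs the AD module.
Import-Module ActiveDirectory

function Set-PreStagedJoinPolicy {
    param([Parameter(Mandatory)][string]$WorkstationOu)
    $domain = Get-ADDomain
    # ms-DS-MachineAccountQuota defaults to 10: any authenticated user may create that many
    # computer accounts by joining. 0 leaves only pre-staged (or explicitly delegated) joins.
    Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    # Joins by accounts that do hold Create Computer rights land in this OU instead of CN=Computers
    redircmp $WorkstationOu
}

function New-PreStagedComputer {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Inventory,
        [string]$Description = 'pre-staged from asset inventory'
    )
    if ($Inventory -notcontains $Name) { throw "'$Name' is not in the asset inventory; refusing to create it." }
    if (Get-ADComputer -Filter "Name -eq '$Name'") { throw "'$Name' already exists." }
    New-ADComputer -Name $Name -Path $Path -Description $Description -Enabled $true -PassThru
}

function Get-UnstagedComputer {
    # Anything still in the default container was joined without a pre-staged account
    Get-ADComputer -SearchBase (Get-ADDomain).ComputersContainer -Filter * -Properties whenCreated |
        Select-Object Name, whenCreated, DistinguishedName
}

# Constructed sample inventory and usage
$inventory = 'WS-FIN-001', 'WS-FIN-002', 'WS-HR-001'
Set-PreStagedJoinPolicy -WorkstationOu 'OU=Workstations,DC=example,DC=com'
New-PreStagedComputer -Name 'WS-FIN-001' -Path 'OU=Workstations,DC=example,DC=com' -Inventory $inventory
Get-UnstagedComputer | Format-Table -AutoSize
```

With the quota at 0, the help desk still needs the right to join a machine to its pre-staged account: either set "The following user or group can join this computer to a domain" on each pre-staged object in Active Directory Users and Computers, or delegate Create Computer Objects on the workstation OU only if the help desk is meant to create accounts themselves.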

repadmin not reflecting BASL having been disabled


Hello, 

I have a multi-site AD: Site A, Site B, and Site C. The site deployment is hub and spoke and the networks are not fully routed. Site A is the hub and Sites B and C are the spokes. Since the networks between the sites, specifically B and C, are not fully routed, I have disabled Bridge All Site Links (BASL). When I do a repadmin /replsum on the single DC in Site C I get the following error.

With BASL disabled, I don't expect this error. Why is my single DC in Site C trying to communicate with the two DCs in Site B? I see a similar error for the single DC in Site C when I run repadmin on either of the two DCs in Site B.

Thanks for the help! 
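Both this post and the NTFRS topology post above come down to the same objects: the IP transport's options attribute (bit 0x2 set means Bridge All Site Links is disabled), the site links and their member sites, and the nTDSConnection objects, which are inbound (each one sits under the server that pulls from the named source). SYSVOL replication, FRS and DFSR alike, follows those same connection objects. The script below is an added example, not from either post: it reports the BASL state, the site links, and every connection mapped to its source and destination site, flagging connections between two spoke sites. The hub site name is a placeholder; the ActiveDirectory module is assumed.

```powershell
# Added example, not from the post: report whether Bridge All Site Links is off for the IP
# transport, list the site links, and map every connection object to its source and
# destination site so that spoke-to-spoke connections stand out.
# The hub site name is a placeholder; needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-InterSiteTopologyReport {
    param([Parameter(Mandatory)][string]$HubSite)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ipDn     = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

    # options bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) set means BASL is disabled
    $ip = Get-ADObject -Identity $ipDn -Properties options
    $baslDisabled = (([int]$ip.options) -band 2) -ne 0

    $links = Get-ADObject -SearchBase $ipDn -LDAPFilter '(objectClass=siteLink)' -Properties siteList, cost, replInterval |
        ForEach-Object {
            $link = $_
            [pscustomobject]@{
                Link        = $link.Name
                Cost        = $link.cost
                IntervalMin = $link.replInterval
                Sites       = (@($link.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', ')
            }
        }

    $conns = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer, options |
        ForEach-Object {
            # CN=<conn>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...  (DC names contain no commas)
            $to   = $_.DistinguishedName -split ','
            # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
            $from = $_.fromServer -split ','
            $toSite   = $to[4]   -replace '^CN=', ''
            $fromSite = $from[3] -replace '^CN=', ''
            [pscustomobject]@{
                PullingServer = $to[2]   -replace '^CN=', ''
                PullingSite   = $toSite
                FromServer    = $from[1] -replace '^CN=', ''
                FromSite      = $fromSite
                KccGenerated  = (([int]$_.options) -band 1) -ne 0     # 0x1 = NTDSCONN_OPT_IS_GENERATED
                SpokeToSpoke  = ($toSite -ne $fromSite -and $toSite -ne $HubSite -and $fromSite -ne $HubSite)
            }
        }

    [pscustomobject]@{
        BridgeAllSiteLinksDisabled = $baslDisabled
        SiteLinks                  = $links
        Connections                = $conns
        SpokeToSpokeConnections    = @($conns | Where-Object { $_.SpokeToSpoke }).Count
    }
}

$r = Get-InterSiteTopologyReport -HubSite 'HeadOffice'
"BASL disabled: $($r.BridgeAllSiteLinksDisabled)"
$r.SiteLinks   | Format-Table -AutoSize
$r.Connections | Where-Object { $_.PullingSite -ne $_.FromSite } | Format-Table -AutoSize
```

With BASL disabled, the KCC only builds inter-site connections between sites that share a site link, so a spoke-to-spoke connection in the report means either a site link that lists more than two sites (the default DEFAULTIPSITELINK often still contains every site) or a manually created connection; splitting the link into one hub-spoke link per spoke removes the path the KCC used, and the spoke DCs stop trying to reach each other.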



