Channel: Directory Services forum

Domain Controller computer objects, adminCount and AdminSDHolder


According to every article I've read, the "Domain Controllers" group is protected by AD. The group does in fact have adminCount set to 1. The same applies to the "Read-only Domain Controllers" group. 

However the members are of course domain controllers, none of which have adminCount set and the ACL does not match AdminSDHolder. (I know that if the ACLs already match, adminCount is not necessarily set to 1 when the check runs)

I see other computer objects (with adminCount=1) that are being protected, so it's not that computer objects are excluded. It just does not seem to apply to any domain controllers, even though the groups they're in are protected. 

What am I missing here? 

Andreas
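As an added example (not part of Andreas's post), this script audits the situation he describes: it lists every object that carries adminCount=1, plus the computer objects whose primary group is Domain Controllers (RID 516) or Read-only Domain Controllers (RID 521), and reports whether each object's DACL currently equals the AdminSDHolder template. The comparison is a strict string comparison of the DACL in SDDL form; the ActiveDirectory module and a domain-joined host are assumed, and no other names are hard-coded.

```powershell
# Added example, not from the original post: report adminCount and AdminSDHolder DACL
# drift for protected objects and for DC computer objects. Assumes the ActiveDirectory
# module; everything else is derived from the current domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$holder   = Get-ADObject -Identity $holderDn -Properties nTSecurityDescriptor

# Compare only the DACL; SDProp stamps the DACL, not owner/group/SACL.
$sections  = [System.Security.AccessControl.AccessControlSections]::Access
$holderAcl = $holder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm($sections)

function Get-AdminSdHolderDrift {
    # adminCount=1 objects, plus computer objects whose primary group is
    # Domain Controllers (516) or Read-only Domain Controllers (521).
    $filter = '(|(adminCount=1)(primaryGroupID=516)(primaryGroupID=521))'
    Get-ADObject -LDAPFilter $filter -Properties adminCount, primaryGroupID, nTSecurityDescriptor |
        ForEach-Object {
            $acl = $_.nTSecurityDescriptor.GetSecurityDescriptorSddlForm($sections)
            New-Object PSObject -Property @{
                Name              = $_.Name
                ObjectClass       = $_.ObjectClass
                AdminCount        = $_.adminCount          # $null when the attribute is absent
                PrimaryGroupID    = $_.primaryGroupID
                DaclMatchesHolder = ($acl -eq $holderAcl)
                DistinguishedName = $_.DistinguishedName
            }
        }
}

Get-AdminSdHolderDrift |
    Sort-Object ObjectClass, Name |
    Format-Table Name, ObjectClass, AdminCount, PrimaryGroupID, DaclMatchesHolder -AutoSize
```

Rows with AdminCount empty and DaclMatchesHolder false are the objects in a protected group that SDProp has not stamped; rows with AdminCount 1 but DaclMatchesHolder false are objects whose ACL has drifted since the last SDProp run and are worth a closer look.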


DCPROMO fails because of FSMO roles...normal solutions not working


I am trying to remove a 2008 R2 DC from our domain but receive this error:
"Directory Service is missing mandatory configuration information...unable to determine ownership of floating single-master operation roles"
In the event log we have this additional error:
Error:
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=DomainDnsZones,DC=lvcinc,DC=local
FSMO Server DN: CN=NTDS Settings\0ADEL:464a6261-2c82-4ac1-b2b2-144d2e5e1b74,CN=SDOCS1\0ADEL:27fa192a-1f79-4a62-9557-d14ce99406d9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lvcinc,DC=local
User Action:
1. Determine which server should hold the role in question.
2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently. If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.

Steps to try resolving:
Investigating the above error - it is referencing a very old DC from a few years ago, "SDOCS1". See bold type above.

1.  Ran DCDiag /v /q on all servers and the only errors we receive are the ones that are manifested due to NOT having run the RODC switch with ADPREP
(Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
   Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=lvcinc,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
   Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=lvcinc,DC=local
......................... SVHOST2 failed test NCSecDesc

2.  Checked the location of the FSMO roles and they are all located on our SDC1 server.  I even transferred the Infrastructure FSMO role to a different server and the DCPROMO to remove the server still failed with the same above error.

3.  Ran through the "Seizing" of the roles specified by this KB:  http://support.microsoft.com/kb/255504.  The server mentioned in the error (SDOCS1) doesn't hold any of the roles and isn't listed in the list of servers

4.  Went through this KB about removing the metadata of the defunct server:  http://support.microsoft.com/kb/216498.  The server mentioned doesn't exist in any of the locations.

I'm at a loss as to how to resolve this.  Somewhere the AD Database has a reference to that old server (SDOCS1).  I have looked in all the obvious places in ADSIEDIT and DNS and have found no reference to it.

I know I can do a force removal of this server (SVHOST2) - but it seems that I need to fix the greater problem of removing the reference to SDOCS1.

Thanks for any help with this perplexing issue!


-David Miller
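The event quoted above names the Infrastructure object of the DomainDnsZones application partition, not the domain's Infrastructure Master, and its owner DN contains "\0ADEL:", the marker of a deleted (tombstoned) object. As an added example (not from David's post), this script reads the fSMORoleOwner attribute of the Infrastructure object in every application partition in the forest and reports whether the owner still exists. It assumes the ActiveDirectory module and that the PDC emulator hosts each partition, which holds for the DNS partitions when the PDC runs DNS.

```powershell
# Added example, not from the original post: check the Infrastructure object of each
# application partition (DomainDnsZones, ForestDnsZones, custom partitions) for a role
# owner that is deleted or no longer present. Assumes the ActiveDirectory module and a
# PDC emulator that hosts the partitions being read.
Import-Module ActiveDirectory

function Get-PartitionInfrastructureOwner {
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($nc in (Get-ADForest).ApplicationPartitions) {
        $infraDn = "CN=Infrastructure,$nc"
        try {
            $infra = Get-ADObject -Identity $infraDn -Properties fSMORoleOwner -Server $pdc -ErrorAction Stop
            $owner = [string]$infra.fSMORoleOwner
            if ($owner -like '*0ADEL:*') {
                # Points at a tombstone: the role owner for this partition must be re-assigned.
                $state = 'Deleted'
            } else {
                try {
                    $null  = Get-ADObject -Identity $owner -Server $pdc -ErrorAction Stop
                    $state = 'Present'
                } catch {
                    $state = 'Missing'   # DN not found at all (metadata already cleaned up)
                }
            }
        } catch {
            $owner = $null
            $state = "Unreadable: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{ Partition = $nc; RoleOwner = $owner; OwnerState = $state }
    }
}

Get-PartitionInfrastructureOwner | Format-Table Partition, OwnerState, RoleOwner -AutoSize
```

Any partition reported as Deleted or Missing is one that NTDSUTIL's domain-level role transfer and KB 216498 metadata cleanup do not touch, because those operate on the domain and configuration partitions; the application partition's Infrastructure object has its own fSMORoleOwner attribute and is checked separately during demotion.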

Domain Controller Event IDs to the Collector Server


Hi all,  I am working with the following link: 

http://blogs.technet.com/b/mspfe/archive/2011/11/22/setting_2d00_up_2d00_security_2d00_event_2d00_log_2d00_subscriptions_2d00_with_2d00_windows_2d00_server_2d00_20032008.aspx

I want to be able to send event log data from my DCs to the collector server.  I spun up 2 VM DCs and a collector VM server in a test domain. All are running Server 2008 R2.  I configured both DCs to send their events to the collector and created a GPO.  What I am noticing is that no events are being forwarded to the collector and the subscription status is showing Inactive.  


Francisco Mercado Jr.


Lync/Skype 2016 GPO to disable chat logging


Support,

We are deploying Office 2016 to our end users and would like to make sure that conversation/chat logging is disabled through Lync/Skype. We have already installed the Administrative Templates for 2016 on our Domain Controller. Is there a policy we can create through AD that will disable that feature?

Thanks.


Join Computer to Domain (VPN) No Domain Found


Working an issue with joining a client (2008 R2) to our domain.  The site is connected via VPN.  The main issue seems to be cannot find the domain name.

The VPN is open with all ports to one specific domain controller.

I can resolve the domain name via DNS and also get a return of the SRV records.

From the client I can authenticate to the domain controller via ADSIEdit, mapping a drive.

Running nltest /dsgetdc:company.com errors to:  'Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN'

I did an Offline djoin, but when trying to logon I get 'there are no logon servers....'

Debug in the netlogon file shows a return of the IPs of the DCs from the service records but does not find the domain name.

Any direction you all may send me in would be greatly appreciated.
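As an added example (not from the poster), this script runs from the remote client, resolves the DC locator SRV record for the domain and then tests the TCP ports that domain location and domain join depend on, so the "all ports open" VPN claim can be checked host by host. "company.com" is the domain name used in the poster's nltest command; the port list is a constructed selection of the standard AD ports. It is written for PowerShell 2.0 (Windows Server 2008 R2), which has neither Resolve-DnsName nor Test-NetConnection.

```powershell
# Added example, not from the original post: verify SRV resolution and TCP reachability
# of the AD ports from a client behind a VPN. Domain name and port list are assumptions.
param([string]$Domain = 'company.com')

function Get-DcSrvTargets {
    param([string]$Domain)
    # nslookup is used because PowerShell 2.0 has no SRV-capable DNS cmdlet.
    $lines = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>$null
    $hosts = foreach ($line in $lines) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $Matches[1].TrimEnd('.') }
    }
    $hosts | Sort-Object -Unique
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, global catalog (plain and TLS).
$ports = 88, 135, 389, 445, 464, 636, 3268, 3269

foreach ($dc in (Get-DcSrvTargets -Domain $Domain)) {
    foreach ($p in $ports) {
        New-Object PSObject -Property @{
            DC      = $dc
            Port    = $p
            TcpOpen = (Test-TcpPort -HostName $dc -Port $p)
        }
    }
}
```

One caveat: the DC locator confirms a candidate DC with an LDAP UDP "ping" on port 389 before it accepts it, and a TCP probe cannot exercise that path. If every TCP port above is open yet nltest /dsgetdc still reports ERROR_NO_SUCH_DOMAIN, UDP 389 across the VPN is the next thing to check.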

DCDIAG errors -failing advertising and more tests - appear to be due to flatname issues


I'm running "DCDIAG /Q /E " between my two domain controllers, and one of them is getting errors.  I'm running as admin of course!

The first DC is sitting on subnet1, and is called ACMEDC1.

The second DC is sitting on subnet2, and is called ACMEDC2.

When I run on ACMEDC2, there are no errors.

When I run on ACMEDC1, there are some errors:

         Fatal Error:DsGetDcName (ACMEDC2) call failed, error 1722
         The Locator could not find the server.
         ......................... ACMEDC2 failed test Advertising
         [ACMEDC2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ACMEDC2 failed test SysVolCheck
         Could not open pipe with [ACMEDC2]:failed with 64:
         The specified network name is no longer available.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         [ACMEDC2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ACMEDC2 failed test NetLogons

I can do a lookup of ACMEDC2 with nbtstat - it will resolve to an IP address and then it appears in the cache (so "nbtstat -a ACMEDC2" and "nbtstat -c" work).

However, from ACMEDC1, I have also noticed that I cannot connect to any SMB shares on SOME servers when using the netbios name.  There doesn't seem to be any rhyme or reason - server version, subnet.

For example, from ACMEDC1:

I can connect to \\ACMESRV1\fileshare 

(or any share)

If I try to connect to ACMEDC2:


\\ACMEDC2.ACME.LOCAL\FILESHARE

works

\\(IP ADDRESS)\FILESHARE

works

But:

\\ACMEDC2\FILESHARE

fails with the error "Windows can't find '\\ACMEDC2\FILESHARE'.  Check the spelling and try again."

I can connect to SMB successfully with PowerShell too.  nbtstat -RR (or -R) do not resolve the issue either.

So I think that whatever is causing the issue with the SMB connection to the flatname is causing the same issues in DCDIAG.  I am not seeing any problems with any other AD services - replication works perfectly, and ACMEDC2 is having no such issues in SMB or DCDIAG.

Trust between NT4 and 2003 domain not working properly


I have a problem with a customer who still has an NT4 domain!! Well they decided to migrate to a new domain and created a windows 2003 domain as a new forest. User migration was done but not computer migration. This was done by the customer himself.

The new Win2003 AD domain has some servers in it but most of the PCs are still in the NT4 domain, and most of these PCs are Windows XP.  A two-way external trust has already been created between the NT4 domain and the 2003 domain.

Since the client PCs are in the NT4 domain and need to access shared folders from the servers in the Windows 2003 domain, the trust relationship is critical. Unfortunately, this is where the problem lies. The trust, although it seems to be working, is behaving strangely. It works on some PCs and not on others.

On the PCs where it doesn't work, we get the error "trust relationship between the primary domain and the trusted domain failed" when they try to access resources from the 2003 domain. However, from the same PC, the user can log on to the 2003 domain!!

What is going on with this trust, and what can be done to fix the issue?



Error Promoting server as Additional Domain Controller


Hi,

I am getting an error while promoting a server as an additional Domain Controller. This is a test environment where I have one domain and 1 DC too. I was trying to add an additional DC in this test domain. I have given the primary DC's IP as the preferred DNS server on the additional DC server. But I am getting the error below. I am able to ping both servers vice versa. 

Can anyone help me to fix this issue ?


Two Separate Domains and IP Addresses on one physical network


I think this question has been asked with different variables, but in my specific situation we want to host two independent companies on the same physical network without any interconnection. A.com would be the main host and AD of the existing company. We want to split off a new company called B.com. A.com would have IP addresses of 172.16.xxx.xxx and B.com would have IP addresses of 192.1.xxx.xxx and the two domains would not see or communicate with each other. The 172.16.xxx.xxx has the default gateway and is DHCP. Would it be possible to have B.com on IP address 192.1.xxx.xxx also use DHCP and would it need to use the default gateway IP address on the other subnet or would it have its own?

I want to make this as painless for myself as possible. VLANs are the last route I would like to explore.

AD Healthcheck Tools


Are there any free tools you'd run yourselves to identify risks or misconfigurations in your AD - above and beyond the AD Best Practices Analyzer? Can you list what it is and what it does?

Also, if you were to tender and go out to the market for an AD healthcheck, what high-level areas would you ask them to cover? i.e. a top 5 issues for them to look at?

AD Integrated DNS Question


I'm cleaning up my DNS Zones.

I'm noticing old entries in the Name Servers tab. I'm going to clean those out via PowerShell.

My question is: do I need to actually populate the Name Servers tab if the zones are AD integrated?

Since I'm removing the old ones I was going to add\update new ones.  Being AD integrated, I'd assume that all DCs that are getting a copy would be authoritative.  So why would I need to populate this tab?

I also notice the * next to some of the entries.  This makes me think they are auto-added.  So if they are, what 'adds' them exactly?  Since each DC would contain a copy I'd think it wouldn't need to go to any other DC\DNS server in the forest.

Thanks in advance.


David Jenkins

ADFS backup policy


Dear all,

We are using Office 365 with DirSync and Active Directory Federation Services, and we have a daily backup of the ADFS servers. We use ADFS 2.0 on Windows Server 2008 R2 and I was wondering if it's really necessary to back up the server each day?


If I am right, there is no "moving data" on server except :

- configuration when we change a setting (add a federation, for example)

- certificates when we change it

What are the best practices concerning backup of ADFS? I have read a lot on how to back it up but not on when to back it up...

Thanks a lot

Ludovic

Windows 2012 R2 Active Directory server malfunction suddenly


I've a virtual guest of Windows 2012 R2 Active Directory server (with 2GB memory assigned) running in ESXi 5.5 (with update 2). One night, it suddenly stopped working properly. I checked that before the problem happened:

1. the server's memory usage is 100%, but the server resources utilization is low (<50%).

2. in the event log, the 1st error shows the following:

svchost (2176) An attempt to write to the file "C:\Windows\system32\LogFiles\Sum\Current.mdb" at offset 315392 (0x000000000004d000) for 4096 (0x00001000) bytes failed after 0.000 seconds with system error 1453 (0x000005ad): "Insufficient quota to complete the requested service. ".  The write operation will fail with error -1011 (0xfffffc0d).  If this error persists then the file may be damaged and may need to be restored from a previous backup.

After the problem happened, the server was still online and reachable by RDP. However, both local login and login using RDP failed. It showed "invalid username or password".

Finally, I had to reboot the server and then the domain services resumed as normal. So far, it has happened once.

Please help.

Install new forest on Windows Server 2012 R2

Greetings,

I want an answer file for a forest I am installing on Windows Server 2012 R2. How can this be done in PowerShell?

With special thanks
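As an added example (not from the poster), here is the PowerShell equivalent of a dcpromo answer file on Windows Server 2012 R2: the ADDSDeployment module's Install-ADDSForest takes the same settings as parameters, so the "answer file" becomes a hashtable that is splatted into the cmdlet. corp.example.com and CORP are placeholder names; the paths and functional levels are choices to adjust. Run the script without -Promote to validate only.

```powershell
# Added example, not from the original post: unattended new-forest promotion with the
# ADDSDeployment module. Domain names are placeholders; run with -Promote to actually
# promote, otherwise only the prerequisite check runs.
param([switch]$Promote)

Import-Module ADDSDeployment

$forestParams = @{
    DomainName                    = 'corp.example.com'   # placeholder DNS name
    DomainNetbiosName             = 'CORP'               # placeholder NetBIOS name
    ForestMode                    = 'Win2012R2'
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    # Prompted at run time so the DSRM password is never stored in the script.
    SafeModeAdministratorPassword = (Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString)
    NoRebootOnCompletion          = $false
    Force                         = $true   # suppress the confirmation prompt, as an answer file did
}

# Prerequisite and parameter validation only; changes nothing on the server.
$check = Test-ADDSForestInstallation @forestParams
$check | Format-List

if ($Promote -and $check.Status -eq 'Success') {
    Install-ADDSForest @forestParams   # promotes the server and reboots it
}
```

The Server Manager promotion wizard can also export exactly this kind of script from its final page, which is a convenient way to capture settings chosen interactively and replay them on further servers.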

Domain Controller Patching


Hi, 

When I patch a domain controller with the patches below, the DC hangs at "Applying Computer Settings".

Does anyone know which is the problematic patch from the list below that needs to be excluded from installation on domain controllers?


Getting Error while Exporting Data from AD


I am getting an error while exporting AD user or computer information from AD; below is the script and error message. Can anyone help me with this? I have a user count of about 15000.

Get-ADUser -Filter * -Properties * | Select-Object -Property Name,SamAccountName,Description,EmailAddress,LastLogonDate,Manager,Title,Department,whenCreated,Enabled,Company | Sort-Object -Property Name | Export-Csv -path D:\AlluserfromAD30102015.csv

Get-ADUser : The server has returned the following error: invalid enumeration context.
At line:1 char:11
+ Get-ADUser <<<<  -Filter * -Properties * | Select-Object -Property Name,SamAccountName,Description,EmailAddress,LastLogonDate,Manager,Title,Department,whenCreated,Enabled,Company | S
ort-Object -Property Name | Export-Csv -path D:\AlluserfromAD30102015.csv
    + CategoryInfo          : NotSpecified: (:) [Get-ADUser], ADException
    + FullyQualifiedErrorId : The server has returned the following error: invalid enumeration context.,Microsoft.ActiveDirectory.Management.Commands.GetADUser
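"Invalid enumeration context" is what Active Directory Web Services returns when the server-side enumeration behind a paged query expires before the client has finished pulling it, which is easy to hit with -Properties * over 15000 users. As an added example (not from the poster), this version of the export requests only the attributes that are actually written to the CSV and runs one enumeration per top-level OU or container instead of one enumeration over the whole domain, so each server-side cursor stays short-lived. The output path is the poster's; splitting by top-level container is an assumption about the directory layout.

```powershell
# Added example, not from the original post: export the same columns while keeping each
# ADWS enumeration short. Assumes the ActiveDirectory module; the CSV path is the poster's.
Import-Module ActiveDirectory

$props = 'Description','EmailAddress','LastLogonDate','Manager','Title','Department','whenCreated','Company'
$cols  = 'Name','SamAccountName','Description','EmailAddress','LastLogonDate','Manager','Title','Department','whenCreated','Enabled','Company'

function Export-AdUserReport {
    param([string]$Path = 'D:\AlluserfromAD30102015.csv', [int]$PageSize = 256)
    $domainDn = (Get-ADDomain).DistinguishedName

    # Top-level OUs and containers (Users, Computers, ...) directly under the domain root.
    $bases = Get-ADObject -SearchBase $domainDn -SearchScope OneLevel `
                 -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
             Select-Object -ExpandProperty DistinguishedName

    $rows = @()
    # Users sitting directly at the domain root (rare, but possible).
    $rows += Get-ADUser -Filter * -SearchBase $domainDn -SearchScope OneLevel `
                 -Properties $props -ResultPageSize $PageSize | Select-Object -Property $cols
    foreach ($base in $bases) {
        # One bounded enumeration per container, requesting only the exported attributes.
        $rows += Get-ADUser -Filter * -SearchBase $base -SearchScope Subtree `
                     -Properties $props -ResultPageSize $PageSize | Select-Object -Property $cols
    }

    # Sort in memory only after every enumeration has completed, then write the CSV.
    $rows | Sort-Object -Property Name | Export-Csv -Path $Path -NoTypeInformation
    return $rows.Count
}

"Exported $(Export-AdUserReport) users"
```

If one container on its own is large enough to time out, the same idea applies one level down: enumerate its child OUs separately, or split on an indexed attribute such as the first character of sAMAccountName.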

Group Policy Management Console problem


Hi, I found a problem when I open GPMC on my server (Windows Server 2008 SP2, Domain Controller). I got an error message saying 

The specified domain controller could not be contacted. This affects the following domain in the console.

Domain: <FQDN>

The RPC server is unavailable. 

I tried to run a dcdiag command in the command prompt and I got these messages.

Warning: <servername> has not finished promoting to be a GC. Check the event log for domains that cannot be replicated.

Warning: <servername> is not advertising as a global catalog.

I'm not sure what's causing this, but this is just a newly set up DC, with no errors so far in its event viewer.

Thanks

Jeff

Active Directory health profiler


Guys,

Did anyone use Active Directory health profiler? 

I am planning to buy a copy, but can't find too many references over the Internet.

Did anyone try it before?

Thanks for your inputs!

Nick

NTDS Internal Processing error


Question: How do you go about tracking down the source of an error like this:

Event Type: Error
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1481
User:  NT AUTHORITY\ANONYMOUS LOGON
Description:
Internal error: The operation on the object failed.

Additional Data
Error value:
2 000020EF: NameErr: DSID-032500F4, problem 2001 (NO_OBJECT), data -1603, best match of:
 ''

Additionally:

Event Type: Information
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 2041
User:  N/A
Description:
Duplicate event log entries were suppressed.
 
See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event.
 
Event Code:
c00005c9
Number of duplicate entries:
1

Esentutl and ntdsutil both show no issues when booted into DS restore mode, and none of dcdiag, replmon, or repadmin shows any errors.

OS: Windows 2003 R2 (both 64- and 32-bit) as up to date as possible. Note: ALL DCs report this error with NTDS logging at 5--but no other errors.

This issue is preventing the promotion of both 2008 and 2012 servers to DCs.

All NTDS logging is up at 5 in hopes of finding other messages, to no avail.

No other errors are logged, just this one blank item.

How to remove a client from a deleted domain - 2012 Server Essentials


Can anybody help?

We installed 2012 Server Essentials on a Dell server and joined a client/laptop to that domain, abc.local.

Then we deleted that on the server and reinstalled again with a new domain. 

On the client/laptop we use the Windows Server Essentials Connector and find the NEW server, but then cannot connect the client to the network:

" this computer is already a member of another Windows domain abc.local. before connecting this computer to the server, you must first remove this computer from the current Windows domain."

On the server, this domain has already been deleted. How do we remove it from the client/laptop? 

thanks


