
Tracking down where/how a certificate is being deployed to all domain computers


Hi,

As part of my AD 2003 to 2008R2 upgrade, I am poking about in the domain to see if there are any certificate authorities configured, etc.

I have found that there appears to have been a windows 2000 domain controller in the 2002-2005 timeframe that was configured as an enterprise root certificate authority. As far as I can tell, there are no applications or services that depend on that (the DC in question was removed around 2005, many years before my time at this employer!), subsequently several 2003 DCs were created.

I have, however, discovered that each and every domain joined computer seems to have a certificate listed under intermediate certification authorities (valid 10/29/2003 to 10/29/2005) that lists the DNS domain name in the issued to and issued by fields. The CRL distribution point lists the old domain controller name. I am trying to find out WHERE this certificate is coming from and not having much success so far. The last computer added to the domain (a new 2008R2 domain controller) also gets this certificate added under Intermediate Certification Authorities, so whatever mechanism used to deploy this certificate throughout the domain is still active.

My best guess was maybe a manual deployment via a GPO, and the default domain policy would make most sense, but I have checked there under Computer Configuration | Policies | Security Settings | Public Key Policies | (checked all nodes here, but especially Intermediate Certification Authorities node).

I will manually look through each policy I guess (there are several dozen), but does anyone have any insight? Maybe I am approaching this wrongly?

I tried to run GP Modeling for a particular server object; only a couple of policies are applied as far as I can tell, but I haven't found any certs being deployed by those policies. Is it possible this is a User Configuration policy somewhere, I wonder? I thought you couldn't deploy to the Intermediate Cert Authorities node with a user policy?
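Two mechanisms put a certificate into every domain member's Intermediate Certification Authorities store, and only one of them is a GPO. An enterprise CA install publishes its certificate into the AD PKI containers under CN=Public Key Services in the Configuration partition, and certificate autoenrollment then copies those into each machine's CA / Root / NTAuth stores with no policy involved; that survives the CA's DC being removed unless someone deletes the objects. GPO-deployed machine certificates, by contrast, are stored in SYSVOL under the GPO's Machine\Microsoft\SystemCertificates\<store>\Certificates folder as files named by thumbprint, and a user policy writes under User\ and fills the user's store, not the machine's. The script below is an added example, not part of the original post: it checks both places for whatever is in the local CA store with the DNS domain in its subject. It assumes a domain-joined machine where USERDNSDOMAIN is the AD domain and the caller can read the Configuration partition.

```powershell
# Added example, not part of the original post. Finds where a certificate in the
# local machine Intermediate CA store is published from: the AD PKI containers
# (autoenrollment copies them, no GPO) or a GPO (files in SYSVOL named by thumbprint).
# Assumption: USERDNSDOMAIN is the AD domain; adjust $subjectMatch as needed.

$subjectMatch = "*$env:USERDNSDOMAIN*"

# 1. The suspect certificate(s) as they appear locally
$local = @(Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -like $subjectMatch })
$local | Format-Table Subject, Issuer, NotBefore, NotAfter, Thumbprint -AutoSize
$localThumbs = $local | ForEach-Object { $_.Thumbprint }

# 2. Certificates AD itself publishes (cACertificate on the container object and its children)
$configNC = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-AdPublishedCert {
    param([string]$Dn)
    try { $entry = [ADSI]"LDAP://$Dn"; $objects = @($entry) + @($entry.Children) }
    catch { return }                                  # container does not exist in this forest
    foreach ($obj in $objects) {
        foreach ($raw in $obj.Properties['cACertificate']) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
            New-Object PSObject -Property @{
                Container  = ($Dn -split ',')[0]
                AdObject   = [string]$obj.Name
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

# AIA -> Intermediate CA store, Certification Authorities -> Trusted Root,
# NTAuthCertificates -> NTAuth store, Enrollment Services -> enrollment targets
$published = foreach ($c in 'CN=AIA', 'CN=Certification Authorities', 'CN=Enrollment Services', 'CN=NTAuthCertificates') {
    Get-AdPublishedCert "$c,$pkiBase"
}
"Published in AD and present in the local CA store:"
$published | Where-Object { $localThumbs -contains $_.Thumbprint } |
    Format-Table Container, AdObject, Subject, NotAfter, Thumbprint -AutoSize

# 3. Any GPO carrying it: <GPO>\Machine\Microsoft\SystemCertificates\<store>\Certificates\<thumbprint>
$policies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
"GPOs deploying it:"
foreach ($tp in $localThumbs) {
    Get-ChildItem -Path $policies -Recurse -Filter $tp -ErrorAction SilentlyContinue | ForEach-Object {
        New-Object PSObject -Property @{
            GpoGuid = [regex]::Match($_.FullName, '\{[0-9A-Fa-f-]+\}').Value
            Store   = $_.Directory.Parent.Name       # CA = Intermediate CAs, Root = Trusted Root CAs
            Path    = $_.FullName
        }
    }
}
```

If the match comes from step 2, the certificate is being fed by the directory, not by any policy: the copies clients hold are kept in the enterprise physical store (`certutil -enterprise -store CA` lists them) and are refreshed from AD by autoenrollment, so removing the stale object from the AD container (pkiview.msc, Manage AD Containers, or ADSI Edit) and running `certutil -pulse` or waiting for the next refresh clears it everywhere. If step 3 finds a file, the GUID tells you which GPO to edit.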


Child Domain vs Trust Relationship

So here is the scenario-

We are in the process of centralizing IT to a data center in a single location.  I currently have 12 different operating companies that need a shared security and exchange functionality.  As it stands they are all separate individual domains of varying levels.  There is a company wide accounting system that needs to be integrated with AD currently running in a completely separate domain as well that I would like to see people using their own AD log on info to use.

Here is my question-

Knowing that all the Active directory domains need to be touched regardless to get them all up to a uniform functional level and that there is significant work to be done no matter what, which configuration would be best?  I know there are several points to each one, but I want to make sure I am covering my bases now before choosing a path.  Do I go for a single forest\parent domain?  Or separate domains using trusts between the corporate domain and the operating companies like a spoke and hub config? What are the pros and cons of each?

Thanks-

DCDIAG reports problem but not sure what to do about it...


Hello

I am about to migrate an installation from W2k3 (SP2) to 2008. My first step was to run a DCDIAG /V and, lo and behold, I actually see some errors which I guess I should correct before going further...

Performing initial setup:
   * Verifying that the local machine MY-PDC, is a DC.
   * Connecting to directory service on server MY-PDC.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.
Doing initial required tests
   Testing server: Premier-Site-par-defaut\MY-PDC
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... MY-PDC passed test Connectivity
Doing primary tests
   Testing server: Premier-Site-par-defaut\MY-PDC
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=mydom,DC=ch
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=DomainDnsZones,DC=mydom,DC=ch
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Schema,CN=Configuration,DC=mydom,DC=ch
               Latency information for 6 entries in the vector were ignored.
                 6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=mydom,DC=ch
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=mydom,DC=ch
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
         * Replication Site Latency Check
         ......................... MY-PDC passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC MY-PDC.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=mydom,DC=ch
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=mydom,DC=ch
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=mydom,DC=ch
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=mydom,DC=ch
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=mydom,DC=ch
            (Domain,Version 2)
         ......................... MY-PDC passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\MY-PDC\netlogon
         Verified share \\MY-PDC\sysvol
         ......................... MY-PDC passed test NetLogons
      Starting test: Advertising
         The DC MY-PDC is advertising itself as a DC and having a DS.
         The DC MY-PDC is advertising as an LDAP server
         The DC MY-PDC is advertising as having a writeable directory
         The DC MY-PDC is advertising as a Key Distribution Center
         The DC MY-PDC is advertising as a time server
         The DS MY-PDC is advertising as a GC.
         ......................... MY-PDC passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         Role Domain Owner = CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         Role PDC Owner = CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         Role Rid Owner = CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         ......................... MY-PDC passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 5105 to 1073741823
         * MY-PDC.mydom.ch is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 3605 to 4104
         * rIDPreviousAllocationPool is 3605 to 4104
         * rIDNextRID: 3622
         ......................... MY-PDC passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC MY-PDC on DC MY-PDC.
         * SPN found :LDAP/MY-PDC.mydom.ch/mydom.ch
         * SPN found :LDAP/MY-PDC.mydom.ch
         * SPN found :LDAP/MY-PDC
         * SPN found :LDAP/MY-PDC.mydom.ch/mydom
         * SPN found :LDAP/ea56c2b4-3a12-4eae-b4ac-3f75bfe50834._msdcs.mydom.ch
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ea56c2b4-3a12-4eae-b4ac-3f75bfe50834/mydom.ch
         * SPN found :HOST/MY-PDC.mydom.ch/mydom.ch
         * SPN found :HOST/MY-PDC.mydom.ch
         * SPN found :HOST/MY-PDC
         * SPN found :HOST/MY-PDC.mydom.ch/mydom
         * SPN found :GC/MY-PDC.mydom.ch/mydom.ch
         ......................... MY-PDC passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... MY-PDC passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         MY-PDC is in domain DC=mydom,DC=ch
         Checking for CN=MY-PDC,OU=Domain Controllers,DC=mydom,DC=ch in domain DC=mydom,DC=ch on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch in domain CN=Configuration,DC=mydom,DC=ch on 1 servers
            Object is up-to-date on all servers.
         ......................... MY-PDC passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... MY-PDC passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034FA
            Time Generated: 01/07/2013   18:51:23
            (Event String could not be retrieved)
         ......................... MY-PDC failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:36:33
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:36:34
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:41:34
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:41:34
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:46:35
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:46:35
            (Event String could not be retrieved)
         ......................... MY-PDC failed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:24
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:26
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:26
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:26
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:26
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:26
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:27
            (Event String could not be retrieved)
         ......................... MY-PDC failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=MY-PDC,OU=Domain Controllers,DC=mydom,DC=ch and backlink on
         CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         are correct.
         Some objects relating to the DC MY-PDC have problems:
            [1] Problem: Missing Expected Value
             Base Object: CN=MY-PDC,OU=Domain Controllers,DC=mydom,DC=ch
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
            [1] Problem: Missing Expected Value
             Base Object:
            CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
             Base Object Description: "DSA Object"
             Value Object Attribute Name: serverReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
         ......................... MY-PDC failed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   Running partition tests on : mydom
      Starting test: CrossRefValidation
         ......................... mydom passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... mydom passed test CheckSDRefDom
   Running enterprise tests on : mydom.ch
      Starting test: Intersite
         Skipping site Premier-Site-par-defaut, this site is outside the scope
         provided by the command line arguments provided.
         ......................... mydom.ch passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\MY-PDC.mydom.ch
         Locator Flags: 0xe00003fd
         PDC Name: \\MY-PDC.mydom.ch
         Locator Flags: 0xe00003fd
         Time Server Name: \\MY-PDC.mydom.ch
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\MY-PDC.mydom.ch
         Locator Flags: 0xe00003fd
         KDC Name: \\MY-PDC.mydom.ch
         Locator Flags: 0xe00003fd
         ......................... mydom.ch passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

I have looked into the linked KB article but I must confess that I am not too sure which case would apply in my situation. Can you shed some light?

Thanks
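dcdiag prints event IDs as the full 32-bit event code: the severity sits in the top bits and the event ID in the low 16 bits, so 0x800034FA is FRS event 13562 (the periodic summary of warnings and errors FRS hit while polling the DC for replica set configuration), 0xC0000470 is Directory Service event 1136, and 0x00000457 is System event 1111 (a printer driver Terminal Services could not map for a session, which is why it fires in a burst). dcdiag also could not fetch the message text, so the useful next step is to read those events from the logs each test looks at. The script below is an added example, not part of the original post; it uses Get-EventLog so it runs with PowerShell 2.0 on Windows Server 2003, and is meant to be run on the DC itself.

```powershell
# Added example, not part of the original post. Decodes dcdiag's hex event codes
# and pulls the matching events, with their text, from the log each test reads.
# PowerShell 2.0 / Windows Server 2003 compatible (Get-EventLog, not Get-WinEvent).

function ConvertFrom-DcdiagEventCode {
    param([string]$Code)            # e.g. '0xC0000470'
    # low 16 bits are the event ID; the rest is severity/facility
    [int]([Convert]::ToInt64(($Code -replace '^0x', ''), 16) -band 0xFFFF)
}

$tests = @(
    @{ Test = 'frsevent';  Log = 'File Replication Service'; Code = '0x800034FA' },
    @{ Test = 'kccevent';  Log = 'Directory Service';        Code = '0xC0000470' },
    @{ Test = 'systemlog'; Log = 'System';                   Code = '0x00000457' }
)

foreach ($t in $tests) {
    $id = ConvertFrom-DcdiagEventCode $t.Code
    "=== {0}: {1} -> event ID {2} in the '{3}' log" -f $t.Test, $t.Code, $id, $t.Log
    Get-EventLog -LogName $t.Log -After (Get-Date).AddDays(-1) |
        Where-Object { $_.EventID -eq $id } |
        Sort-Object TimeGenerated -Descending |
        Select-Object TimeGenerated, Source, EventID, Message -First 3 |
        Format-List
}
```

The VerifyReferences failure (frsComputerReferenceBL and serverReferenceBL missing) is a separate problem from the event-log tests: both are back-links from the DC's FRS member object under the SYSVOL replica set, and an example that checks those objects is given after the last post on this page.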

Unable to authenticate to domain\administrator AD Server 2003 R2


I am unable to authenticate with my domain\administrator (SID 500) account either as a service or at a login prompt.

I get this generic error:

"The System could not log you on.  Make sure your User name and domain are correct, then type your password again..."

As far as I can tell, all of my other accounts (including one I made last night to circumvent a problem this was causing) are logging in fine.  

All of my DC and AD checks seem to come back fine.

Recent history:

I've recently assumed responsibility for this network, and began suspecting that there may be DNS, Time Sync, and Domain issues.

Of the two DCs on the network, I found one of them had Tombstoned but I think was still being referenced by different servers (it would display when checking time, etc).

On Friday last week I promoted another 2003 server to DC (which gave me 2 working ones and a Tombstoned one).  On Monday I demoted the Tombstoned DC.  I tried to DCPromo it down, but it failed.  I then tried to repair as much of it as I could before I forced the demotion.  I then did a metadata cleanup.

The AD and DC checks are coming back looking well, and there doesn't seem to be anything suspicious in the event logs at this time.  Yay!

Before demoting the Tombstoned DC I began getting intermittent issues with my Backup Exec client.  As I would later learn, BackUp Exec was using the Domain\Administrator account for its Service Signon.  I don't know how exactly, but after Net Time and/or DNS updates it would always fix itself for a short while.  It was my suspicion that the Tombstoned DC was the cause of the problem, so I waited to see if getting rid of it would fix this issue.

My point with the BackupExec comment is that the timing of events makes me wonder what exactly was authenticating the Admin account...

Anyway, in order to get backups I created a new account for Backup Exec to use, and it is now happy.

But, the Domain\Administrator account is tied to lots of services throughout the network, so I am hoping that I can find a way to get it working again.  The fact that it's SID 500 makes me a little nervous about losing it too.  

Sorry for the length of this post, but I really appreciate any help that can be provided.

Jonathan
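The generic "could not log you on" message hides which check failed, and the built-in account can be found by its RID (500) even if it has been renamed. The script below is an added example, not part of the original post: it locates the RID-500 account and dumps the attributes that make a logon fail (disabled, locked out, password expired, account expiry, logon-hours restrictions) plus when the password was last set. It uses ADSI only, so it runs with PowerShell 2.0 on Windows Server 2003, and assumes the caller can read the domain partition.

```powershell
# Added example, not part of the original post. Locates the built-in Administrator
# by RID 500 and reports the flags that decide whether a logon can succeed.
# ADSI only: runs on Windows Server 2003 with PowerShell 2.0.

$domainNC  = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext.Value
$domain    = [ADSI]"LDAP://$domainNC"
$domainSid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ([byte[]]$domain.Properties['objectSid'].Value, 0)

$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $domain
$searcher.Filter = "(objectSid=$domainSid-500)"          # AD accepts the string SID form in filters
[void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'userAccountControl',
    'msDS-User-Account-Control-Computed', 'lockoutTime', 'accountExpires', 'pwdLastSet', 'logonHours'))
$result = $searcher.FindOne()
if (-not $result) { throw "No account with RID 500 found in $domainNC" }
$p = $result.Properties                                  # keys are lower-case here

function Get-Prop([string]$Name) { if ($p.Contains($Name) -and $p[$Name].Count -gt 0) { $p[$Name][0] } }
function ConvertFrom-FileTime($Value) {
    # 0 and 0x7FFFFFFFFFFFFFFF both mean "never"
    if ($Value -and [int64]$Value -ne [int64]::MaxValue) { [DateTime]::FromFileTimeUtc([int64]$Value) }
}

$uac      = [int](Get-Prop 'useraccountcontrol')
$computed = [int](Get-Prop 'msds-user-account-control-computed')   # lockout / expiry are computed, not stored in UAC
$hours    = Get-Prop 'logonhours'                                  # 21-byte bitmap; all 0xFF = no restriction

New-Object PSObject -Property @{
    Account              = Get-Prop 'samaccountname'
    Disabled             = ($uac -band 0x2) -ne 0
    LockedOut            = ($computed -band 0x10) -ne 0
    LockoutTime          = ConvertFrom-FileTime (Get-Prop 'lockouttime')
    PasswordExpired      = ($computed -band 0x800000) -ne 0
    PasswordNeverExpires = ($uac -band 0x10000) -ne 0
    PwdLastSet           = ConvertFrom-FileTime (Get-Prop 'pwdlastset')
    AccountExpires       = ConvertFrom-FileTime (Get-Prop 'accountexpires')
    LogonHoursRestricted = ($hours -ne $null) -and (@($hours | Where-Object { $_ -ne 255 }).Count -gt 0)
} | Format-List
```

Because the symptoms came and went while a tombstoned DC was still in the picture, also compare the account's replication metadata on both remaining DCs with `repadmin /showobjmeta <DC> "<DN of the account>"`: the version and originating DC of pwdLastSet, unicodePwd and lockoutTime tell you whether the two DCs agree on the password, and which DC last wrote it.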

Active directory issue


Hi All,

Need assistance with a weird issue. We are able to search for a few accounts in the child domain but not in the entire directory in Active Directory Users and Computers (ADUC). Please note these objects are not lingering objects; they are newly created objects.


Check for Kerberos ticket


Really simple question.  How can I check that a certain user is using Kerberos authentication and not falling back to NTLM authentication?

Would it be as simple as getting the user to run klist on their local machine?  Because klist will not show NTLM tickets correct?  It only shows kerberos tickets?
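klist does list only Kerberos tickets, so it can show that a TGT and service tickets exist but cannot show that a particular connection fell back to NTLM. The record of what was actually used lives in the Security log of the server the user connected to: each logon event 4624 (Windows Server 2008 and later; 540 on 2003) names the authentication package (Kerberos or NTLM) and the logon process (Kerberos or NtLmSsp). The function below is an added example, not part of the original post; it summarises those per user and assumes it is run on the target server (or given -ComputerName) by someone who can read the Security log. The account name jdoe is hypothetical.

```powershell
# Added example, not part of the original post. Reads logon events 4624 on the
# server a user connects to and reports the authentication package per logon,
# which is what distinguishes a Kerberos logon from an NTLM fallback.

function Get-LogonAuthPackage {
    param(
        [Parameter(Mandatory=$true)][string]$User,
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['TargetUserName'] -eq $User) {
                New-Object PSObject -Property @{
                    Time         = $_.TimeCreated
                    User         = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    LogonType    = $d['LogonType']          # 2 interactive, 3 network, 10 remote interactive
                    AuthPackage  = $d['AuthenticationPackageName']   # Kerberos or NTLM
                    LogonProcess = $d['LogonProcessName']            # Kerberos or NtLmSsp
                    Source       = $d['IpAddress']
                }
            }
        }
}

# Per-package count for one user, then the individual NTLM logons with where they came from
$events = Get-LogonAuthPackage -User 'jdoe'
$events | Group-Object AuthPackage | Select-Object Name, Count
$events | Where-Object { $_.AuthPackage -eq 'NTLM' } |
    Format-Table Time, LogonType, LogonProcess, Source -AutoSize
```

On Windows 7 / Server 2008 R2 and later there is also a dedicated audit: the policy "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" writes NTLM-only events to Applications and Services Logs\Microsoft\Windows\NTLM\Operational, which is the quickest way to see every NTLM authentication a server still accepts without sifting through 4624s.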

Server for NIS SunRPC Port


I would like to know how I can restrict the possible range of ports that Server for NIS (nissvc.dll) uses.  Every time it starts up it starts under a different port in a range somewhere around 550-1000 or so.  I believe clients find out what port it is on by querying the SunRPC server on port 111 first to find out where it is and then query it for NIS services.  Since I have deployed host-based firewalls, it would be great if I could control what port nssvc comes up on so I could configure a firewall rule for it.  Further, it would be great if I could find out what other IDMU services might use dynamic ports through SunRPC so I could also set up rules for them.  Anyone have any references for me?

Thanks in advance.

Rename a Single DC without ADC


HI!

We need to rename a single Windows 2003 R2 DC without transferring its roles to an ADC because we are preparing a new Windows 2012 DC with the same NetBIOS name as the current one, but the difference between these two DCs is:

Current DC: domain.local

New DC: domain.com

Is it possible to change the netbios name only on the current DC?

Thanks.
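A domain controller's NetBIOS name is derived from its host name, so there is no way to change only the NetBIOS name; what can be done is a supported in-place rename of the DC, roles and all, with netdom computername (the domain functional level must be Windows Server 2003). The sequence is: add the new name as an alternate, let it replicate, make it primary, reboot, then remove the old name. The block below is an added example, not part of the original post; OLD-DC and NEW-DC in domain.local are hypothetical names.

```powershell
# Added example, not part of the original post. In-place rename of a Windows
# Server 2003 DC with netdom computername; no demotion, no FSMO transfer.
# Run step by step on the DC as a Domain Admin. Names are hypothetical.

$old = 'OLD-DC.domain.local'
$new = 'NEW-DC.domain.local'

# 1. Register the new name (adds the alternate computer name, SPNs and DNS records)
netdom computername $old "/add:$new"

# 2. Let the new name reach every DC before switching to it
repadmin /syncall /AdeP

# 3. Make it the primary name, then reboot the DC (it comes back as NEW-DC)
netdom computername $old "/makeprimary:$new"
# Restart-Computer -Force

# 4. After the reboot, drop the old name and confirm the locator and replication are happy
#    netdom computername $new "/remove:$old"
#    nltest /dsgetdc:domain.local
#    dcdiag /test:advertising /test:replications
```

Note that the rename keeps the DC in domain.local; giving a server a primary DNS suffix that differs from its AD domain (domain.com here) is a disjoint-namespace configuration with its own requirements, not something netdom computername sets up for you.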


What is AD attribute of Protect Delete of OU and user ?


In Windows 2008, there is a Protect from Deletion function for AD objects.

What is the AD attribute for Protect from Deletion of an OU and a user?
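"Protect object from accidental deletion" is not stored in an attribute. Ticking it makes ADUC add an explicit Deny ACE for Everyone with the Delete and Delete Subtree rights to the object's own security descriptor; the ActiveDirectory module on Windows Server 2008 R2 exposes that same state as the computed property ProtectedFromAccidentalDeletion. The script below is an added example, not part of the original post: it shows both views for one object, sets the flag the supported way, and lists the OUs that are not protected. The OU name is hypothetical.

```powershell
# Added example, not part of the original post. "Protect from accidental deletion"
# is a Deny ACE (Everyone: Delete + Delete Subtree), not an attribute; the AD
# module reports it as ProtectedFromAccidentalDeletion. Requires RSAT / 2008 R2.

Import-Module ActiveDirectory

function Test-ProtectedFromDeletion {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # Union of all rights denied to Everyone on this object
    $denied = 0
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference.Value -eq 'Everyone') {
            $denied = $denied -bor [int]$ace.ActiveDirectoryRights
        }
    }
    $delete     = [int][System.DirectoryServices.ActiveDirectoryRights]::Delete
    $deleteTree = [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
    New-Object PSObject -Property @{
        Object         = $DistinguishedName
        DenyDelete     = ($denied -band $delete) -ne 0
        DenyDeleteTree = ($denied -band $deleteTree) -ne 0
        ModuleView     = (Get-ADObject -Identity $DistinguishedName -Properties ProtectedFromAccidentalDeletion).ProtectedFromAccidentalDeletion
    }
}

Test-ProtectedFromDeletion -DistinguishedName 'OU=Staff,DC=example,DC=com' | Format-List

# Set it (or clear it with $false) without editing the ACL by hand
Set-ADObject -Identity 'OU=Staff,DC=example,DC=com' -ProtectedFromAccidentalDeletion $true

# Every OU that is not protected
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName
```

Because it is just an ACE, anyone with permission to change the object's security descriptor can remove it, so it guards against mistakes, not against a hostile administrator.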

Can't promote Windows Server 2003 member server to DC


I have a single domain Server 2003 forest with two domain controllers.  One of my DCs, which happened to hold all the FSMO roles, died earlier this week.  I seized the FSMO roles on the remaining DC and cleaned up metadata referring to the dead DC.  Now, I want to promote one of my member servers to be a DC but I'm running into a problem.

Each time I run dcpromo, I get through the wizard questions where it asks for the admin credentials and a password to assign to the directory services restore mode admin account, then it throws up the following error and reboots the server:

"The wizard is unable to determine the status of the Active Directory service on this computer"

I've analyzed the dcpromoui.log and compared it to the same log on remaining good DC (from when it was promoted years ago), and everything looks nearly identical until it gets to this point:

Enter DoubleCheckRoleChangeState
Enter EvaluateRoleChangeState
Enter MyDsRoleGetPrimaryDomainInformation
Enter MyDsRoleGetPrimaryDomainInformationHelper
Calling DsRoleGetPrimaryDomainInformation
lpServer : (null)
InfoLevel : 0x3 (DsRoleOperationState)
HRESULT = 0x800706BA
Exception caught
catch completed
handling exception

On the good DC, the same "DsRoleOperationState" check came up with this result:

Enter DoubleCheckRoleChangeState
Enter EvaluateRoleChangeState
Enter MyDsRoleGetPrimaryDomainInformation
Enter MyDsRoleGetPrimaryDomainInformationHelper
Calling DsRoleGetPrimaryDomainInformation
lpServer : (null)
InfoLevel : 0x3 (DsRoleOperationState)
HRESULT = 0x00000000
OperationState : 0x0

Of course, on the problem server the log ends shortly after that exception, while on the good DC the log shows that it ran through a number of additional checks and successfully promoted the server.

Any suggestions?  FWIW, the member server was configured to use the good DC, which is also an AD-Integrated DNS server, as its primary DNS server.  I have since configured the server to be a DNS server with a secondary DNS zone and have the server configured to use itself for DNS, but of course dcpromo still fails.
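HRESULT 0x800706BA wraps Win32 error 1722, RPC_S_SERVER_UNAVAILABLE. In the log above lpServer is null, so DsRoleGetPrimaryDomainInformation was asking the local machine's own DsRole RPC server and could not reach it; that points first at the local RPC stack (the endpoint mapper on port 135 and lsass) on the member server, and only second at the network path to the remaining DC, which dcpromo needs for everything after this check. The block below is an added example, not part of the original post: it decodes the error, probes the local endpoint mapper, then the DC ports dcpromo depends on, and checks that the DC locator and SRV records still work now that the server answers its own DNS. It assumes dc1.example.com is the remaining good DC.

```powershell
# Added example, not part of the original post. Decodes dcpromo's 0x800706BA and
# checks local RPC, DC reachability and DC location from the member server.
# PowerShell 2.0 compatible (no Test-NetConnection). $dc is hypothetical.

$dc     = 'dc1.example.com'
$domain = $env:USERDNSDOMAIN

# 1. What the HRESULT means: low 16 bits are the Win32 error
$win32 = 0x800706BA -band 0xFFFF
New-Object System.ComponentModel.Win32Exception $win32 | Select-Object NativeErrorCode, Message

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { $client.EndConnect($ar) }
        $client.Connected
    } catch { $false } finally { $client.Close() }
}

# 2. The local call failed: is the local endpoint mapper even listening?
"local endpoint mapper (135): {0}" -f (Test-TcpPort $env:COMPUTERNAME 135)
Get-Service RpcSs, lanmanworkstation, Netlogon | Format-Table Name, Status -AutoSize

# 3. Ports dcpromo needs on the DC; the dynamic RPC range (1025-5000 on 2003) must be open too
foreach ($port in 135, 88, 389, 445, 464, 636, 3268) {
    "{0}:{1} {2}" -f $dc, $port, (Test-TcpPort $dc $port)
}

# 4. DC location now that this server answers its own DNS from a secondary zone:
#    the _msdcs SRV records must have transferred with it, and the dead DC must be gone
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"
nltest "/dsgetdc:$domain" /force
nltest "/dclist:$domain"
```

If step 2 fails on the member server itself, a reboot and a look at the System log for RPC or LSA errors come before any dcpromo retry; if step 4 still lists the dead DC, the metadata cleanup missed its DNS records or its server object under CN=Sites.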


upgrade from Windows 2003 Enterprise to Windows 2008 Enterprise SP2?


Current clients of the network include Windows XP Pro and Windows 7 clients.  There are three Windows 2003 SP2 Enterprise domain controllers.  I need to move to a Windows 2008 AD environment.

1) Is it very difficult to do an in-place upgrade of a Windows 2003 Server domain controller to Windows 2008 SP2 domain controller?  Will the forest and domain need any sort of prepping?  Can I have two Windows 2008 DCs and one Windows 2003 DC coexist?

2) Windows XP and Windows 7 clients shouldn't have any problems working in Windows 2008 AD right?

3) What are the advantages/disadvantages between Windows 2008 SP2 and Windows 2008 R2 64-bit?  Will I lose out on anything crucial if I just stayed with Windows 2008 SP2?
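Before the first Windows Server 2008 DC is introduced, whether by in-place upgrade of a 2003 DC or by promoting a new server, the forest and each domain must be prepared with adprep from the 2008 media, and the schema change must have replicated; 2008 and 2003 DCs then coexist in a domain at the Windows Server 2003 functional level until the last 2003 DC is gone. adprep leaves markers behind, so you can tell what has already been done: the schema objectVersion is 30 for Windows Server 2003, 31 for 2003 R2, 44 for 2008 and 47 for 2008 R2, and domainprep records its revision under CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System (3 for 2008, 5 for 2008 R2). The script below is an added example, not part of the original post, and runs with PowerShell 2.0 on a 2003 DC.

```powershell
# Added example, not part of the original post. Reads the markers adprep leaves
# (schema objectVersion, domain prep revision) and the functional levels, then
# lists the adprep steps and the replication check that must follow them.

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext.Value
$domainNC = [string]$rootDse.defaultNamingContext.Value

$schemaVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
                     44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }
$levels = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
             3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2' }

$schemaVer = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value
$forestFl  = [int]$rootDse.forestFunctionality.Value
$domainFl  = [int]$rootDse.domainFunctionality.Value

# adprep /domainprep records its revision here (3 = 2008, 5 = 2008 R2); absent before 2008 prep
$domainPrep = 0
try { $domainPrep = [int]([ADSI]"LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC").revision.Value } catch { }

New-Object PSObject -Property @{
    SchemaVersion      = "$schemaVer ($($schemaVersions[$schemaVer]))"
    ForestFunctional   = "$forestFl ($($levels[$forestFl]))"
    DomainFunctional   = "$domainFl ($($levels[$domainFl]))"
    DomainPrepRevision = $domainPrep
    ForestPrepDone2008 = $schemaVer -ge 44
    DomainPrepDone2008 = $domainPrep -ge 3
} | Format-List

# The preparation itself, from the Windows Server 2008 media, in this order:
#   on the schema master, as a member of Schema Admins and Enterprise Admins:
#       D:\sources\adprep\adprep.exe /forestprep
#   on each domain's infrastructure master, as Domain Admins:
#       D:\sources\adprep\adprep.exe /domainprep /gpprep
#   only if read-only DCs are planned:
#       D:\sources\adprep\adprep.exe /rodcprep
# Then confirm the schema change reached every DC before promoting or upgrading:
repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object { $_.'Number of Failures' -ne '0' }
```

Run the check again after adprep: ForestPrepDone2008 flips once the schema master has applied the update, and the repadmin line should return nothing once every DC has received it.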


Domain Trust and User Permissions


My organization is split up into two domains, a corporate domain (example.net) and a domain for external resources (example.biz) with a one-way transitive forest trust allowing .net users to authenticate in the .biz domain.  We have installed Team Foundation Server 2012 within the example.biz domain with the intent that our corporate users can access this resource and so we can provide external users access to this same resource without allowing them to gain entry into the corporate network.

The problem that we are facing is that when searching the directory for a user to grant access to either a file (security permissions) or group membership (ie: Team Foundation Administrators in TFS2012) on a member server, during the "check names" lookup the users from the example.net domain are not found. I noticed that on our primary Domain Controller for our example.biz domain this is not a problem: you can add the .net users to groups on the Domain Controller and those groups can be used on any member servers within the example.biz domain; however, this is far from the granular permissions level that we need.

A poor example of this would be setting permissions for a file;

  • On the example.biz Domain Controller you can create a group called "ExampleDotNet Users", use the lookup and add users from the example.net domain into this security group.
  • On the example.biz Member Server, within a file's security permissions you could grant access to the "ExampleDotNet Users" group and it will work as expected; however, if you try to grant access to sally@example.net the lookup will fail to locate the user.

Is this a standard behavior of the type of trust that we have setup and I am just misunderstanding or should we be allowed to grant our example.net users explicit permissions?  Any assistance would be greatly appreciated.

Why delegated permissions are not inheriting automatically from OU in AD


Hi


I am facing the issue that "delegated inheritable permissions from this object's parent" is unchecked on user objects in an OU in an AD 2008 R2 environment.

I checked the below article but the workaround given in this article is not working for me.

http://support.microsoft.com/?id=817433&wa=wsignin1.0

My main issue is that my help-desk team is not able to reset, unlock or, let's say, do user management for random users (not all) in the OU, even though we have provided the delegation rights to the help-desk security group on the OU.

One thing more, only this issue started Monday (01/07/2013) and before that everything was working fine.

Please help me to resolve this issue.


Netlogon and SYSVOL shares are not created after DCPROMO in Windows 2003

Hi,


This is weird! I just ran DCPROMO to add the DC role on my Windows 2003 server and the NETLOGON and SYSVOL shares are not created.
Is this normal, or does it take time for them to be created?
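On Windows Server 2003 the NETLOGON and SYSVOL shares appear only after FRS has finished the initial SYSVOL replication from an existing DC: FRS logs event 13516, sets SysvolReady=1 under the Netlogon parameters key, and Netlogon then creates the shares and lets the DC advertise. Until that happens, which can take a while or never finish if the replication partner is unreachable, the shares are simply missing. The script below is an added example, not part of the original post; it checks each step in order on the new DC and runs with PowerShell 2.0.

```powershell
# Added example, not part of the original post. Walks the chain that ends in
# NETLOGON/SYSVOL being shared on a freshly promoted Windows Server 2003 DC.

# 1. What FRS has logged since the promotion
$ids = 13565, 13508, 13509, 13516, 13568
# 13565 initializing SYSVOL from another DC, 13508 cannot reach partner,
# 13509 partner reached after trouble, 13516 SYSVOL ready, 13568 journal wrap
Get-EventLog -LogName 'File Replication Service' -After (Get-Date).AddDays(-1) |
    Where-Object { $ids -contains $_.EventID } |
    Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EventID, @{ n = 'Text'; e = { $_.Message.Split("`n")[0] } } -AutoSize

# 2. The flag Netlogon waits for
$ready = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
"SysvolReady = $ready   (1 = FRS finished, Netlogon shares SYSVOL and NETLOGON)"

# 3. The shares themselves, and what dcdiag makes of it
net share | Select-String 'NETLOGON|SYSVOL'
dcdiag /test:frssysvol /test:netlogons /test:advertising
```

A 13508 that keeps repeating without a following 13509 means the new DC cannot replicate from its partner (name resolution, RPC, or the NtFrs service stopped on the partner); fix that rather than forcing SysvolReady, because the share would then be empty. Only once the partner is reachable is a non-authoritative restore (BurFlags D2 on the new DC) the right tool to restart the initial sync.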

Domain Trusts


Hi Sir/Mdm,

      I would like to know, for Windows Server 2008, whether I can restrict a domain administrator in the trusted domain from modifying or viewing the domain administrator account in the trusting domain.  I would also like to know what the other domain can see in my domain if I were to trust their domain.  Is there a way to enforce restrictions on my domain so that they are only allowed to see certain things in my domain?  Can I share the folders in my domain with them without trusting their domain, and is there a way to migrate my users in AD without trusting their domain?  Please advise.
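With the default domain-wide or forest-wide authentication on a trust, every authenticated user of the trusted domain becomes a member of Authenticated Users in the trusting domain, so they can read the directory the way any of your own users can and only explicit ACLs stop them changing anything; administrators of the trusted domain get no rights in yours beyond that. Selective authentication narrows this to the computers on which you grant the "Allowed to Authenticate" right. The block below is an added example, not part of the original post: run as a Domain Admin in the trusting domain, it reports the trust's current mode, switches it to selective authentication and grants the right for one group on one server. corp.example (trusting), partner.example (trusted), the server and the group are hypothetical.

```powershell
# Added example, not part of the original post. Switches an existing trust to
# selective authentication and grants one trusted group access to one server.
# Names are hypothetical; run in the trusting domain as a Domain Admin.

# Current state of the trust (switch without a value shows it), then enable selective auth
netdom trust corp.example /domain:partner.example /SelectiveAuth
netdom trust corp.example /domain:partner.example /SelectiveAuth:Yes

# Only this group from the trusted domain may authenticate to this server
dsacls "CN=FS01,OU=Servers,DC=corp,DC=example" /G "PARTNER\App Users:CA;Allowed to Authenticate"

# Verify
netdom query /domain:corp.example trust
dsacls "CN=FS01,OU=Servers,DC=corp,DC=example" | Select-String "Allowed to Authenticate"
```

Sharing folders without any trust is possible by giving the other side accounts in your own domain (or local accounts on the file server); migrating users with ADMT, on the other hand, requires a trust between source and target for the duration of the migration.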


AdminSDHolder Object Affects Delegation of Control

Hi

I am facing the issue that "delegated inheritable permissions from this object's parent" is unchecked on user objects in an OU in an AD 2008 R2 environment.

I checked the below article but the workaround given in this article is not working for me.

http://support.microsoft.com/?id=817433&wa=wsignin1.0

My main issue is that my help-desk team is not able to reset, unlock or, let's say, do user management for random users (not all) in the OU, even though we have provided the delegation rights to the help-desk security group on the OU.

One thing more, only this issue started Monday (01/07/2013) and before that everything was working fine.

Please help me to resolve this issue.
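The symptom in this post and in the identical one above (a few users in a delegated OU losing inherited permissions, the help desk unable to manage them) is what AdminSDHolder does: once an hour the PDC emulator's SDProp thread finds users who are, directly or through nesting, members of protected groups (Domain Admins, Enterprise Admins, Schema Admins, Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, and a few more), sets adminCount=1 on them, replaces their ACL with the one on CN=AdminSDHolder,CN=System and disables inheritance; a user who has since left the group keeps adminCount=1 and the protected ACL until someone clears it, which is why the KB workaround appears not to work. The onset date is typically when the accounts were added to such a group. The script below is an added example, not part of the original post, serving both posts: it lists users carrying adminCount=1 with their inheritance state and direct protected-group membership, and repairs the ones that no longer need protection. It requires the ActiveDirectory module (2008 R2) and the DN used is hypothetical.

```powershell
# Added example, not part of the original post. Finds users stamped by SDProp
# (adminCount=1, inheritance disabled) and, for those no longer in a protected
# group, clears adminCount and re-enables inheritance so OU delegation applies.

Import-Module ActiveDirectory

function Get-AdminSdHolderVictim {
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf | ForEach-Object {
        $u   = $_
        $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
        # Protected groups are themselves stamped with adminCount=1 (direct membership only;
        # nested membership would need a recursive walk)
        $protectedDirect = @($u.memberOf |
            ForEach-Object { Get-ADGroup -Identity $_ -Properties adminCount -ErrorAction SilentlyContinue } |
            Where-Object { $_.adminCount -eq 1 })
        New-Object PSObject -Property @{
            SamAccountName          = $u.SamAccountName
            DistinguishedName       = $u.DistinguishedName
            InheritanceDisabled     = $acl.AreAccessRulesProtected
            DirectProtectedGroups   = ($protectedDirect | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

function Repair-AdminSdHolderVictim {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    # Only for accounts that are no longer in any protected group (including nested);
    # otherwise SDProp simply reapplies the protection within the hour.
    Set-ADUser -Identity $DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($false, $true)    # re-enable inheritance, keep explicit ACEs
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# Who is affected, and which of them are no longer (directly) in a protected group
Get-AdminSdHolderVictim | Format-Table SamAccountName, InheritanceDisabled, DirectProtectedGroups -AutoSize

# Repair one account after confirming it is out of every protected group (nested ones too)
# Repair-AdminSdHolderVictim -DistinguishedName 'CN=Jane Doe,OU=Staff,DC=example,DC=com'
```

Rather than repairing accounts one by one, the durable fix is to keep day-to-day user accounts out of the protected groups (Account Operators and Print Operators are the usual surprise) and give the help desk its rights through OU delegation only.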

AD Trust - Conditional forwarder against secondary DNS zones


We have recently acquired a company and plan to set up a two-way forest-level trust. I would like to know the advantages/disadvantages of setting up a DNS conditional forwarder versus setting up a secondary DNS zone in each forest.


Karthik R
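Across a forest trust each side must resolve the other forest's DNS names, above all the _msdcs SRV records the DC locator uses; this is also the first thing to check in the earlier post where a member server in example.biz cannot look up example.net users. A conditional forwarder only forwards queries for the partner zone to their DNS servers, can be stored in AD and replicated to every DNS server in your forest, and holds none of their data; a secondary zone pulls a full copy of their zone, which they must allow with zone transfers and which exposes every record in it to you (and yours to them, for the reverse direction), while answering faster and surviving a link outage. The block below is an added example, not part of the original post: the Windows Server 2012 cmdlets first, the dnscmd form for 2008 / 2008 R2 after, then the check that proves the locator will work. partner.example and the two addresses are hypothetical.

```powershell
# Added example, not part of the original post. AD-integrated conditional
# forwarder for the partner forest, replicated forest-wide, plus the SRV check.
# Zone name and addresses are hypothetical.

$partnerZone = 'partner.example'
$partnerDns  = '10.20.0.10', '10.20.0.11'

# Windows Server 2012 and later
Add-DnsServerConditionalForwarderZone -Name $partnerZone -MasterServers $partnerDns -ReplicationScope Forest
Get-DnsServerZone -Name $partnerZone | Format-List ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, MasterServers

# Windows Server 2008 / 2008 R2 equivalent (run on any DNS server / DC in the forest):
#   dnscmd . /ZoneAdd partner.example /DsForwarder 10.20.0.10 10.20.0.11 /DP /forest

# Proof that the trust's DC locator will work from here: their DC SRV records resolve and a DC is found
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partnerZone" -Type SRV
#   2008: nslookup -type=SRV _ldap._tcp.dc._msdcs.partner.example
nltest "/dsgetdc:$partnerZone"
```

The same two lines run the other way (for your zone, on their DNS servers) complete the picture; if nltest finds a DC on both sides, the trust creation and subsequent name lookups through it have what they need.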

DCs on VMs and HyperV Host as Members


Hi,

I have got two physical servers which will be running Windows 2008 R2 Hyper-V, and I will be hosting one VM on each host.

VM1 on Host1 - The VM1 will be configured as Main Domain Controller 

VM2 on Host2 - The VM2 will be configured as Additional Domain Controller

So once I have the domain and domain controllers ready I want to join the Hyper-V hosts to the same domain; eventually Host1 and Host2 will also be part of the same domain which is created on the VMs.

Is this setup acceptable and supported? Please suggest.

Note: I will surely disable time sync on the VMs with the host machines.

Regards,

Maqsood


Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
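Running the only DCs as VMs on hosts that are members of the same domain works, provided the hosts never depend on the DCs to boot and start their VMs (automatic start action on the VMs; the hosts log on with cached credentials or local accounts if no DC is up yet) and the time loop is broken: domain members, the hosts included, take time from the domain hierarchy, i.e. from the DC, so a DC VM that also takes time from its host would be syncing to itself. The recommended way is to disable the Hyper-V time provider inside the DC guests rather than only unticking the integration service on the host, and to point the PDC emulator at an external NTP source. The block below is an added example, not part of the original post; the commands run inside the DC VMs and the NTP peer names are hypothetical.

```powershell
# Added example, not part of the original post. Time configuration inside the
# DC guests so that the VMs never take time from their Hyper-V hosts.
# NTP peer names are hypothetical.

# Disable the Hyper-V time provider in the guest (survives reboots and VM moves);
# the integration service can stay enabled for the boot-time initial sync
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' -Name Enabled -Value 0
Restart-Service w32time

# On the PDC emulator only: an external, reliable source
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update

# On the additional DC: default domain hierarchy (takes time from the PDC emulator)
#   w32tm /config /syncfromflags:domhier /update

# What the DC is actually using now
w32tm /query /source
w32tm /query /status
```

On the hosts nothing special is needed for time: once joined they follow the domain hierarchy like any member server. What does matter on the hosts is that the DC VMs are set to start automatically and that snapshots are never used to roll a DC back, since that reverts the DC's USN and breaks replication.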

ADFS SSL certificate replacement


Hi guys,

Not sure if I have the correct forum, but I have a simple ADFS question.  We have ADFS working with Office 365 and we need to replace our public SSL certificate for fs.contoso.com.  When we replace the cert, we are also having to replace the entire certificate chain (VeriSign).  What concerns should we have about changing the certificate chain?  Is it just that the redirection back to fs.contoso.com might give cert errors on older clients that do not have those certificates?  Should we push the new certificates through AD to help smooth things for older clients?  What about Outlook?  When Outlook connects it authenticates through ADFS and I think all that traffic is over 443, so are there any concerns there?

Thanks,

Dan


Dan Heim
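Whether a client (a browser, Outlook, or the Office sign-in assistant, all of which use the Windows certificate stores) trusts the new fs.contoso.com certificate comes down to whether it can build a chain to a root in its Trusted Root store, using the intermediates the server sends plus the ones it already has. The script below is an added example, not part of the original post: it builds the chain with the same engine and stores Windows clients use and reports what breaks (PartialChain means a missing intermediate, UntrustedRoot an unknown root), first from the new certificate file before the swap, then from the live endpoint after it. C:\temp\new-fs.cer is a hypothetical path; the TLS fetch accepts any server certificate because it only wants the bytes.

```powershell
# Added example, not part of the original post. Builds the chain for a
# certificate the way Windows clients do and reports the chain status;
# Get-ServerCertificate fetches what the live endpoint actually sends.

function Test-CertChain {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $ok = $chain.Build($Certificate)
        New-Object PSObject -Property @{
            Subject  = $Certificate.Subject
            NotAfter = $Certificate.NotAfter
            ChainOk  = $ok
            Chain    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
            Status   = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        }
    }
}

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept anything here: we want the certificate bytes, not a verdict
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    } finally { $ssl.Close(); $tcp.Close() }
}

# Before the change, on a representative old client: the new certificate as a file
New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\new-fs.cer' | Test-CertChain | Format-List

# After the change, from any client: what the federation service actually serves
Get-ServerCertificate -HostName 'fs.contoso.com' | Test-CertChain | Format-List
```

Two things reduce the risk on old clients: install the new intermediate(s) in the Intermediate Certification Authorities store of the ADFS servers and proxies, so they send the full chain in the TLS handshake and clients never need to have it in advance, and remember that the root itself reaches supported Windows clients through the automatic root update unless that has been disabled by policy, in which case a GPO pushing the root is the fallback. On the ADFS side the SSL certificate is the service communications certificate, so after the IIS binding is changed it is also set with Set-ADFSCertificate -CertificateType Service-Communications; the Office 365 federation trust pins the token-signing certificate, not the SSL one.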

Have multiple issues in domain


Hi,

I've a few problems in my domain environment. Please help me to resolve these issues.

The domain is set up as follows: one forest and one domain. Within the domain, 4 DCs running WS08 R2 SP1.

2 DCs in Australia and 2 DCs in US. PDCe located in Australia.

The output of dcdiag /e /q is as follows:

            NtFrs Service is stopped on [SVAUAD01]
         ......................... SVAUAD01 failed test Services
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SVAUAD01 failed test frsevent
         Some objects relating to the DC SVAUAD01 have problems:
            [1] Problem: Missing Expected Value
             Base Object:
            CN=SVAUAD01,OU=Domain Controllers,DC=spendvision,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
         ......................... SVAUAD01 failed test VerifyReferences
            NtFrs Service is stopped on [SVAUAD02]
         ......................... SVAUAD02 failed test Services
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SVAUAD02 failed test frsevent
         Some objects relating to the DC SVAUAD02 have problems:
            [1] Problem: Missing Expected Value
             Base Object:
            CN=SVAUAD02,OU=Domain Controllers,DC=spendvision,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
         ......................... SVAUAD02 failed test VerifyReferences
            NtFrs Service is stopped on [SVUSAD01]
         ......................... SVUSAD01 failed test Services
         Some objects relating to the DC SVUSAD01 have problems:
            [1] Problem: Missing Expected Value
             Base Object:
            CN=SVUSAD01,OU=Domain Controllers,DC=spendvision,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
         ......................... SVUSAD01 failed test VerifyReferences
            NtFrs Service is stopped on [SVUSAD02]
         ......................... SVUSAD02 failed test Services
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SVUSAD02 failed test frsevent
         Some objects relating to the DC SVUSAD02 have problems:
            [1] Problem: Missing Expected Value
             Base Object:
            CN=SVUSAD02,OU=Domain Controllers,DC=spendvision,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
         ......................... SVUSAD02 failed test VerifyReferences

Output of dcdiag /v /c /d /s:DC_Name (copying only the error messages; see if that helps):

Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x000005FA
            Time Generated: 01/02/2013   14:40:10
            (Event String could not be retrieved)
         ......................... SVAUAD01 failed test frsevent

Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
            NtFrs Service is stopped on [SVAUAD02]
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SVAUAD02 failed test Services
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         ......................... SVAUAD02 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         SVAUAD02 is in domain DC=spendvision,DC=com
         Checking for CN=SVAUAD02,OU=Domain Controllers,DC=spendvision,DC=com in domain DC=spendvision,DC=com on 4 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=SVAUAD02,CN=Servers,CN=Sydney-AD,CN=Sites,CN=Configuration,DC=spendvision,DC=com in domain CN=Configuration,DC=spendvision,DC=com on 4 servers
            Object is up-to-date on all servers.
         ......................... SVAUAD02 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... SVAUAD02 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Error Event occured.  EventID: 0x00001057
            Time Generated: 01/02/2013   10:00:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x000003E8
            Time Generated: 01/02/2013   10:05:44
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x000003E8
            Time Generated: 01/02/2013   10:06:15
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x000003E8
            Time Generated: 01/02/2013   10:19:36
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x000003E8
            Time Generated: 01/02/2013   10:20:32
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x000005FA
            Time Generated: 01/02/2013   11:12:39
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x000005FA
            Time Generated: 01/02/2013   11:41:38
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x000005FA
            Time Generated: 01/02/2013   11:57:37
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000100B
            Time Generated: 01/02/2013   14:26:30
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000100B
            Time Generated: 01/02/2013   14:55:53
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000100B
            Time Generated: 01/03/2013   06:19:47
            (Event String could not be retrieved)
         ......................... SVAUAD02 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... SVAUAD02 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 01/03/2013   06:23:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 01/03/2013   06:24:04
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 01/03/2013   06:24:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 01/03/2013   06:25:20
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 01/03/2013   06:25:58
            (Event String could not be retrieved)
         ......................... SVAUAD02 failed test systemlog
      Starting test: VerifyReplicas
         ......................... SVAUAD02 passed test VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=SVAUAD02,OU=Domain Controllers,DC=spendvision,DC=com and backlink
         on
         CN=SVAUAD02,CN=Servers,CN=Sydney-AD,CN=Sites,CN=Configuration,DC=spendvision,DC=com
         are correct.
         Some objects relating to the DC SVAUAD02 have problems:
            [1] Problem: Missing Expected Value
             Base Object:
            CN=SVAUAD02,OU=Domain Controllers,DC=spendvision,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
            The system object reference (serverReferenceBL)
            CN=SVAUAD02,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=spendvision,DC=com
            and backlink on
            CN=NTDS Settings,CN=SVAUAD02,CN=Servers,CN=Sydney-AD,CN=Sites,CN=Configuration,DC=spendvision,DC=com
            are correct.
         ......................... SVAUAD02 failed test VerifyReferences
      Starting test: VerifyEnterpriseReferences
         The following problems were found while verifying various important DN
         references.  Note, that  these problems can be reported because of
         latency in replication.  So follow up to resolve the following
         problems, only if the same problem is reported on all DCs for a given
         domain or if  the problem persists after replication has had
         reasonable time to replicate changes.
            [1] Problem: Missing Expected Value
             Base Object:
            CN=SVAUAD02,OU=Domain Controllers,DC=spendvision,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
            [2] Problem: Missing Expected Value
             Base Object:
            CN=SVAUAD01,OU=Domain Controllers,DC=spendvision,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
            [3] Problem: Missing Expected Value
             Base Object:
            CN=SVUSAD01,OU=Domain Controllers,DC=spendvision,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
            [4] Problem: Missing Expected Value
             Base Object:
            CN=SVUSAD02,OU=Domain Controllers,DC=spendvision,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
            LDAP Error 0x5e (94) - No result present in message.
         ......................... SVAUAD02 failed test VerifyEnterpriseReferences


On top of this, there are "n" DFSR warning messages in Administrative Events on 3 DCs. The warning message: "DFS Replication service is stopping communication with partner SVAUAD01/AD02 for replication group domain system volume due to an error". Event ID 5014.

The above warning message also appears in SVUSAD01.

Please let me know how to resolve these issues.

Thanks,

Saravana
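As an added example (not code from the poster or from Microsoft), a small Python triage script that parses dcdiag output in the shape quoted above and reduces it to per-DC findings. The sample is constructed to mirror the quoted lines (with a placeholder domain), and it assumes that the hex EventID dcdiag prints is a full message ID whose low 16 bits are the event number (so 0xC0002719 is event 10009); the FRS-versus-DFSR rule simply flags that the NtFrs and frsComputerReferenceBL findings coincide with a DFSR SYSVOL topology object, which is worth confirming with dfsrmig before chasing FRS.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the dcdiag /v output quoted in the post (not a real capture).
SAMPLE = """\
   Starting test: Services
      NtFrs Service is stopped on [SVAUAD02]
      ......................... SVAUAD02 failed test Services
   Starting test: frsevent
      An Error Event occured.  EventID: 0x00001057
      ......................... SVAUAD02 failed test frsevent
   Starting test: VerifyReferences
          Value Object Attribute Name: frsComputerReferenceBL
         CN=SVAUAD02,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=example,DC=com
      ......................... SVAUAD02 failed test VerifyReferences
"""

START = re.compile(r"Starting test: (\S+)")
STOPPED = re.compile(r"(\S+) Service is stopped on \[(\S+)\]")
EVENT = re.compile(r"An (Error|Warning) Event occured\.\s+EventID: (0x[0-9A-Fa-f]+)")
RESULT = re.compile(r"\.{5,} (\S+) (passed|failed) test (\S+)")

def parse_dcdiag(text):
    """Collect failed tests and stopped services per DC, event numbers per test, and the two
    SYSVOL indicators (missing FRS backlink, DFSR-GlobalSettings topology object referenced)."""
    rep = {"failed": defaultdict(list), "stopped": defaultdict(list), "events": defaultdict(list),
           "frs_backlink_missing": False, "dfsr_sysvol": False}
    test = None
    for line in text.splitlines():
        if m := START.search(line):
            test = m.group(1)
        elif m := STOPPED.search(line):
            rep["stopped"][m.group(2)].append(m.group(1))
        elif m := EVENT.search(line):
            # Assumption: low 16 bits of the printed message ID are the Event Viewer event number.
            rep["events"][test].append((m.group(1), int(m.group(2), 16) & 0xFFFF))
        elif (m := RESULT.search(line)) and m.group(2) == "failed":
            rep["failed"][m.group(1)].append(m.group(3))
        elif "frsComputerReferenceBL" in line:
            rep["frs_backlink_missing"] = True
        elif "CN=DFSR-GlobalSettings" in line:
            rep["dfsr_sysvol"] = True
    return rep

def triage(rep):
    out = [f"{dc}: failed {', '.join(t)}" for dc, t in rep["failed"].items()]
    for dc in rep["failed"]:
        if "NtFrs" in rep["stopped"][dc] and rep["frs_backlink_missing"] and rep["dfsr_sysvol"]:
            out.append(f"{dc}: NtFrs stopped while a DFSR SYSVOL topology object exists; FRS-based "
                       "results may be stale, confirm the migration state with: dfsrmig /getglobalstate")
    out += [f"{t}: " + ", ".join(f"{lvl} {n}" for lvl, n in evs) for t, evs in rep["events"].items()]
    return out
```

Running `triage(parse_dcdiag(SAMPLE))` on the sample yields one failure summary, the FRS/DFSR flag, and the decoded frsevent event number 4183.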
