Hi,

As part of my AD 2003 to 2008R2 upgrade, I am poking about in the domain to see if there are any certificate authorities configured, etc.

I have found that there appears to have been a windows 2000 domain controller in the 2002-2005 timeframe that was configured as an enterprise root certificate authority. As far as I can tell, there are no applications or services that depend on that (the DC in question was removed around 2005, many years before my time at this employer!), subsequently several 2003 DCs were created.

I have, however, discovered that each and every domain joined computer seems to have a certificate listed under intermediate certification authorities (valid 10/29/2003 to 10/29/2005) that lists the DNS domain name in the issued to and issued by fields. The CRL distribution point lists the old domain controller name. I am trying to find out WHERE this certificate is coming from and not having much success so far. The last computer added to the domain (a new 2008R2 domain controller) also gets this certicate added under Intemediate Certification Authorities, so whatever mechanism used to deploy this certificate throughout the domain still is active.

My best guess was maybe a manual deployment via a GPO, and the default domain policy would make most sense, but I have checked there under Computer Configuration | Policies | Security Settings | Public Key Policies | (checked all nodes here, but especially Intermediate Certification Authorities node).

I will manually look through each policy I guess (there are several dozen), but does anyone have any insight? Maybe I am approaching this wrongly?

I tried to model GP Modeling for a particular server object, only a couple of policies are applied as far as I can tell, but I haven't found any certs being deployed by those policies. Is it possible this is a User Configuration Policy somewhere I wonder? I thought you couldn't deploy to Intermediate Cert Authorities node with a user policy?

I am unable to authenticate with my domain\administrator (SID 500) account either as a service or at a login prompt.

I get this generic error:

"The System could not log you on.  Make sure your User name and domain are correct, then type your password again..."

As far as I can tell, all of my other accounts (including one I made last night to circumvent a problem this was causing) are logging in fine.  

All of my DC and AD checks seem to come back fine.

Recent history:

I've recently assumed responsibility for this network, and began suspecting that there may be DNS, Time Sync, and Domain issues.

Of the two DCs on the network, I found one of them had Tombstoned but I think was still being referenced by different servers (it would display when checking time, etc).

On Friday last week I promoted another 2003 server to DC (which gave me 2 working ones and a Tombstoned one).  On Monday I demoted the Tombstoned DC.  I tried to DCPromo it down, but it failed.  I then tried to repair as much of it as I could before I forced the demotion.  I then did a metadata cleanup.

The AD and DC checks are coming back looking well, and there doesn't seem to be anything suspicious in the event logs at this time.  Yay!

Before demoting the Tombstoned DC I began getting intermittent issues with my Backup Exec client.  As I would later learn, BackUp Exec was using the Domain\Administrator account for its Service Signon.  I don't know how exactly, but after Net Time and/or DNS updates it would always fix itself for a short while.  It was my suspicion that the Tombstoned DC was the cause of the problem, so I waited to see if getting rid of it would fix this issue.

My point with the BackupExec comment is that the timing of events makes me wonder what exactly was authenticating the Admin account...

Anyway, in order to get backups I created a new account for Backup Exec to use, and it is now happy.

But, the Domain/Administrator account is tied to lots of services throughout the network, so I am hoping that I can find a way to get it working again.  The fact that it's SID500 makes me a little nervous about loosing it too.  

Sorry for the length of this post, but I really appreciate any help that can be provided.

Jonathan

Hi All,

need assitance with a weird issue.. We are able to  search few accounts in Child domain but not in  entire directory  in active directory (ADUC). Please note this objects are not lingering objects. This are the newly created objects.

Really simple question.  How can I check that a certain user is using Kerberos authenitcation and not falling back to NTLM authentication?

Would it be as simple as getting the user to run klist on their local machine?  Because klist will not show NTLM tickets correct?  It only shows kerberos tickets?

I would like to know how I can restrict the possible range of ports that Server for NIS (nissvc.dll) uses.  Every time it starts up it starts under a different port in a range somewhere around 550-1000 or so.  I believe clients find out what port it is on by querying the SunRPC server on port 111 first to find out where it is and then query it for NIS services.  Since I have deployed host-based firewalls, it would be great if I could control what port nssvc comes up on so I could configure a firewall rule for it.  Further, it would be great if I could find out what other IDMU services might use dynamic ports through SunRPC so I could also set up rules for them.  Anyone have any references for me?

Thanks in advance.

HI!

We need to rename a single Windows 2003 R2 DC without transferring its roles to an ADC because we are preparing a new windows 2012 DC with the same Netbios name as the current one but the difference between these two DCs is:

Current DC: domain.local

New DC: domain.com

Is it possible to change the netbios name only on the current DC?

Thanks.

In windows 2008 , there is Protect Delete function of AD object.

What is AD attribute of Protect Delete of OU and user ?

I have a single domain Server 2003 forest with two domain controllers.  One of my DCs, which happened to hold all the FSMO roles, died earlier this week.  I seized the FMSO roles on the remaining DC and cleaned up metadata referring to the dead DC.  Now, I want to promote one of my member servers to be a DC but I'm running into a problem.

Each time I run dcpromo, I get through the wizard questions where it asks for the admin credentials and a password to assign to the directory services restore mode admin account, then it throws up the following error and reboots the server:

"The wizard is unable to determine the status of the Active Directory service on this computer"

I've analyzed the dcpromoui.log and compared it to the same log on remaining good DC (from when it was promoted years ago), and everything looks nearly identical until it gets to this point:

Enter DoubleCheckRoleChangeState
Enter EvaluateRoleChangeState
Enter MyDsRoleGetPrimaryDomainInformation
Enter MyDsRoleGetPrimaryDomainInformationHelper
Calling DsRoleGetPrimaryDomainInformation
lpServer : (null)
InfoLevel : 0x3 (DsRoleOperationState)
HRESULT = 0x800706BA
Exception caught
catch completed
handling exception

On the good DC, the same "DsRoleOperationState" check came up with this result:

Enter DoubleCheckRoleChangeState
Enter EvaluateRoleChangeState
Enter MyDsRoleGetPrimaryDomainInformation
Enter MyDsRoleGetPrimaryDomainInformationHelper
Calling DsRoleGetPrimaryDomainInformation
lpServer : (null)
InfoLevel : 0x3 (DsRoleOperationState)
HRESULT = 0x00000000
OperationState : 0x0

Of course, on the problem server the log ends shortly after that exception, while on the good DC the log shows that it ran through a number of additional checks and successfully promoted the server.

Any suggestions?  FWIW, the member server was configured to use the good DC, which is also an AD-Integrated DNS server, as its primary DNS server.  I have since configured the server to be a DNS server with a secondary DNS zone and have the server configured to use itself for DNS, but of course dcpromo still fails.

Current clients of the network include Windows XP Pro and Windows 7 clients.  There are three Windows 2003 SP2 Enterprise domain controllers.  I need to move to a Windows 2008 AD environment.

1) Is it very difficult to do an in-place upgrade of a Windows 2003 Server domain controller to Windows 2008 SP2 domain controller?  Will the forest and domain need any sort of prepping?  Can I have two Windows 2008 DCs and one Windows 2003 DC coexist?

2) Windows XP and Windows 7 clients shouldn't have any problems working in Windows 2008 AD right?

3) What are the advantages/disadvantages between Windows 2008 SP2 and Windows 2008 R2 64-bit?  Will I lose out on anything crucial if I just stayed with Windows 2008 SP2?

My organization is split up into two domains, a corporate domain (example.net) and a domain for external resources (example.biz) with a one-way transitive forest trust allowing .net users to authenticate in the .biz domain.  We have installed Team Foundation Server 2012 within the example.biz domain with the intent that our corporate users can access this resource and so we can provide external users access to this same resource without allowing them to gain entry into the corporate network.

The problem that we are facing is that when searching the directory for a user to grant access to either a file (security permissions) or group membership (ie: Team Foundation Administrators in TFS2012) on a member server during the "check names" lookup the users from the example.net domain are not found. I noticed that on our primary Domain Controller for our example.biz domain this is not a problem, you can add the .net users to groups on the Domain Controller and those groups can be used on any member servers within the example.biz domain however this is far from the granular premissions level that we need.

A poor example of this would be setting permissions for a file;

• On the example.biz Domain Controller you can create a group called "ExampleDotNet Users", use the lookup and add users from the example.net domain into this security group.
• On the example.biz Member Server within the a files security permissions you could grant access to the "ExampleDotNet Users" group and it will work as expected, however if you try to grant access to sally@example.net the lookup will fail to locate the user.
  

Is this a standard behavior of the type of trust that we have setup and I am just misunderstanding or should we be allowed to grant our example.net users explicit permissions?  Any assistance would be greatly appreciated.

Hi

Hi Sir/Mdm,

      I would like to know for Windows Server 2008, can I restrict domain administrator in the trusted domain to modify or view the domain administrator acct in the trusting domain.  I also would like to know what can the other domain see in my domain if i were to trust their domain.  Is there a way to enforce restriction on my domain so that they are only allowed to see certain things in my domain.  Can i share the folders in my domain to them without trusting their domain and is there a way to migrate my users in the AD without trusting their domain.  Please advise.

We are recently acquired a company and plan to setup a two way forest level trust ,i would like to know the advantage/disadvantage of setting up DNS conditional forwarder against setting up secondary DNS at each forest.

Karthik R

Hi,

I have got two Physical Servers which will be running Windows 2008 R2 - HyperV and i will be hosting one VM on each Host.

VM1 on Host1 - The VM1 will be configured as Main Domain Controller 

VM2 on Host2 - The VM2 will be configured as Additional Domain Controller

So once i have the Domain and Domain Controllers ready i want to join the HyperV hosts to the same domain eventually Host1 and Host2 will also be part of same domain which is created on VMs.

Is this setup acceptable and supported? Please suggest.

Note: I will surely disable time syn on the VMs with Host machines.

Regards,

Maqsood

Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

Hi guys,

Not sure if I have the correct forum, but I have a simple ADFS question.  We have ADFS working with Office365 and we need to replace our public SSL certificate for fs.contoso.com.  When we replace the cert, we are also having to replace the entire certificate chain(verisign).  What concerns should we have about changing the certificate chain?  Is it just that the redirection back to fs.contoso.com might give cert errors on older clients that do not have those certificates?  Should we push the new certificates through AD to help smooth things for older clients?  What about Outlook?  When Outlook connects it authenticates through ADFS and I think all that traffic is over 443, so are there any concerns there?

Thanks,

Dan

Dan Heim

Hi,

I've few problems in my domain environment. Please help me to resolve this issue.

The domain setup as follows - One forest and One domain. Within a domain 4 DCs running with WS08 R2 SP1.

2 DCs in Australia and 2 DCs in US. PDCe located in Australia.

Output of dcdiag /e /q as follows -

            NtFrs Service is stopped on [SVAUAD01]
         ......................... SVAUAD01 failed test Services
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... SVAUAD01 failed test frsevent
         Some objects relating to the DC SVAUAD01 have problems:
            [1] Problem: Missing Expected Value

             Base Object:

            CN=SVAUAD01,OU=Domain Controllers,DC=spendvision,DC=com

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: frsComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
         ......................... SVAUAD01 failed test VerifyReferences
            NtFrs Service is stopped on [SVAUAD02]
         ......................... SVAUAD02 failed test Services
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... SVAUAD02 failed test frsevent
         Some objects relating to the DC SVAUAD02 have problems:
            [1] Problem: Missing Expected Value

             Base Object:

            CN=SVAUAD02,OU=Domain Controllers,DC=spendvision,DC=com

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: frsComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
         ......................... SVAUAD02 failed test VerifyReferences
            NtFrs Service is stopped on [SVUSAD01]
         ......................... SVUSAD01 failed test Services
         Some objects relating to the DC SVUSAD01 have problems:
            [1] Problem: Missing Expected Value

             Base Object:

            CN=SVUSAD01,OU=Domain Controllers,DC=spendvision,DC=com

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: frsComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
         ......................... SVUSAD01 failed test VerifyReferences
            NtFrs Service is stopped on [SVUSAD02]
         ......................... SVUSAD02 failed test Services
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... SVUSAD02 failed test frsevent
         Some objects relating to the DC SVUSAD02 have problems:
            [1] Problem: Missing Expected Value

             Base Object:

            CN=SVUSAD02,OU=Domain Controllers,DC=spendvision,DC=com

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: frsComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
         ......................... SVUSAD02 failed test VerifyReferences

Output of dcdiag /v /c /d /s:DC_Name (Copying only error messages & see if that helps)

Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         An Warning Event occured.  EventID: 0x000005FA
            Time Generated: 01/02/2013   14:40:10
            (Event String could not be retrieved)
         ......................... SVAUAD01 failed test frsevent

Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
            NtFrs Service is stopped on [SVAUAD02]
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SVAUAD02 failed test Services
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         ......................... SVAUAD02 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         SVAUAD02 is in domain DC=spendvision,DC=com
         Checking for CN=SVAUAD02,OU=Domain Controllers,DC=spendvision,DC=com in domain DC=spendvision,DC=com on 4 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=SVAUAD02,CN=Servers,CN=Sydney-AD,CN=Sites,CN=Configuration,DC=spendvision,DC=com in domain CN=Configuration,DC=spendvision,DC=com on 4 servers
            Object is up-to-date on all servers.
         ......................... SVAUAD02 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... SVAUAD02 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         An Error Event occured.  EventID: 0x00001057
            Time Generated: 01/02/2013   10:00:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x000003E8
            Time Generated: 01/02/2013   10:05:44
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x000003E8
            Time Generated: 01/02/2013   10:06:15
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x000003E8
            Time Generated: 01/02/2013   10:19:36
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x000003E8
            Time Generated: 01/02/2013   10:20:32
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x000005FA
            Time Generated: 01/02/2013   11:12:39
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x000005FA
            Time Generated: 01/02/2013   11:41:38
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x000005FA
            Time Generated: 01/02/2013   11:57:37
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000100B
            Time Generated: 01/02/2013   14:26:30
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000100B
            Time Generated: 01/02/2013   14:55:53
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000100B
            Time Generated: 01/03/2013   06:19:47
            (Event String could not be retrieved)
         ......................... SVAUAD02 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... SVAUAD02 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 01/03/2013   06:23:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 01/03/2013   06:24:04
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 01/03/2013   06:24:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 01/03/2013   06:25:20
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 01/03/2013   06:25:58
            (Event String could not be retrieved)
         ......................... SVAUAD02 failed test systemlog
      Starting test: VerifyReplicas
         ......................... SVAUAD02 passed test VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)

         CN=SVAUAD02,OU=Domain Controllers,DC=spendvision,DC=com and backlink

         on

         CN=SVAUAD02,CN=Servers,CN=Sydney-AD,CN=Sites,CN=Configuration,DC=spendvision,DC=com

         are correct.
         Some objects relating to the DC SVAUAD02 have problems:
            [1] Problem: Missing Expected Value

             Base Object:

            CN=SVAUAD02,OU=Domain Controllers,DC=spendvision,DC=com

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: frsComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
            The system object reference (serverReferenceBL)

            CN=SVAUAD02,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=spendvision,DC=com

            and backlink on

            CN=NTDS Settings,CN=SVAUAD02,CN=Servers,CN=Sydney-AD,CN=Sites,CN=Configuration,DC=spendvision,DC=com

            are correct.
         ......................... SVAUAD02 failed test VerifyReferences
      Starting test: VerifyEnterpriseReferences
         The following problems were found while verifying various important DN

         references.  Note, that  these problems can be reported because of

         latency in replication.  So follow up to resolve the following

         problems, only if the same problem is reported on all DCs for a given

         domain or if  the problem persists after replication has had

         reasonable time to replicate changes.
            [1] Problem: Missing Expected Value

             Base Object:

            CN=SVAUAD02,OU=Domain Controllers,DC=spendvision,DC=com

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: frsComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
            [2] Problem: Missing Expected Value

             Base Object:

            CN=SVAUAD01,OU=Domain Controllers,DC=spendvision,DC=com

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: frsComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
            [3] Problem: Missing Expected Value

             Base Object:

            CN=SVUSAD01,OU=Domain Controllers,DC=spendvision,DC=com

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: frsComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
            [4] Problem: Missing Expected Value

             Base Object:

            CN=SVUSAD02,OU=Domain Controllers,DC=spendvision,DC=com

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: frsComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
            LDAP Error 0x5e (94) - No result present in message.
         ......................... SVAUAD02 failed test VerifyEnterpriseReferences

On top of this, there are "n" number of DFSR warning messages in Administrative Events on 3 DCs. The warning message - “DFS Replication service is stopping communication with partner SVAUAD01/AD02 for replication group domain system volume due to an error”. Event id - 5014

The above warning message also appears in SVUSAD01.

Please let me know how to resolve these issues.

Thanks,

Saravana