Hi,
We are migrating Windows 2003 to 2012. Is it safe to isolate the schema master by disabling the outbound replication and then running ADPrep. After we have verified that the schema updated properly with no errors, then we can enable the outbound replications?
Thanks,
Hi Everyone,
I'm currently in the process of planning out the preparation of my work's production domains for 2012 R2 Domain Controllers. We're looking to run the ADPrep cmd's ahead of time before promoting the first 2012 R2 Domain Controllers into the fleet.
I'm reviewing the following Microsoft URL:
https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx
specifically for the adprep /domainprep /gpprep cmd:
If you already ran the /gpprep parameter for Windows Server 2003, you do not have to run it again for later versions of Windows Server.
I was not around my current place of employment when we first built/promoted 2003 Domain Controllers, so I'm not 100% sure this command was run. Most likely it has, but we have no source of documentation to confirm.
Is there anyway to identify if the gpprep cmd has been run previously on your Active Directory Domains/Forests?
Thanks in Advance!
Simon.
I have an HTTP server that authenticates clients with Negotiate protocol. I can run the server both as a console application and as a windows service. I also use a specific domain account as a logon identity. The server calls SSPI AcquireCredentialsHandle
and AcceptSecurityContext and exchanges binary tokens with client. I can successfully login with another domain account from remote machines (probably via Kerberos) and from the same machine where the server is running (seems to be using NTLM) when the server
is running as a console application. However when I start it as a windows service I'm getting SEC_E_INVALID_HANDLE when I try to log in from the same machine where the server is running.
Here is how it happens:
1. Client sends HTTP GET request http://localhost:8082
2. Server responds with HTTP 401 and "WWW-Authenticate: Negotiate" header.
3. Client sends Authorization header and includes the following data:
607306062B0601050502 A0 693067 A0 30`s..+..... i0g 0302E060A2B06010401823702020A06090...+....7.....2A864882 F7 1201020206092A864886 F7 *H÷......*H÷12010202060A2B06010401823702021E......+....7...
A2 3304314E544C4D5353500001000000¢3.1NTLMSSP.....97 B2 08 E2 040004002D00000005000500².â....-.......280000000601 B1 1D0000000F50414345(.....±.....PACE4D424C4148 MBLAH 4.Server responds with HTTP 401 error and negotiate header prompting to continue:
A1 81 CE 3081 CB A0 030A0101 A1 0C060A2B¡Î0Ë ....¡...+06010401823702020A A2 81 B5 0481 B2 4E....7...¢µ.²N544C4D53535000020000000800080038 TLMSSP.........8I had to truncate a few lines...5.Client sends Authorization header:
A1 773075 A0 030A0101 A2 5A04584E544C¡w0u ....¢Z.XNTL4D535350000300000000000000580000 MSSP.........X..00000000005800000000000000580000.....X.......X..I had to truncate a few lines 6.Server responds with HTTP 200 and negotiate header:
A1 1B3019 A0 030A0100 A3 120410010000¡.0. ....£......004387 E0 88 C1 36 E3 A9 00000000.CàÁ6ã©....Now the step #6 works fine if the server is running in console mode, but fails with invalid handle error as a windows service. In both cases I'm using same domain accounts. Is there any additional privileges I need to grant to that user, or could be related
to some restrictions like session 0 isolation?
Here is the server code authenticating clients:
public static WinAuthResult Authenticate(string clientId, byte[] clientTokenBytes, string securityPackage, ILogger logger)
{
if (clientTokenBytes == null || clientTokenBytes.Length == 0)
{
ClearContext(clientId);
throw new Win32Exception(Secur32.SEC_E_INVALID_TOKEN);
}
var serverCredExpiry = new Secur32.SECURITY_INTEGER();
var serverCredHandle = new Secur32.SecHandle();
var acquireResult = Secur32.AcquireCredentialsHandle(null, securityPackage, Secur32.SECPKG_CRED_INBOUND, IntPtr.Zero, IntPtr.Zero, 0, IntPtr.Zero, out serverCredHandle, out serverCredExpiry);
if (acquireResult != Secur32.SEC_E_OK)
throw new Win32Exception(acquireResult);
var oldContextExists = contexts.ContainsKey(clientId);
var oldContextHandle = GetContextHandle(clientId);
var newContextHandle = new Secur32.SecHandle();
var clientToken = new Secur32.SecBufferDesc(clientTokenBytes);
var outputToken = new Secur32.SecBufferDesc(61440);
var contextAttributes = (uint)0;
var outputCresExpiry = new Secur32.SECURITY_INTEGER();
int acceptResult;
if (!oldContextExists)
{
acceptResult = Secur32.AcceptSecurityContext(
ref serverCredHandle,
IntPtr.Zero,
ref clientToken,
0,
Secur32.SECURITY_NATIVE_DREP,
ref newContextHandle,
ref outputToken,
out contextAttributes,
out outputCresExpiry);
}
else
{
acceptResult = Secur32.AcceptSecurityContext(
ref serverCredHandle,
ref oldContextHandle,
ref clientToken,
0,
Secur32.SECURITY_NATIVE_DREP,
ref newContextHandle,
ref outputToken,
out contextAttributes,
out outputCresExpiry);
}
if (acceptResult == Secur32.SEC_E_OK)
{
ClearContext(clientId);
return new WinAuthResult(false, outputToken.GetSecBufferByteArray());
}
else if (acceptResult == Secur32.SEC_I_CONTINUE_NEEDED)
{
contexts[clientId] = newContextHandle;
return new WinAuthResult(true, outputToken.GetSecBufferByteArray());
}
else
{
ClearContext(clientId);
throw new Win32Exception(acceptResult);
}
}
Greetings
I have two Sites in my Active Directory Domain (Production and DR Site); having one Domain Controller in each site running on Win Server 2008 R2.
I have enabled Security Auditing.
Several events are being triggered on the DR Site Domain Controller as mentioned below
---------------------------------------------------------------------------------------------------------
XX.XX.XX.XX||Security||593305315||Microsoft-Windows-Security-Auditing||5140||61||1447640869||4||<ServerName>.fqdn||||File Share||11||S-1-5-21-3237255069-2806970024-1613653209-11616||UserName||Site||0x379139d76||File||XX.XX.XX.XX||52848||\\*\IPC$||||0x1||%%4416-----------------------------------------------------------------------------------------------------
Please advise why these users are trying to access the file/service in DR Domain Controller.
I understand that this is not the Authentication.
Kindly advise
Thanks in advance.
Hi Team,
I have a scenario where servers in perimiter(DMZ) network must authenticate through a configured RODC.
Offline domain joining is done for member server (windows server 2008 R2 STD) followed by the below reference.
https://technet.microsoft.com/en-us/library/dd728035(v=ws.10).aspx#run_join_script
http://go.microsoft.com/fwlink/?LinkID=195444
Command used :
Djoin /Provision /Domain micra.local /Machine EMPIRE /SaveFile C:\WS2Join.txt On Server.
Djoin /RequestODJ /LoadFile C:\WS2Join.txt /WindowsPath %windir% /LocalOS On Member server
After Joining to domain , we tried to configure RODC DNS entry in Member server DNS configuration and tried to login with domain credentials. Authentication is failing due to the member is unable to find logon servers.
Please help us to find some solution to rectify the issue.
Thanks in Advance,
Nithin Nan
Hi,
I'm hoping that someone here might be able to help me out with an issue that I'm having where a GPO doesn't apply consistently.
We have group policies set up which lock a computer down for exams (disabling proofing tools in Word etc...) but there only seems to be about a 50/50 chance of the policies applying correctly. There is no obvious pattern to combinations of users and computers,
we can't guarantee that an account which successfully logs on to a computer once will subsequently be able to log on to that same computer correctly again.
I've looked through the Group Policy\Operational log and the only thing I can say with certainty is that when an account successfully logs on the loopback processing is set to Merge mode, if it doesn't apply properly LBP will have been set to Replace. It doesn't
appear to matter which DC the computer communicates with during log on.
I've checked all GPOs and in every case where LBP is configured on a policy it is set to Merge mode.
Has anyone got any bright ideas that may be able to help me as I'm out of ideas and Googling LBP just returns the same old "What is loopback processing?" articles.
Thanks!
In short, I have a new 2012R2 Server that I have installed AD DS on which is also hosting the forest. I have an older 2008R2 server that I am attaching to that existing forest and getting the following error message:
"The operation failed because:
The functional level of the forest is incompatible with this operating system.
"The version of the operating system is incompatible with the current AD DS forest functional level or AD LDS Configuration Set functional level. You must upgrade to a new version of the operating system before this server can become an AD DS Domain Controller or add an AD LDS Instance in this AD DS Forest or AD LDS Configuration Set."
This error can occur if you have not been granted necessary permissions to read data in the directory. For more information, please see article 936241 in the Microsoft Knowledge Base
**** On a side note, that link is broke.
Further info:
Configure this server as an additional Active Directory domain controller for the domain "corp.Eagle_2012R2.com".
Site: Default-First-Site-Name
Additional Options:
Read-only domain controller: "No"
Global catalog: Yes
DNS Server: Yes
Update DNS Delegation: No
Source DC: Eagle_2012R2.corp.Eagle_2012R2.com
Database folder: C:\Windows\NTDS
Log file folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL
The DNS Server service will be configured on this computer.
This computer will be configured to use this DNS server as its preferred DNS server.
Any help greatly appreciated.
Hi,
I am getting error while running repadmin /syncall command from domain controller. When I ran repadmin /replsum command I can't see any failures too.Moreover I am able to ping the DC slc0012 from all other servers. RPC and LDAP ports are able to telnet from other DC's as well
C:\Users\santo>repadmin /syncall /APedHi,
I want code to retrieve EmployeeID from EmployeeFullName from active directories.
If I input the name as G N,Muanjunath, I need to get his employeeID using active directories.
Thanks
I am currently setting the logon hours of users in a domain. The user is only allow to log in on Monday to Friday, 8am - 6 pm. I have successful configure it. The question I want to ask is, is that possible to change the error message that user can see.
As the figure show above, the error message is "Your account has time restrictions that prevent you from signing in at this time. Please try again later." Is there a way of changing this message to something like "You can only log in at 8am - 6pm on every Monday to Friday."?
Hi, I have a strange situation here. I have 3 DC's, each in a different site.
DC5 is the PDC Emulator role holder and is in Site A
DC6 is in Site B
DC7 is in Site C
If I place a text file in the NetLogon folder of DC6, it replicates nearly instantly to DC5 and DC7. Same goes if I place a file in the NetLogon folder of DC7. However, nothing replicates from DC5 to DC6 or DC7. I have tried doing an authoritative sync from DC5 to the others, but it does not work.
On DC5, I see the message "The DFS Replication service successfully established an inbound connection with partner DC6 for replication group Domain System Volume. "
However, I do not see a similar message on DC5. I have also run various versions of the repadmin command, inluding repadmin syncall /APeD from DC5.
Can anyone assist with this? I am happy to provide whatever logs you wish to see. I feel like I must be missing something obvious.
Greetings,
Could please tell me what event ID in the security event log that refers to who changed the membership of the AD Builting Administrators group.
Thanks.
Redouane SARRA
Hello All...........I am running AD on Windows Server 2012. And I want to introduce Windows Server 2012 R2 as DCs in the current environment.
1. Do I need to take something into consideration before adding new DCs?
2. Would it cause any distress to existing DCs?
3. Would the new DCs start to AAA against users?
4. Do I need to first figure out what the location, site, subnet or Link cost before adding it?
5. Any other considerations that I must take?
6. I am doing this so that I can create IP Less DAG, so any considerations for that that I must take care?
Windows 7 Pro 64 bit computer working normally or recently rebooted. User tries to logon and the access denied message displays. I try to logon with local admin account and get the same error. Sometimes rebooting the pc will allow you to logon correctly
but we have had to boot into safe mode and choose "active directory repair" on several machines. This has happened on several windows 7 desktops and one 2008 r2 server running Terminal Services. We have about 80 user computers and so far 10 have
had this issue over the last month.
Our 2 DC servers are Windows 2008 R2. I couldn't find any AD errors.
To "fix" the pc we had to:
1.Boot into Safe Mode with Command Prompt
2.At the DOS prompt (Cmd) window, type MSCONFIG and press Enter
3.When MSCONFIG opens click the "Boot Options" tab
4.Click the option for "Active Directory Repair"
5.Exit MSCONFIG, and reboot the PC
The PC will boot into Safe Mode regardless of what you choose (e.g. "Start Windows Normally")
You may need to reboot more than once for the repair to be completed, mine needed 2 times.
When a computer has the issue I cannot logon with the domain credentials or the local admin user credentials. Unplugging the network cable doesn't help. The only way to "fix" the issue is to boot into safe mode, login with local admin account and run msconfig, safe boot, active directory repair.
Does anyone know what Safeboot Active Directory repair does? I reboot into this mode and then I reboot again normally and the issue is resolved. If I knew what exactly happens when I boot into safe mode with active directory repair checked then maybe I can understand the problem more.