Nirmal Singh IT Administrator
Active Directory
Active directory not replicating after full server restore
Hello everyone!
To give you guys a general idea, this was what has happened:
I have 2 DCs on Server 2008 R2 running Active Directory. DC1 is my primary domain controller, which holds all the FSMO roles. DC2 is my backup domain controller, which also runs MDT and WSUS.
Now, DC2 crashed during the weekend and could not boot normally, so I decided to restore the server from my previous good backup image, because I didn't want to lose all my MDT configurations, images, etc.
I now think that this was my mistake. I have read that a domain controller shouldn't be recovered using a complete system image because that could leave Active Directory in an inconsistent state. Well, unfortunately that was exactly what happened.
My DC1 is OK and Active Directory seems to be running normally. My DC2 is up and running again, but AD is not receiving replications from DC1. DC1 shows replication errors in AD events, and the System event log also shows "Security-Kerberos" errors from DC2, which point to some changes that I didn't make. Here's that system error (I have removed my server names for obvious reasons):
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc2$. The target name used was "...". This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (...) is different from the client domain (..), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Can I restore my AD replication on my backup domain controller DC2 without reinstalling the server?
Thanks in advance.
Regards,
JPN
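An added diagnostic for the situation described in this post (not code from the poster). It assumes the names DC1 (the healthy DC) and DC2 (the DC restored from the image) and is run from an elevated prompt on DC1 with the ActiveDirectory module. It checks the markers NTDS writes when it detects a USN rollback after an image restore, pulls the KRB_AP_ERR_MODIFIED entries quoted above, compares both DCs' view of DC2's machine-account password age, and prints inbound replication status.

```powershell
# Added diagnostic (not from the original post). Assumed names: DC1 = healthy DC,
# DC2 = DC restored from a disk image. Run elevated on DC1.
param(
    [string]$HealthyDc  = 'DC1',
    [string]$RestoredDc = 'DC2'
)
Import-Module ActiveDirectory

# 1. USN rollback marker. When NTDS detects that its database was rolled back it sets
#    "Dsa Not Writable" = 4 under the NTDS Parameters key and pauses Netlogon, so the DC
#    stops advertising itself and stops outbound replication.
$marker = Invoke-Command -ComputerName $RestoredDc -ScriptBlock {
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        DsaNotWritable = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Dsa Not Writable'
        Netlogon       = (Get-Service -Name Netlogon).Status
    }
}
"USN rollback marker on ${RestoredDc}: DsaNotWritable=$($marker.DsaNotWritable) Netlogon=$($marker.Netlogon)"

# 2. Directory Service log on the restored DC: 2095 = USN rollback detected,
#    2103 = database restored with an unsupported procedure, 2042 = replication refused
#    because the partner has not replicated for longer than the tombstone lifetime.
Get-WinEvent -ComputerName $RestoredDc -MaxEvents 20 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 2042 } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }

# 3. The KRB_AP_ERR_MODIFIED entries quoted in the post: System log,
#    provider Microsoft-Windows-Security-Kerberos, event ID 4, on the DC that logged them.
Get-WinEvent -ComputerName $HealthyDc -MaxEvents 10 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4 } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }

# 4. Both copies of DC2's computer object. An image restore brings back DC2's old machine-account
#    password (kept in its LSA secret) while the KDC on DC1 may hold a newer one; a pwdLastSet that
#    is older on DC2 than on DC1 is exactly the mismatch the Kerberos event describes.
foreach ($askedDc in $HealthyDc, $RestoredDc) {
    $obj = Get-ADComputer -Identity $RestoredDc -Server $askedDc -Properties pwdLastSet -ErrorAction SilentlyContinue
    if ($obj) { "$RestoredDc pwdLastSet as seen by ${askedDc}: $([datetime]::FromFileTime($obj.pwdLastSet))" }
}

# 5. Inbound replication status from DC1's point of view.
Get-ADReplicationPartnerMetadata -Target $HealthyDc -PartitionFilter * |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
```

If step 1 shows the rollback marker (or step 2 shows event 2095/2103), the restored DC's database is no longer a valid replica; the supported path on 2008 R2 is a forced demotion (`dcpromo /forceremoval`), metadata cleanup, and a fresh promotion, which leaves the MDT and WSUS roles on the box untouched. Resetting the machine-account password with `netdom resetpwd` only helps when the password is the sole thing out of sync and no rollback marker is present.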
relationship between SPN notation and suffix routing
Hi all,
Is there any relation between a FQDN that is used in an SPN and suffix routing that might be configured between two forests using the same 'domain' suffix as was used in the FQDN in the SPN?
Forest trust between forestA.com and ForestB.com; ForestB.com will get a suffix registered for company.com and suffix routing will be enabled. (New users are created in ForestB with the UPN suffix @company.com.)
However, in forestA.com there are, e.g., resources with constrained delegation via service accounts that use an SPN like HTTP\server.company.com, which exist for services (e.g. a webserver) in ForestA only.
As far as I know, that last SPN part will be like a FQDN, or is this involved in the suffix routing as well?
The whole Kerberos ticketing would be based on http/server.company.com@forestA.com and would therefore not be routed to ForestB.com? Or am I missing something?
TIA
Replication Event ID
Hi,
I wanted to check Active Directory replication: successful and failed event logs in 2008.
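An added example (not from the poster) that pulls the replication-related events from the Directory Service log of every DC in the domain and the live failure counters. It assumes an account that can read event logs remotely and DCs running ADWS (2008 R2 or later); the event IDs listed are the ones NTDS writes for replication problems. Successful replication is not logged by default, so the last function shows the diagnostics switch that turns it on.

```powershell
# Added example (not from the original post). Assumes remote event-log access to all DCs.
Import-Module ActiveDirectory

# Failure-side events written by NTDS to the Directory Service log:
# 1311/1865 KCC topology problems, 1925 replication link could not be established,
# 2042 partner too long since last replication, 2087/2088 partner DNS lookup failed,
# 1988 lingering object, 2095 USN rollback detected.
$failureIds = 1311, 1865, 1925, 2042, 2087, 2088, 1988, 2095

$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = $failureIds; StartTime = (Get-Date).AddDays(-7)
    } | Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id,
                      @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

# Live counters from the DCs themselves (what repadmin /showrepl summarises).
Get-ADReplicationFailure -Target $dcs -ErrorAction SilentlyContinue |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

# Successful syncs are only logged when the "5 Replication Events" diagnostics value is raised.
# Level 3 logs every successful inbound sync; set it back to 0 afterwards because it is noisy.
function Set-ReplicationEventLevel {
    param([string]$Dc, [ValidateRange(0, 5)][int]$Level)
    Invoke-Command -ComputerName $Dc -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
            -Name '5 Replication Events' -Value $using:Level -Type DWord
    }
}
# Set-ReplicationEventLevel -Dc $dcs[0] -Level 3
```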
best solution for authentication in dmz ? RODC or ADLDS
Permissions for a dedicated user to join computers to a specific OU in domain
Hi all,
I need a dedicated user who has permissions to join a computer to a specific OU in the domain. I am trying to join a Linux computer to the domain with realm. (See here, chapter 3.3.2, Joining an Active Directory Domain.)
I tried these steps: (see here)
- Click Start, click Run, type dsa.msc, and then click OK.
- In the task pane, expand the domain node.
- Locate and right-click the OU that you want to modify, and then click Delegate Control.
- In the Delegation of Control Wizard, click Next.
- Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
- In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
- Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
- Click Next.
- In the Permissions list, click to select the following check boxes:
- Reset Password
- Read and write Account Restrictions
- Validated write to DNS host name
- Validated write to service principal name
- Click Next, and then click Finish.
- Close the "Active Directory Users and Computers" MMC snap-in
If I try to join the computer to the domain, the computer account is created, but no DNS entry. If I add my user to the group Domain Admins or Account Operators, the join works correctly (computer account and DNS entry created).
How do I need to set the permissions for the dedicated user so that he can join a computer to a specific OU?
It is a freshly installed Active Directory on a Windows Server 2012 R2.
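An added example (not from the poster) that applies the same delegation as the wizard steps above as an ACL edit, so the result is reviewable and repeatable. It assumes the OU "OU=Linux,DC=example,DC=com" and a group "LinuxJoiners" (delegating to a group rather than one user is the usual practice); the GUIDs are the well-known schema and extended-right identifiers. The script only changes the AD object ACL; it does nothing to the DNS zone, whose dynamic-update permissions are a separate matter.

```powershell
# Added example (not from the original post). Assumed OU and group names below.
Import-Module ActiveDirectory
$ouDn  = 'OU=Linux,DC=example,DC=com'
$group = 'LinuxJoiners'
$sid   = (Get-ADGroup -Identity $group).SID

# Well-known GUIDs from the schema and the Extended-Rights container
$computerClass   = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # Computer object class
$resetPassword   = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password ("Reset Password")
$accountRestrict = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set
$validatedDns    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$validatedSpn    = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function New-Ace {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit,
        [guid]$InheritedObjectType = [guid]::Empty
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, $Allow, $ObjectType, $Inherit, $InheritedObjectType)
}

$acl = Get-Acl -Path "AD:\$ouDn"
# Create and delete computer objects in this OU and below
$acl.AddAccessRule((New-Ace 'CreateChild, DeleteChild' $computerClass $All))
# On descendant computer objects only: reset password, account restrictions, validated writes
$acl.AddAccessRule((New-Ace 'ExtendedRight'              $resetPassword   $Desc $computerClass))
$acl.AddAccessRule((New-Ace 'ReadProperty, WriteProperty' $accountRestrict $Desc $computerClass))
$acl.AddAccessRule((New-Ace 'Self'                       $validatedDns    $Desc $computerClass))   # Self = validated write
$acl.AddAccessRule((New-Ace 'Self'                       $validatedSpn    $Desc $computerClass))
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: the ACEs now held by the group on the OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The join itself touches only the computer object (create it, set its password, write userAccountControl, dNSHostName and servicePrincipalName), which is what these ACEs cover. The host's A record is written by a dynamic DNS update from the joined machine, so when the account appears but the record does not, the place to look is the zone's dynamic-update settings and the client's DNS update configuration, not this ACL.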
Outlook Address book issue
Hi,
I need your help in order to resolve an issue related to Outlook (I assume).
I made changes to the designation of a user in AD, but they did not replicate to Outlook. Now I notice that whatever changes are made in AD are not replicating to the Global Address List of Outlook, but the changes are present in All Users.
I think this is an issue with the Offline Address Book.
can somebody assist?
Send conditional claims using custom rule
We're in a bit of a pickle here.
We've set up a relying party trust for a third-party application that requires the following claim rules:
SAM-Account-Name -> Given Name (this will be used for the username in the third-party application)
Given-Name -> Name ID
That all works well, but we're going to add external people now. The requirements are that the externals should use their email address as username, and that's giving us some issues.
We can't use an email address in the SAM-Account-Name due to pre-Windows 2000 ugliness. So we're not doing that. I've set up Alternate login for AD FS, using the mail attribute, and added a third claims rule:
Mail -> Given Name
Now, I wasn't expecting it to work, and of course it didn't.
I was thinking it might make more sense to create a custom rule, where I could use some logic to determine if the user's group is "External" (or something similar), and if so, send the Mail attribute as Given Name, instead of the SAM-Account-Name for internal users.
Would that work in the described scenario? And more importantly, if so, can anyone give me some pointers?
Thanks!
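An added example (not from the poster) of the group-conditional rule set described above, applied with the AD FS PowerShell module. It assumes the relying party trust is named "ThirdPartyApp", that external users are members of an AD group named "Externals" (the name tokenGroups returns), and that a temporary claim type "http://temp/isExternal" can be used as a marker. The marker is created with `add()` rather than `issue()` so it stays in the pipeline and never reaches the application; the final rule derives Name ID from the Given Name claim the earlier rules produced, which differs from the original second rule that read the AD Given-Name attribute directly.

```powershell
# Added example (not from the original post). Assumed RP name, group name and marker claim type.
Import-Module ADFS

$rpName = 'ThirdPartyApp'
$wan    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$given  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
$nameId = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$temp   = 'http://temp/isExternal'   # pipeline-only marker, never sent to the RP

$rules = @"
@RuleName = "Mark group membership (add() keeps it out of the token)"
c:[Type == "$wan", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("$temp"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Externals: mail attribute as Given Name"
c1:[Type == "$wan", Issuer == "AD AUTHORITY"]
 && c2:[Type == "$temp", Value == "Externals"]
 => issue(store = "Active Directory", types = ("$given"), query = ";mail;{0}", param = c1.Value);

@RuleName = "Internals: sAMAccountName as Given Name"
c:[Type == "$wan", Issuer == "AD AUTHORITY"]
 && NOT EXISTS([Type == "$temp", Value == "Externals"])
 => issue(store = "Active Directory", types = ("$given"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Given Name -> Name ID"
c:[Type == "$given"]
 => issue(Type = "$nameId", Value = c.Value);
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Show what is now configured
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Rules run in order and `issue()`/`add()` results are visible to later rules, which is what makes the marker work. Two failure modes to test before going live: an external user with an empty mail attribute gets no Given Name and therefore no Name ID (the token is rejected by the application), and a user who is in "Externals" and also has an internal account style still gets the mail value because the group decides, not the login method.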
Delegation for rebooting Domain Controller
Hello All,
We have 8 domains in total, containing approximately 150 domain controllers.
For our monitoring team, we want to provide rights to reboot a domain controller after the monthly patches.
I tried adding them to the Admin group, but then they get access to RDP to a DC, which is not required.
Is there any way to provide access for DC reboot only?
Thanks HA
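An added example (not from the poster) that grants a group only the "Force shutdown from a remote system" user right (SeRemoteShutdownPrivilege) on domain controllers, with no membership in Administrators and no logon right of any kind. It assumes a group named "DC-Rebooters". Because that right is defined in the Default Domain Controllers Policy, a local change would be overwritten at the next refresh; the script therefore writes a security template for import into a GPO linked to the Domain Controllers OU (in the GPO editor: Security Settings, right-click, Import Policy...), and provides a check for the result.

```powershell
# Added example (not from the original post). Assumed group name: DC-Rebooters.
Import-Module ActiveDirectory
$group = 'DC-Rebooters'
$sid   = (Get-ADGroup -Identity $group).SID.Value

# Keep the default holders of the right on DCs: Administrators (S-1-5-32-544), Server Operators (S-1-5-32-549).
$holders = @('*S-1-5-32-544', '*S-1-5-32-549', "*$sid") -join ','

$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeRemoteShutdownPrivilege = $holders
"@
$infPath = Join-Path $env:TEMP 'dc-remote-shutdown.inf'
$inf | Set-Content -Path $infPath -Encoding Unicode
"Security template written to $infPath; import it into a GPO linked to the Domain Controllers OU."

# Verification on a DC once the GPO has applied: export the effective user rights and look for the SID.
function Test-RemoteShutdownRight {
    param([string]$Dc, [string]$Sid)
    Invoke-Command -ComputerName $Dc -ScriptBlock {
        $out = Join-Path $env:TEMP 'rights.inf'
        secedit /export /cfg $out /areas USER_RIGHTS | Out-Null
        $line = Get-Content $out | Where-Object { $_ -like 'SeRemoteShutdownPrivilege*' }
        Remove-Item $out
        [bool]($line -match [regex]::Escape($using:Sid))
    }
}
# Test-RemoteShutdownRight -Dc 'DC01' -Sid $sid

# What the monitoring team then runs from their own workstation. The shutdown RPC checks only
# SeRemoteShutdownPrivilege on the target; no interactive or RDP logon right is involved.
# shutdown.exe /r /m \\DC01 /t 30 /c "Post-patch reboot"
```

`Restart-Computer` is not a substitute here: it goes through WMI/DCOM, which on a DC is limited to administrators, whereas `shutdown.exe /m` uses the remote shutdown RPC that this single right authorises. Since the group holds one right on DCs and nothing else, its members cannot log on to a DC locally or over RDP.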
globalname zone
Is there a GlobalNames zone in 2012 AD? I only see it for 2008 on the web.
I have heard that there is some full WINS replacement feature in 2012 R2?
Is it true?
What is it?
Thx.
--- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis
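An added example (not from the poster) that creates and enables a GlobalNames zone with the DnsServer module that ships with Windows Server 2012 and later. It assumes the script runs on a DNS server that is also a DC, that the forest is "example.com", and that the single-label name "intranet" should resolve to web01.example.com.

```powershell
# Added example (not from the original post). Assumed forest example.com and alias "intranet".
Import-Module DnsServer
Import-Module ActiveDirectory

$gnz = 'GlobalNames'   # the zone name is fixed; the server only consults a zone with this name

# 1. The zone must be AD-integrated and, for forest-wide single-label resolution, replicated
#    to every DNS server in the forest.
if (-not (Get-DnsServerZone -Name $gnz -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $gnz -ReplicationScope Forest
}

# 2. Each DNS server that should answer single-label queries needs the feature switched on;
#    the setting is per server, the zone alone is not enough.
$dnsServers = (Get-ADDomainController -Filter *).HostName
foreach ($s in $dnsServers) { Set-DnsServerGlobalNameZone -ComputerName $s -Enable $true }

# 3. Only CNAME records belong in the zone: each single-label name points at an FQDN.
Add-DnsServerResourceRecordCName -ZoneName $gnz -Name 'intranet' -HostNameAlias 'web01.example.com' -ErrorAction SilentlyContinue

# 4. Check: the single-label name resolves without any DNS suffix search.
Resolve-DnsName -Name 'intranet' -Type CNAME -Server $dnsServers[0]
```

GNZ covers the static, administrator-maintained part of what WINS did (well-known single-label names); it has no dynamic registration, so hosts that rely on NetBIOS name registration are not replaced by it.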
user account getting locked out frequently in 2008R2 AD environment
One of the user accounts is getting locked out frequently in a 2008 R2 AD environment. I have checked event 4740 on the PDC emulator server; it shows the caller machine as the share path \\10.1.7.180.
10.1.7.180 is a XenServer 6.5 host; not sure why the caller machine points to the share path.
I deleted the saved credentials on the user's laptop and disconnected the old sessions on the servers; even after that the user ID keeps getting locked out frequently.
Refer to the netlogon errors:
2/23 08:21:48 [LOGON] CDDO: SamLogon: Transitive Network logon of (null)\John from \\10.1.7.180 (via server20) Entered
12/23 08:21:48 [LOGON] CDDO: SamLogon: Transitive Network logon of (null)\John from \\10.1.7.180 (via server20) Returns 0xC0000234
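An added example (not from the poster) that correlates the 4740 events on the PDC emulator with Netlogon debug log lines of the form quoted above, to name the host that keeps presenting the stale credential and the DC that forwarded it. It assumes the account name "John" and the DC "server20" from the posted line; the sample log line in the block is constructed from that line. Netlogon debug logging is enabled on a DC with `nltest /dbflag:0x2080ffff` and written to %SystemRoot%\debug\netlogon.log.

```powershell
# Added example (not from the original post). Assumed account "John" and DC "server20".
Import-Module ActiveDirectory

function Get-LockoutSources {
    param([string]$User, [int]$Days = 1)
    $pdc = (Get-ADDomain).PDCEmulator   # every lockout is reported to the PDC emulator
    Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days)
    } | Where-Object { $_.Properties[0].Value -eq $User } | ForEach-Object {
        # 4740 layout: [0] TargetUserName, [1] TargetDomainName = caller computer, [4] SubjectUserName = DC
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value
            LockingDc      = $_.Properties[4].Value
        }
    }
}

# Netlogon log line as posted. 0xC0000234 = STATUS_ACCOUNT_LOCKED_OUT (already locked),
# 0xC000006A = STATUS_WRONG_PASSWORD (the attempts that cause the lockout).
$logLinePattern = 'SamLogon: Transitive Network logon of (?<Domain>[^\\]+)\\(?<User>\S+) from \\\\(?<Source>\S+) \(via (?<Via>\S+)\) Returns (?<Status>0x[0-9A-Fa-f]+)'

function Get-NetlogonLockouts {
    param([string[]]$Lines, [string]$User)
    foreach ($l in $Lines) {
        if ($l -match $logLinePattern -and $Matches.User -eq $User -and
            $Matches.Status -in '0xC0000234', '0xC000006A') {
            [pscustomobject]@{ Source = $Matches.Source; Via = $Matches.Via; Status = $Matches.Status }
        }
    }
}

# Constructed sample line in the format quoted in the post
$sample = @(
    '12/23 08:21:48 [LOGON] CDDO: SamLogon: Transitive Network logon of (null)\John from \\10.1.7.180 (via server20) Returns 0xC0000234'
)
Get-NetlogonLockouts -Lines $sample -User 'John'       # Source 10.1.7.180, Via server20
# Live: Get-NetlogonLockouts -Lines (Get-Content '\\server20\admin$\debug\netlogon.log') -User 'John'
Get-LockoutSources -User 'John'
```

"Transitive Network logon ... (via server20)" means the credential arrived at server20 over the network and server20 passed it to the DC, so the next place to look is server20's Security log for 4625/4776 entries from 10.1.7.180, and on the XenServer host itself for a stored credential (a mounted CIFS share, a scheduled task, or a service) that still uses the old password.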
Active Directory troubleshooting training
Hi all,
I would like to understand how Active Directory works under the hood. I've checked some labs/videos on MVA and those were quite good, but I would like to see the full picture, including the best tools to use during troubleshooting. I'm an MCTS in Active Directory 2008, so I know how to configure and administer AD, but I want to go further.
Could you please suggest some trainings/books/labs/videos or anything that can guide me through AD mechanism/troubleshooting?
Thank you & Kind regards,
Dvijne
Lost contact with PDC
I have a domain my.domain.com in forest domain.com that had a bad incident. The PDCe died, and so the role went to another DC, one that was behind a firewall from one of my remote DCs (remote.my.domain.com).
It took a while before it was discovered and the problem was escalated to me.
The PDCe role was later moved to another DC that is not firewalled, but the remote DC didn't get the message and is somewhat broken. For instance, Forest Enterprise Admin credentials won't work to log into it, and it has various errors in dcdiag.
What can I do to fix my remote domain controller so it syncs up with the new PDC?
just david
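An added example (not from the poster) that asks every DC in the domain which DC it believes holds the PDC emulator role, so a DC that missed the role transfer shows up by disagreeing with the rest, and then tests from the remote DC whether the current holder is reachable on the ports replication and authentication need. It assumes the names from the post, my.domain.com and remote.my.domain.com, and Windows Server 2012 or later on the remote DC for `Test-NetConnection`.

```powershell
# Added example (not from the original post). Assumed names from the post.
Import-Module ActiveDirectory
$domain   = 'my.domain.com'
$remoteDc = 'remote.my.domain.com'

# 1. Role consensus: each DC answers from its own replica, so a stale replica reports the old holder.
$dcs = Get-ADDomainController -Filter * -Server $domain
$views = foreach ($dc in $dcs) {
    $d = Get-ADDomain -Server $dc.HostName -ErrorAction SilentlyContinue
    [pscustomobject]@{ AskedDc = $dc.HostName; PdcEmulator = $d.PDCEmulator; Infrastructure = $d.InfrastructureMaster }
}
$views | Format-Table -AutoSize
"Distinct PDC emulator answers:"
$views | Group-Object PdcEmulator | Select-Object Name, Count

# 2. What the DC locator returns on the remote DC itself.
Invoke-Command -ComputerName $remoteDc -ScriptBlock { nltest /dsgetdc:$using:domain /pdc }

# 3. Reachability from the remote DC to the holder the other DCs agree on. Replication needs the
#    RPC endpoint mapper (135) plus the dynamic RPC range; logons need Kerberos (88) and LDAP (389);
#    SYSVOL needs SMB (445). A firewall that blocks these is the failure mode the post describes.
$pdc = ($views | Where-Object { $_.AskedDc -ne $remoteDc } | Group-Object PdcEmulator |
        Sort-Object Count -Descending | Select-Object -First 1).Name
Invoke-Command -ComputerName $remoteDc -ScriptBlock {
    foreach ($port in 88, 135, 389, 445) {
        $r = Test-NetConnection -ComputerName $using:pdc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $using:pdc; Port = $port; Open = $r.TcpTestSucceeded }
    }
}
```

If the remote DC still names the old holder in step 1 while the others agree on the new one, it has not received the role transfer through replication; fixing the path in step 3 (or the DNS records the remote DC uses to find its partners) and then forcing a sync (`repadmin /syncall <remoteDc> /A /e /d`) is the order of operations. Enterprise Admin logons fail on a DC that cannot reach a global catalog or has fallen outside the tombstone lifetime, so `repadmin /showrepl <remoteDc>` and its last-success timestamps decide whether a sync is still possible or the DC must be rebuilt.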
"Microsoft network server: Server SPN target name validation level" Making it work
My company's Min Sec Baseline requires this setting at '1': ". . . The SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server's list of SPNs."
When set to (1) 'Accept if provided by client' on a 2012 R2 file server, attempts to access the share using a DNS alias (of the server name) fail with the message "You do not have permissions to access <share name>". When set to (0) 'Off', the same access works.
Checking the SPNs of the file server, I see the alias exists as SPNs:
HOST/<alias>
HOST/<alias.domain.com>
What are we missing? Do I have it correct that the client is passing this alias SPN, and that this same SPN, if it shows in the list of SPNs of the server (setspn -L), is what the server checks against? And if yes, shouldn't this then be working?
Tony Auby
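An added example (not from the poster) for this thread and for the SPN/suffix-routing question earlier on the page. It reads the SMB SPN validation level and the strict-name-checking switch on a file server, lists the SPNs the server's account holds, tells whether the alias is covered, and then answers "which account in the forest owns this SPN" with a global-catalog query, flagging duplicates the way `setspn -X` does. Assumed names: file server FS01, alias files.domain.com, forest root domain.com.

```powershell
# Added example (not from the original post). Assumed names: FS01, files.domain.com, domain.com.
Import-Module ActiveDirectory
$server = 'FS01'
$alias  = 'files.domain.com'
$forest = 'domain.com'

# 1. "Microsoft network server: Server SPN target name validation level" is this DWORD:
#    0 = Off, 1 = Accept if provided by client, 2 = Required from client.
#    DisableStrictNameChecking = 1 is what lets the SMB server accept a name that is not its own.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Invoke-Command -ComputerName $server -ScriptBlock {
    Get-ItemProperty -Path $using:lanman | Select-Object SmbServerNameHardeningLevel, DisableStrictNameChecking
}

# 2. SPNs on the server's computer account (the same list setspn -L prints).
$spns = (Get-ADComputer -Identity $server -Properties servicePrincipalName).servicePrincipalName
$spns | Sort-Object
# The SMB client presents cifs/<name as typed by the user>; HOST/<name> on the account covers cifs/.
$aliasCovered = ($spns -contains "HOST/$alias") -or ($spns -contains "cifs/$alias")
"Alias $alias covered by an SPN on ${server}: $aliasCovered"

# 3. Which account in the forest owns an SPN (a GC query; SPNs are forest-unique, and the
#    Kerberos realm of the ticket is the forest that holds the account, not the DNS suffix).
function Get-SpnOwner {
    param([string]$Spn, [string]$ForestName)
    $gc = (Get-ADDomainController -Discover -DomainName $ForestName -Service GlobalCatalog).HostName | Select-Object -First 1
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Server "${gc}:3268" -Properties servicePrincipalName |
        Select-Object DistinguishedName, ObjectClass
}
Get-SpnOwner -Spn "HOST/$alias" -ForestName $forest

# 4. Duplicate SPNs in the forest. A duplicate makes the KDC encrypt tickets for the wrong
#    account, which the service then fails to decrypt.
$gc = (Get-ADDomainController -Discover -DomainName $forest -Service GlobalCatalog).HostName | Select-Object -First 1
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Server "${gc}:3268" -Properties servicePrincipalName |
    ForEach-Object { foreach ($s in $_.servicePrincipalName) { [pscustomobject]@{ Spn = $s; Owner = $_.DistinguishedName } } } |
    Group-Object Spn | Where-Object Count -gt 1 | Select-Object Name, Count
```

For an alias the list in step 2 must contain the exact string the client sends, including the short name and the FQDN, and the account must be the one the LanmanServer service runs as (the computer account). A ticket for HTTP/server.company.com is always issued by the KDC of the forest whose GC returns an owner in step 3; UPN suffix routing decides where a user's logon is sent, not where a service's SPN is looked up.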
Users on child domain cannot login when connection drop
Hi
We have a situation in our network. An IT guy who is no longer available configured a child domain for one of our offices; this office has an unstable connection over a PtP wireless link.
Now, when the connection between headquarters and this office drops, nobody can log in to the child domain at that office and everything goes into lock-down. I have no idea how to diagnose this problem, because all other sites that I configured are OK!
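An added example (not from the poster) that checks whether the branch office can authenticate on its own when the link is down: a logon to a child-domain account needs a DC of that domain plus a global catalog (for universal group membership) that the branch can reach, and the branch subnet must be mapped to the branch site so clients look there first. Assumed names: child domain branch.corp.example, site "Branch", subnet 10.20.0.0/16.

```powershell
# Added example (not from the original post). Assumed names below.
Import-Module ActiveDirectory
$child  = 'branch.corp.example'
$site   = 'Branch'
$subnet = '10.20.0.0/16'

# 1. DCs of the child domain, where they sit, and which of them are global catalogs.
Get-ADDomainController -Filter * -Server $child |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem

$local = @(Get-ADDomainController -Filter { Site -eq $site } -Server $child)
$gcs   = @($local | Where-Object IsGlobalCatalog)
"DCs of $child in site ${site}: $($local.Count); global catalogs among them: $($gcs.Count)"

# 2. Is the branch subnet mapped to the branch site? Clients on an unmapped subnet pick any site.
Get-ADReplicationSubnet -Filter { Name -eq $subnet } -Properties Site | Select-Object Name, Site

# 3. Universal group membership caching is the alternative when no GC is wanted in the branch:
#    the site's DCs answer logons from cached membership while the link is down.
Get-ADReplicationSite -Identity $site -Properties UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite |
    Select-Object Name, UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite

# 4. What the locator returns for a branch client (run on a machine in the branch):
#    nltest /dsgetdc:<child domain> /site:<site>
```

The outcome to look for: at least one writable DC of the child domain in the branch site that is either a global catalog or has universal group membership caching enabled, and the branch subnet listed under that site. If the branch only has a DC of the parent domain, or its DC is not a GC and the link to the nearest GC is the wireless hop, the lock-down in the post is the expected behaviour.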
AD Forest Trust
Hello Experts,
I am creating a forest trust between two different domains, abc.com and xyz.com. Now I need to know: is it possible to create an account in xyz.com that has only the rights to create a forest trust, as that account is used while creating the trust from the abc.com domain? Secondly, I need to know whether it is possible for the xyz.com domain administrator to share only one AD group that exists in xyz.com with the abc.com domain, meaning that the abc.com domain administrator can see users of only a specific group in the xyz.com domain.
Thank You.
TechSpec90
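An added example (not from the poster) for the two questions above. For the first, the built-in group "Incoming Forest Trust Builders" in the forest root domain lets an account create a one-way incoming forest trust without being a Domain Admin (a two-way trust still needs its outgoing half created by an administrator of that forest). For the second, a forest trust cannot hide users; what it offers is selective authentication, where users from the other forest can use only the resource computers on which they hold the "Allowed to Authenticate" right. Assumed names: account "trustsvc" and group "XYZ-AllowedUsers" in xyz.com, server "APP01" in abc.com.

```powershell
# Added example (not from the original post). Assumed names: trustsvc, XYZ-AllowedUsers, APP01.
Import-Module ActiveDirectory

# 1. Least privilege for the xyz.com account used when the trust is created from abc.com.
Add-ADGroupMember -Identity 'Incoming Forest Trust Builders' -Members 'trustsvc' -Server 'xyz.com'

# 2. Switch the trust to selective authentication (abc.com trusts xyz.com):
#    netdom trust abc.com /domain:xyz.com /SelectiveAuth:yes
# Then grant the Allowed-To-Authenticate extended right on each resource computer
# to the xyz.com group that should be able to use it.
$allowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # Allowed-To-Authenticate
$computerDn = (Get-ADComputer -Identity 'APP01' -Server 'abc.com').DistinguishedName
$foreignSid = (Get-ADGroup -Identity 'XYZ-AllowedUsers' -Server 'xyz.com').SID

$acl = Get-Acl -Path "AD:\$computerDn"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $foreignSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuth)))
Set-Acl -Path "AD:\$computerDn" -AclObject $acl

# 3. Verify trust attributes and the ACE.
Get-ADTrust -Filter { Name -eq 'xyz.com' } -Server 'abc.com' |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
(Get-Acl -Path "AD:\$computerDn").Access |
    Where-Object { $_.ObjectType -eq $allowedToAuth } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Selective authentication limits what xyz.com users can do in abc.com; it does not limit what abc.com administrators can read in xyz.com, which is governed by xyz.com's own object permissions (by default any authenticated user of a trusted forest can read the directory). Restricting visibility means changing read permissions in xyz.com, not the trust.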
Force Replication on all Domain Controllers in the same site
Greetings all
I want a command line which enables me to force all DCs in the same Active Directory site or forest to replicate all possible naming contexts with their replication partners. Any suggestions?
And also, how can you determine which DC is the primary replication partner of a DC and which DCs are secondary replication partners?
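An added example (not from the poster) that loops over every DC in a site, or in the whole forest, runs `repadmin /syncall` for all partitions each DC holds, and then lists each DC's inbound partners with their last result. It assumes the site name "HQ" and that repadmin is on the path (RSAT or a DC). Active Directory has no primary or secondary partner: the KCC gives each DC a set of inbound connections per partition, and all are used alike, so the listing shows the whole set.

```powershell
# Added example (not from the original post). Assumed site name: HQ.
Import-Module ActiveDirectory

function Invoke-ForcedReplication {
    param([string]$Site, [switch]$WholeForest)
    $dcs = if ($WholeForest) {
        (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    } else {
        Get-ADDomainController -Filter { Site -eq $Site }
    }
    foreach ($dc in $dcs) {
        # /A every partition the DC holds, /e include partners in other sites, /P push from this DC
        # to its partners (without /P the DC pulls from its inbound partners), /d show names not GUIDs.
        "== $($dc.HostName) =="
        repadmin /syncall $dc.HostName /A /e /P /d 2>&1 | Where-Object { $_ -match 'SyncAll|error|fail' }
    }
}
Invoke-ForcedReplication -Site 'HQ'
# Invoke-ForcedReplication -WholeForest

function Get-InboundPartners {
    param([string]$Dc)
    # Inbound partners per partition, with the outcome of the last attempt.
    Get-ADReplicationPartnerMetadata -Target $Dc -PartitionFilter * |
        Select-Object Server, Partner, Partition, LastReplicationAttempt, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}
Get-InboundPartners -Dc (Get-ADDomainController -Discover -SiteName 'HQ').HostName[0]
```

`repadmin /showconn <dc>` shows the same connections as objects and marks which were created by the KCC and which by hand; a hand-made connection is the closest thing to a "preferred" partner, and the KCC will not remove it.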
Group Policy Security
Hi
I have a domain controller and many clients joined to the domain (Windows XP, Vista, 7, 8 and 10). I need more security on the clients; for example, when users log in from any client joined to the domain, they shouldn't be able to see things like Control Panel or anything the administrator needs to hide. When I did that from Group Policy on the domain, nothing changed on the client. I just need to know the policy to start with.
Regards
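An added example (not from the poster) that creates a GPO hiding Control Panel for standard users, links it where the user objects live, and notes how to confirm it applied. It assumes a GPO named "Lockdown - Users" and the OU "OU=Staff,DC=example,DC=com". The setting is a user setting, so it applies only to user objects under the link; the common reason nothing changes is a link on the OU that holds the computers.

```powershell
# Added example (not from the original post). Assumed GPO and OU names below.
Import-Module GroupPolicy

$gpoName = 'Lockdown - Users'
$userOu  = 'OU=Staff,DC=example,DC=com'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# User Configuration > Policies > Administrative Templates > Control Panel >
# "Prohibit access to Control Panel and PC settings" is stored as this value.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Link to the OU that contains the USER objects (user settings ignore computer objects).
$linked = (Get-GPInheritance -Target $userOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $userOu -LinkEnabled Yes | Out-Null }

# Report the result from the domain side.
Get-GPO -Name $gpoName | Select-Object DisplayName, GpoStatus, ModificationTime
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# On a client, as the affected user:   gpupdate /force   then   gpresult /r /scope:user
# The GPO must be listed under "Applied Group Policy Objects"; if it is listed under
# "filtered out" or missing, the user is not under the link or security filtering excludes it.
```

Keep administrative accounts out of the OU the policy is linked to, or they inherit the lockdown too. The Control Panel entry is one of many under the same Administrative Templates path; the same `Set-GPRegistryValue` pattern applies to the others once the ADMX setting's registry value is known.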
SID is not getting migrate during user migration with ADMT tool
Hi Team
Please help me on below:
Scenario as below :
We have 2 different forest with two-way forest trust.
Also set up an ADMT server on a member server of the target domain. While migrating user accounts from the source domain, the SID is not getting migrated; getting the below error:
ERR2:7111 Failed to add sid history for USER001 to USER001. RC-1753
Please help on this
Thank you in advance!
Pradip Sisodiya
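An added example (not from the poster) that checks the documented prerequisites for SID history migration before ADMT is run again: the source PDC emulator must accept the SID history RPC over TCP (TcpipClientSupport = 1 under the Lsa key, followed by a reboot), the source domain needs an empty domain-local group named <SourceNetBIOS>$$$, account management auditing must be on in both domains, and the RPC endpoint mapper on the source PDC emulator must be reachable. Assumed names: source domain src.example (NetBIOS SRC), target domain tgt.example; the script runs on the ADMT server as an account that can read both PDC emulators.

```powershell
# Added example (not from the original post). Assumed domain names below.
Import-Module ActiveDirectory
$srcDns = 'src.example'; $srcNetbios = 'SRC'; $tgtDns = 'tgt.example'

$srcPdc = (Get-ADDomain -Server $srcDns).PDCEmulator
$tgtPdc = (Get-ADDomain -Server $tgtDns).PDCEmulator
$checks = @()

# 1. SID history is written through an RPC to the SOURCE domain's PDC emulator over TCP/IP;
#    SAM on that DC only accepts the call when TcpipClientSupport = 1 (reboot after setting it).
$tcpip = Invoke-Command -ComputerName $srcPdc -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).TcpipClientSupport
}
$checks += [pscustomobject]@{ Check = "TcpipClientSupport on $srcPdc"; Ok = ($tcpip -eq 1); Value = $tcpip }

# 2. A domain-local group named <SourceNetBIOS>$$$ with no members must exist in the source domain.
$groupName = $srcNetbios + '$$$'
$g = Get-ADGroup -Server $srcDns -LDAPFilter "(sAMAccountName=$groupName)" -Properties Members -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{
    Check = "Group $groupName exists, domain-local, empty"
    Ok    = [bool]($g -and $g.GroupScope -eq 'DomainLocal' -and $g.Members.Count -eq 0)
    Value = $g.DistinguishedName
}

# 3. Account management auditing (success and failure) on both PDC emulators.
foreach ($dc in $srcPdc, $tgtPdc) {
    $audit = Invoke-Command -ComputerName $dc -ScriptBlock {
        auditpol /get /subcategory:"User Account Management" /r
    } | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $setting = $audit.'Inclusion Setting'
    $checks += [pscustomobject]@{ Check = "User Account Management auditing on $dc"; Ok = ($setting -eq 'Success and Failure'); Value = $setting }
}

# 4. Endpoint mapper reachability from the ADMT server to the source PDC emulator. The call then
#    moves to a port in the dynamic RPC range (49152-65535 by default), which a firewall must also pass.
$ep = Test-NetConnection -ComputerName $srcPdc -Port 135 -WarningAction SilentlyContinue
$checks += [pscustomobject]@{ Check = "TCP 135 to $srcPdc"; Ok = $ep.TcpTestSucceeded; Value = $srcPdc }

$checks | Format-Table -AutoSize
```

Error 1753 is the endpoint mapper's "there are no more endpoints available" result, which is what the client sees when the target never registered the interface it asked for or the dynamic port is blocked, so checks 1 and 4 are the ones most directly related to the message in the post.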
Password Sync issue
HI all,
Recently, a couple of users found, after changing their password, that the password was not syncing with all the applications.
So we logged into the DC and checked, and it was working fine; the next level found the problem: two services related to password sync were stopped. They restarted them and the issue got fixed.
I want to know how to find these two services, which are responsible for syncing the password.
Aamir
NA