Channel: Directory Services forum

Trouble Promoting 2012 Domain Controller to 2008 Domain Controllers


Good day,

I am experiencing trouble when I am attempting to promote my newly built 2012 DC to my 2008 Domain. I get the following error:

------------------

Adprep failed while performing Exchange Schema Check.

[Status\Consequence]

The active Directory Domain Services schema is not upgraded.

[User Action]

Check the log file ADPrep.log in the C:\... directory for possible cause of failure.

[2016/01/04:12:27:03.479]

Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied.

------------------
My user account is a part of the Schema administrators.  I have searched online but none of the solutions I found have worked.  Any ideas?


Active directory Site and services


Dear MS Domain professional ,

I got many unknown names in Active Directory Sites and Services. Why has this problem happened? Can I delete them?

Please could you see my images below. Regards,

Subash 

Generating Event ID 91, 44 with CA (In Event Viewer with source as Certsvc)


Hi

We are in the process of migrating Win 2003 AD to Win 2008 R2. When we checked the logs we found many error and warning alerts for the CA, as below:

- Could not connect to the Active Directory. Certificate Services will retry when processing requires Active Directory access. (Event ID 91)

- Certificate Services SAGIA CA can not open the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container. (Event ID 94, Warning)

- The "Windows default" Policy Module "Initialize" method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355). The Active Directory containing the Certification Authority could not be contacted. (Event ID 44)

These warnings and error alerts have been generated for more than 2 years, but we never noticed them (the CA is installed on a DC). Mainly we use the CA for EFS and for some of the internal web sites. These errors appear immediately after restarting the server; currently the CA is working fine and issuing certificates without any issues. Please help us correct all these warnings before heading into the migration process.

Regards
LMS


Domain Users group mischievous behaviour


Hi

In a domain environment, when does the modification date for a group get modified? Is it only on addition/removal of members?

I have a case where the Domain Users group, which gets every new user account as a default member, is not getting its modification date modified.

No TechNet article shows this bit/attribute information on when the date will be modified.


Regards Sushain Kapoor

How to find out on which computers a domain user is currently logging on?


I have a domain user whose domain account is constantly locked out every 30 minutes, or when he logs off one PC and goes to another PC. I suspect he is currently logged on to a workstation somewhere and had his password changed at another computer. This makes the old and new passwords conflict!

I tried to use psloggedon.exe but I got the error messages shown below:

psloggedon \domainname\username = Error opening hkey_users for \domainname\username, unable to query resource logons

psloggedon \\computername - I tested this on one PC where I was logged on and I had the same error message as when I queried by the user's name

psloggedon username - it gave me the error message "error browsing network: The network location cannot be reached"

What did I do wrong? Is there a better way to query which computers a user is currently logged on to?

I have no PowerShell experience and I cannot access the domain controller. Is there something I can do to achieve my task? Thanks.


Thang Mo
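Added example, not part of the original post: when an account keeps locking out, the PDC emulator records every lockout in the domain as Security event 4740, and the event's "Caller Computer Name" field names the machine that submitted the bad password, which is usually the one still holding the old credentials. The script below pulls those events for one account. It assumes the RSAT ActiveDirectory module and read access to the Security log on the PDC emulator (Event Log Readers membership or equivalent), neither of which the post says the author has, so it would need to be run by someone with those rights.

```powershell
# Added example, not from the original post. Finds which computer is causing
# an account to lock out by reading Security event 4740 on the PDC emulator.
# Assumptions: RSAT ActiveDirectory module installed; the caller can read the
# Security log on the PDC emulator (Event Log Readers or equivalent).
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [int]$Hours = 24
)
Import-Module ActiveDirectory

# Every lockout in the domain is forwarded to the PDC emulator, so one
# query against it covers all domain controllers.
$pdc = (Get-ADDomain).PDCEmulator

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read the structured EventData instead of parsing the message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -ne $SamAccountName) { continue }

    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        # In event 4740 the TargetDomainName field carries the
        # "Caller Computer Name": the machine that sent the bad password.
        CallerComputer = $data['TargetDomainName']
        ReportedBy     = $e.MachineName
    }
}
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName <user>`; a caller computer that repeats at the same interval as the lockouts is the place to look for the stale session, mapped drive or scheduled task that still uses the old password.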

vb.net how to retrieve nested distribution Groups for a member


Using directory services, I have code that will get me all the nested security groups for a member. However, I cannot seem to get the distribution groups for that member. Is there any sample vb.net code that will show me what I need to do? 

DCDIAG /test:DNS The host could not be resolved to an IP address


Hi ,

We have an issue with our Domain Controller, which is used as the Domain Naming Master.

DCDIAG /Test:DNS is giving an error:

Doing initial required tests

   Testing server: ILO\IDEAROOT
      Starting test: Connectivity
         The host 6dd8de55-2055-4c55-aa55-18ce24d4dc55._msdcs.IDEA.ad
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... IDEAROOT failed test Connectivity

Doing primary tests

   Testing server: ILO\IDEAROOT

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... IDEAROOT passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : IDEA

   Running enterprise tests on : idea.ad
      Starting test: DNS
         Test results for domain controllers:

            DC: IDEARoot.IDEA.ad
            Domain: IDEA.ad

TEST: Records registration (RReg)
                  Network Adapter [00000015] vmxnet3 Ethernet Adapter:
                     Warning:
                     Missing A record at DNS server 10.170.162.100:
                    IDEARoot.idea.ad

                     Error:
                     Missing SRV record at DNS server 10.170.162.100:
                     _ldap._tcp.idea.ad

                     Error:
                     Missing SRV record at DNS server 10.170.162.100:
                     _kerberos._tcp.idea.ad

                     Error:
                     Missing SRV record at DNS server 10.170.162.100:
                     _kerberos._udp.idea.ad

                     Error:
                     Missing SRV record at DNS server 10.170.162.100:
                     _kpasswd._tcp.idea.ad

                     Error:
                     Missing SRV record at DNS server 10.170.162.100:
                     _ldap._tcp.ilo._sites.idea.ad

                     Error:
                     Missing SRV record at DNS server 10.170.162.100:
                     _kerberos._tcp.ilo._sites.idea.ad

                     Error:
                     Missing SRV record at DNS server 10.170.162.100:
                     _gc._tcp.ilo._sites.idea.ad

               Error: Record registrations cannot be found for all the network
               adapters

         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 10.170.162.100 (IDEAROOT)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.idea.ad. failed on the DNS server 10.170.162.100

I checked DNS and the entry 6dd8de55-2055-4c55-aa55-18ce24d4dc55._msdcs.IDEA.ad exists.

Do you have any idea how I can resolve this issue?
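Added example, not part of the original post: a quick way to confirm exactly which of the records dcdiag complained about are really absent on the DNS server it was talking to, independent of the local resolver cache. The names, the site and the server address are taken from the dcdiag output above; the script itself is new, and Resolve-DnsName requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post. Re-checks the records that
# dcdiag /test:DNS reported missing, directly against the DNS server named in
# the post (10.170.162.100), and reports which ones still fail.
$DnsServer = '10.170.162.100'
$Domain    = 'idea.ad'
$Site      = 'ilo'
$DcGuid    = '6dd8de55-2055-4c55-aa55-18ce24d4dc55'

$checks = @(
    @{ Name = "IDEARoot.$Domain";                    Type = 'A'     },
    @{ Name = "$DcGuid._msdcs.$Domain";              Type = 'CNAME' },
    @{ Name = "_ldap._tcp.$Domain";                  Type = 'SRV'   },
    @{ Name = "_kerberos._tcp.$Domain";              Type = 'SRV'   },
    @{ Name = "_kerberos._udp.$Domain";              Type = 'SRV'   },
    @{ Name = "_kpasswd._tcp.$Domain";               Type = 'SRV'   },
    @{ Name = "_ldap._tcp.$Site._sites.$Domain";     Type = 'SRV'   },
    @{ Name = "_kerberos._tcp.$Site._sites.$Domain"; Type = 'SRV'   },
    @{ Name = "_gc._tcp.$Site._sites.$Domain";       Type = 'SRV'   }
)

foreach ($c in $checks) {
    try {
        # -DnsOnly bypasses the local cache, hosts file and LLMNR/NetBIOS,
        # so the answer reflects only what this DNS server actually holds.
        $answer = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $DnsServer -DnsOnly -ErrorAction Stop
        $targets = switch ($c.Type) {
            'SRV'   { ($answer | Where-Object Type -eq 'SRV').NameTarget -join ', ' }
            'CNAME' { ($answer | Where-Object Type -eq 'CNAME').NameHost  -join ', ' }
            default { ($answer | Where-Object Type -eq 'A').IPAddress     -join ', ' }
        }
        [pscustomobject]@{ Record = $c.Name; Type = $c.Type; Status = 'OK';      Answer = $targets }
    } catch {
        [pscustomobject]@{ Record = $c.Name; Type = $c.Type; Status = 'MISSING'; Answer = $_.Exception.Message }
    }
}
```

If the SRV records are genuinely missing on that server, `nltest /dsregdns` run on the domain controller asks Netlogon to re-register them and `ipconfig /registerdns` re-registers the host A record; re-run `dcdiag /test:DNS` afterwards to confirm.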

Odd behavior when trying to transfer FSMO roles (2003-2008)


This relates to 2003 to 2008 migration:

4 DCs: 2 are 2003 R2, 2 are 2008 R2. Let's call the current 2003 FSMO holder DC1 (has all roles). Let's call the future 2008 FSMO holder DC4. 2003 native mode AD.

everything seems kosher, replication is fine, dcdiags check out etc..

Now the question: which server do you transfer the roles from? I get weird behaviour I have not seen before.

For RID/PDC/Infrastructure I can go to DC4 -> Operations Masters, and for "current" it shows DC1 and in the "target" field it shows DC4.

But if on DC4 I try this for the Schema/Domain Naming role, BOTH fields show DC1...

If in the MMC on DC4 I try to "connect to a domain controller" (let's say for the Schema role) and I pick DC4 it lets me, with a warning that it's not the current FSMO holder and I won't be able to make changes, which seems logical, but I also don't believe it changes the transfer dialog for Schema, which still says DC1/DC1.

Here's the even more odd part... if I try the Schema/Domain Naming transfer on DC1, that one actually shows DC1 as current holder and DC4 as transfer target... but remember I'm on DC1 now, so how did it by some miracle evil-wizard logic pick the one I wanted?

I have not transferred any of the roles yet, simply looked at the GUI and stopped there for now..

Is this normal? Does it matter who does the transfer as long as the GUI dialog shows proper servers? Anyone seen this before?

Thank you

PS: Does anyone know if MS will support this case? I tried calling but it was very after hours on Saturday so we'll try again. I know 2003 is out of support, but this seems like a 2008 issue so I'm hopeful they are able to assist us.



Possible to change this script to only add specific memberships?


Hello,

I would like to use this script to copy specific group memberships: https://gallery.technet.microsoft.com/Compare-group-membership-36dfa920

I would like to copy only memberships whose names start with "FS_...". Is it possible to use a filter or something else in this script?
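Added example, not part of the original post and not the linked gallery script: a stand-alone version of the "copy memberships" idea that takes a name prefix and only adds the groups the target user does not already have, so it can be re-run without side effects. It assumes the RSAT ActiveDirectory module; the prefix default of FS_ is the one from the post.

```powershell
# Added example, not from the original post or the linked gallery script.
# Copies only the group memberships whose name starts with a prefix (FS_ by
# default) from one user to another. Assumes the RSAT ActiveDirectory module.
param(
    [Parameter(Mandatory = $true)][string]$SourceUser,
    [Parameter(Mandatory = $true)][string]$TargetUser,
    [string]$Prefix = 'FS_',
    [switch]$WhatIf
)
Import-Module ActiveDirectory

# Direct memberships only; groups nested inside these come along with them.
$wanted  = Get-ADPrincipalGroupMembership -Identity $SourceUser |
           Where-Object { $_.Name -like "$Prefix*" }
$already = Get-ADPrincipalGroupMembership -Identity $TargetUser

# Add only what the target lacks, so the script is safe to run repeatedly.
$missing = $wanted | Where-Object { $already.DistinguishedName -notcontains $_.DistinguishedName }

if (-not $missing) {
    Write-Host "Nothing to do: $TargetUser already holds every $Prefix* group of $SourceUser"
    return
}

foreach ($group in $missing) {
    Write-Host "Adding $TargetUser to $($group.Name)"
    Add-ADGroupMember -Identity $group -Members $TargetUser -WhatIf:$WhatIf
}
```

Run it first with `-WhatIf` to see the list of groups that would be added; the filter is on the group name only, so a stricter `-Filter` on Get-ADGroup (for example by OU) is the place to tighten it if FS_ names exist outside the file-share groups.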

Tracking users Audit events in Domain Controller


I would like to track Security Events across the domain.  Among the issues I want to track:

1) Domain User logins to a Domain Workstation (Remotely or locally)

2) Local User logins to a Domain Workstation

3) Specific file changes happening on a Domain Workstation

Can I simply capture the Security events on the Domain Controller, or do I need to forward the Security events from the machines as well?

Thanks,
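Added example, not part of the original post: the interactive and local-account logons in items 1 and 2 are recorded as event 4624 on the workstation itself, while the domain controller only sees the authentication side (Kerberos 4768/4769, NTLM 4776), so a collector has to read or forward the workstation logs. The script below reads 4624 from a list of workstations, labels each logon as a domain or local account and decodes the logon type. It assumes remote Event Log access (Event Log Readers or local admin) on each workstation.

```powershell
# Added example, not from the original post. Summarises logon events (4624)
# pulled from a list of workstations, labelling each as a domain or local
# account logon and decoding the logon type. Assumes remote Event Log access
# (Event Log Readers or local admin) to each workstation.
param(
    [Parameter(Mandatory = $true)][string[]]$ComputerName,
    [int]$Hours = 24
)

# Logon type codes used by event 4624.
$logonTypes = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}
$builtIn = @('SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE')

foreach ($computer in $ComputerName) {
    $hostName = ($computer -split '\.')[0]   # NetBIOS name, for the local-account check

    $events = Get-WinEvent -ComputerName $computer -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }

        $user = $d['TargetUserName']
        # Drop computer accounts and built-in identities so people stand out.
        if ($user -like '*$' -or $builtIn -contains $user) { continue }

        $type     = [int]$d['LogonType']
        $typeName = if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { "Type $type" }
        # A local account's TargetDomainName is the workstation's own name.
        $kind     = if ($d['TargetDomainName'] -eq $hostName) { 'Local' } else { 'Domain' }

        [pscustomobject]@{
            Computer  = $computer
            Time      = $e.TimeCreated
            Account   = "$($d['TargetDomainName'])\$user"
            Kind      = $kind
            LogonType = $typeName
            Source    = $d['IpAddress']
        }
    }
}
```

Item 3, file changes, is the same story: object-access auditing (event 4663) needs a SACL on the files and is written to the workstation's own Security log, so Windows Event Forwarding to a collector, or a pull like the one above, is required in all three cases.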

Security Event 4726 (user account deleted) logged when a user account created by copy option.


Hello,

I see a weird issue on my Win 2008 R2 AD DS. One of my colleagues created a new user account using the copy option (so that group membership and other common attributes do not need to be added), but it logged three user creation Security Events 4720 and two user deletion Security Events 4720 in a short span of time. I could see a similar issue for a couple of other accounts when I checked deleted objects using the LDP tool.

I tried to reproduce the issue by creating a new account in the same way, but this time the case was normal. There was only an event for account creation.

Should I be concerned about this? What would be the reason for this?

Please have a look at the events, please note the SIDs are in series and the SID for the account is now -1881



AD Error 1126 and Warning 1925


Hello,

Recently I have discovered these two errors in the Active Directory Domain Services section of the Server Manager.

Our setup is a relatively basic setup, with 2 domain controllers for one domain, DC1 and DC2, running on Server 2008 R2. Both of these domain controllers are configured to be global catalog servers. 

Error 1126 states "Active Directory was unable to establish a connection with the global catalog". After discovering this, I verified that both of the domain controllers are set up to be global catalog servers, and that both of the DCs are able to ping each other and themselves by both domain name and IP address.

I started noticing issues when attempting to update the default domain policy present on the domain to update a password policy. The change was not taking effect, and when trying to run a gpupdate /force, the user policy would update successfully, but the computer policy would not update successfully, stating that Windows could not resolve the computer name. 

Everything else with the domain controller seems to be working fine; users are able to authenticate to the domain and log in using their domain credentials. I just cannot update the domain policy.

I am thinking there must be something wrong with DNS based off of the errors/warning and the message that occurs when the gpupdate /force fails, but have not been able to figure out what the problem is.

Issue with msDS-Behavior-Version


We have some RODCs which we upgraded from 2008 R2 to 2012 R2, but the msDS-Behavior-Version value in NTDS Settings did not change automatically to 6. It is still 4. Can we update the attribute manually using ADSI Edit? Will there be any impact?

Thanks,

Vijayaragavan S

Computers unable to access virtual resources


We are having a weird issue this morning. Some computers are unable to reach any resource in the virtual environment (only 1 cluster), but can access physical servers. One DC is virtual and the other is physical. We rejoined the domain, gave a static IP, deleted the computer account etc. Nothing works.

AD is replicating fine, there is no DNS issue and no network alerts.

Anyone who logs on to that particular machine has the same issue. The same users can log in on other computers and they are fine.

help needed urgent

thanks


numan

AD Migration from abc to xyz


HI all

Our company abc is getting merged with xyz and hence all of AD needs to be migrated from abc.com to xyz.com.

Please let us know how to proceed on this?


dns cache error


The connection cannot be completed because the remote computer that was reached is not the one you specified. This could be caused by an outdated entry in the DNS cache. Try using the IP address of the computer instead of the name.

We have done an ipconfig flush and register on the client machines.


kits

LDAP Chaining Support in AD LDS

Directory experts, can anyone tell me if AD LDS supports LDAP chaining? Note that I am talking specifically about chaining and not referrals.

For example, Contoso has an AD LDS server (hosting the 'O=Contoso,C=US' naming context) and Fabrikam has an AD LDS server (hosting the 'O=Fabrikam,C=US' naming context). Contoso users use the Outlook LDAP address book to search their local AD LDS server for Fabrikam recipients. Is it possible to configure the Contoso AD LDS server to relay LDAP search requests to the Fabrikam AD LDS server? In this scenario Contoso are not permitted to store information about Fabrikam users on the Contoso AD LDS server.

Many thanks in advance.

Tom Houston, UK Identity Management Practice

Windows Domain Rename or Migration


Hi Gang,

So we had a name change about 6/7 months ago, say from exampleA.com to exampleB.com, but with no time to plan a migration we settled on creating an alternative UPN along with appropriate DNS records. It appears to end users and clients that we're officially on the new domain. The time is now to move from the original domain (exampleA to exampleB), and it is our preference to start completely from scratch, as it has been around for several years and even with a tidy, it is still all over the place.

So we clearly wish to start from scratch, but the question is, how does this affect the migration process for accounts, computers, passwords and so forth, given that we have utilized UPN and DNS records with the new domain exampleB? Maybe we shouldn't bother migrating accounts? Just go with creating all new objects, OUs, servers and what not (we're approximately 120 users).

Current topology: 5 domain controllers, of which four are 2008 R2 DCs and the other is 2003 R2 Enterprise: two 2008 R2 DCs located in Texas and Canberra; the final three (two 2008 and one 2003) located in London. Domain functional level is Windows Server 2003. Forest functional level is Windows 2000.

So, what I am asking is, could you all give some opinions, advice and content to read? Tips on what went well or what didn't, or what you had done before commencing this project, and so on. Would love input on this from you fellow IT dudes and girls!

To recap, we’re still on an original domain (exampleA) but have created UPNs and appropriate DNS records to make it appear to clients and end users that we are on the new domain (exampleB). If we were to migrate how would this affect it all?

Will be spinning up some VMs to do some test runs.

Thanks for reading and offering advice in advance!

Thanks,

Daniel

Policy to set attribute values when an object is moved into an OU


Hi,

In this case I need a Contact object's attribute 'msExchHideFromAddressLists' updated when it is moved to or created in an OU. I need that AD object to inherit from a policy that applies to that OU. I realize that I can do this with PowerShell, but that would be a manual update. It would be very helpful if Group Policy could be extended to include the ability to control/set object attributes as well. I'm not aware of any tool or software that can do this. Looking for feedback please.

~Chad
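Added example, not part of the original post: Group Policy applies settings to user and computer sessions, not to the attributes of directory objects such as contacts, so the practical substitute for an "OU policy" is a short script run on a schedule that enforces the attribute on everything under the OU. The version below only touches contacts whose value is not already TRUE, so each run writes (and audits) only real changes. It assumes the RSAT ActiveDirectory module and an Exchange-extended schema; the OU path is a placeholder, not a value from the post.

```powershell
# Added example, not from the original post. Enforces a fixed attribute value
# on every contact object under an OU; meant to run on a schedule, since Group
# Policy does not set attributes on directory objects.
# Assumes the RSAT ActiveDirectory module and an Exchange-extended schema
# (msExchHideFromAddressLists). The OU path is a placeholder.
param(
    [string]$SearchBase = 'OU=Hidden Contacts,DC=example,DC=com',  # placeholder, not from the post
    [switch]$WhatIf
)
Import-Module ActiveDirectory

# Select only contacts whose attribute is not already TRUE, so repeated runs
# are cheap and only genuine changes reach the directory (and its audit log).
$contacts = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
    -LDAPFilter '(&(objectClass=contact)(!(msExchHideFromAddressLists=TRUE)))' `
    -Properties msExchHideFromAddressLists

foreach ($c in $contacts) {
    Write-Host "Hiding $($c.DistinguishedName) from address lists"
    Set-ADObject -Identity $c -Replace @{ msExchHideFromAddressLists = $true } -WhatIf:$WhatIf
}

Write-Host ("{0} contact(s) updated under {1}" -f @($contacts).Count, $SearchBase)
```

Register it as a scheduled task under an account whose only write right is on that attribute in that OU, and run it once with `-WhatIf` to confirm the filter selects exactly the contacts you expect; a contact moved out of the OU is not touched again, which matches the "policy follows the OU" behaviour the post asks for.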

ADFS SSO for mobile


Hi,

Our team would like to support SSO on mobiles, and configuring a redirect URL for mobile is different.

ADFS server: Windows Server 2012 R2

I want to register a new callback URL such as my-aps://auth.com... instead of https://...

However, I'm not able to register a redirect/callback URL that is not in https format.

Is it possible to provide a different redirect url for mobile?

if yes, how?

Thanks,
