Channel: Directory Services forum
Viewing all 31638 articles

Issues demoting 2012 R2 DC - transferring roles

I have a Server 2012 R2 machine that I want to demote, transferring all roles to another DC in the domain, but I am having some difficulties transferring the roles.

In Server Manager the AD DS section has a warning: 'Configuration required for Active Directory Domain Services at <VM name>'.
Clicking More... gives a Post-deployment Configuration action of 'Promote this server to a domain controller'.

When trying to remove ADDS Role:
The Active Directory domain controller needs to be demoted before the AD DS role can be removed.

Used AD DS Services Configuration wizard to demote. Fails with:
Active Directory Domain Services could not transfer the remaining data in directory partition CN=Schema,CN=Configuration,DC=main,DC=eas2012,DC=local to Active Directory Domain Controller <FQDN here>.

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

I found event ID 2022 in the Directory Service event log which says: The operations master roles held by this directory server could not transfer to the following remote directory server ... This is preventing removal of the directory server.

I tried following the instructions from http://www.itnotes.eu/?p=246 to manually transfer the operations master roles but got:
Move-ADDirectoryServerOperationMasterRole : The directory service is unavailable

AD LDS not on DC


Hi everyone,

I've installed the AD LDS role on a Windows 2008 server (not a DC). I created an instance, but I believe something is wrong.

When I tried to configure my address book in Thunderbird, I couldn't find any user in my LDAP.

Can someone help me?

Thanks

Which takes precedence - fine grained policy vs. password never expires

We have a fine-grained policy attached to user objects that sets a maximum password expiration date. What happens when "password never expires" is also checked for the user? Which takes precedence?
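The question above can be settled on a live directory by asking the DC itself: the constructed attribute msDS-UserPasswordExpiryTimeComputed already applies the precedence rules (resultant PSO or domain default policy, plus the account's "password never expires" flag) and returns 0x7FFFFFFFFFFFFFFF when the password will never expire, regardless of the PSO's maximum age. The PowerShell below is an added example written for this page, not code from the forum post; it assumes the RSAT ActiveDirectory module and uses the placeholder account name 'jdoe'.

```powershell
# Added example (not from the forum post): report which password policy applies to one user
# and what the DC computes as the effective expiry, next to the "password never expires" flag.
# Assumes the ActiveDirectory module (RSAT); 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Get-EffectivePasswordExpiry {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, PasswordLastSet,
        'msDS-UserPasswordExpiryTimeComputed', 'msDS-ResultantPSO'

    # Resultant policy: the applicable PSO with the lowest precedence value wins;
    # if no PSO applies, the domain default password policy does.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
    $maxAge = if ($pso) { $pso.MaxPasswordAge } else { (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge }

    # msDS-UserPasswordExpiryTimeComputed is calculated by the DC from the same inputs.
    # 0x7FFFFFFFFFFFFFFF (Int64.MaxValue) means "never"; 0 means the password must be changed at next logon.
    $raw = [Int64]$user.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -eq [Int64]::MaxValue -or $raw -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($raw) }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PasswordNeverExpires = $user.PasswordNeverExpires   # DONT_EXPIRE_PASSWD bit (0x10000) of userAccountControl
        ResultantPSO         = if ($pso) { $pso.Name } else { '(domain default)' }
        MaxPasswordAge       = $maxAge
        PasswordLastSet      = $user.PasswordLastSet
        ComputedExpiry       = $expires                     # $null when the DC says the password never expires
    }
}

Get-EffectivePasswordExpiry -SamAccountName 'jdoe'
```

Run it once for a user with the flag set and once with it cleared: with the flag set, ComputedExpiry is empty even though MaxPasswordAge still shows the PSO's value, which is the DC's own statement of which setting wins.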

Local user in Active Directory


Good day ,

I have a GPO applied in our domain; the users can't install, but in the past they could use the USB port. Two days ago I saw that a new local user had been created with Administrator rights. What I did first was disable the USB port, but yesterday I saw that they had created the local user again.
One remark: they have one folder shared on the network for using some application; maybe they put a .bat file there to generate a local user with Administrator rights.
Please can you help me to know how this user is created?

Many Thanks

Regards

Hotfix 2830145 is taking too long to install - More than 72 hours?


I'm trying to install the 2830145 hotfix, but after more than 6 hours I cancelled the installation.

In TechNet forums, people said that it took 48 HOURS to install, and MS support said that it could take more than 72 HOURS!!!

Is there a workaround for this problem?

Win2008R2, authenticating on Win2012R2

In Win2008R2:

>PsGetsid.exe S-1-18-1
Error querying SID:
No mapping between account names and security IDs was done.

>PsGetsid.exe S-1-18-2
Error querying SID:
No mapping between account names and security IDs was done.


In Win2012R2 it works fine!

>psGetsid.exe S-1-18-1
Account for BRDC1-SRV0109\S-1-18-1:
Well Known Group: \Authentication authority asserted identity

>psGetsid.exe S-1-18-2
Account for BRDC1-SRV0109\S-1-18-2:
Well Known Group: \Service asserted identity

Source:

http://stackoverflow.com/questions/17027781/userprincipals-getauthorizationgroups-an-error-1301-occurred-while-enumerating

Issue updating schema


I am having an issue extending the forest portion of the schema from Windows 2012 to Windows 2012 R2. The schema seems to be extended but we get a strange error at the end of the process. We cannot extend the domain schema due to this issue.

On the schema master I load the Server 2012 R2 DVD, navigate to the support\adprep folder in DOS and type

Adprep /forestprep.

The command prompt finishes with the following error messages:

Adprep encountered an LDAP error.
Error code: 0x13. Server extended error code: 0x20b1, Server error message: 000020B1: AtrErr: DSID-030F112A, #1:
        0: 000020B1: DSID-030F112A, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9086f (msDS-ClaimIsValueSpaceRestricted)

DSID Info:
DSID: 0x181112dd
ldap error = 0x13
NT BUILD: 9600
NT BUILD: 16384

I've seen nothing like this on the Internet that has been able to assist me. The account I'm using is a member of Schema Admins, User Account Control is allowing commands to run as administrator, and we are running this on the SCHEMA MASTER FSMO role holder. I appreciate your comments.

Getting an Error When Running Server 2012 R2 adprep /forestprep on a 2012 DC


I am getting an error when running adprep /forestprep on a Server 2012 domain controller. The main parts of my domain are as follows:

2 - Domain Controllers running Server 2012

1 - Exchange Server 2013 running on Server 2012

I am trying to either do an in-place upgrade to my domain controllers to Server 2012 R2 or even introduce a Server 2012 R2 domain controller into the domain. The error I am getting is as follows:

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.
[2014/04/05:09:12:38.873]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=38618886-98ee-4e42-8cf1-d9a2cd9edf8b,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=DOMAIN,DC=local.
[2014/04/05:09:12:38.873]
LDAP API ldap_search_s() finished, return code is 0x20
[2014/04/05:09:12:38.873]
Adprep verified the state of operation cn=38618886-98ee-4e42-8cf1-d9a2cd9edf8b,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=DOMAIN,DC=local.

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.
[2014/04/05:09:12:38.873]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=DOMAIN,DC=local.
[2014/04/05:09:12:38.873]
LDAP API ldap_modify_s() finished, return code is 0x13
[2014/04/05:09:12:38.905]
Adprep was unable to modify some attributes on object CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=DOMAIN,DC=local.

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20140405091235 directory for more information.
[2014/04/05:09:12:38.936]
Adprep encountered an LDAP error.

Error code: 0x13. Server extended error code: 0x20b1, Server error message: 000020B1: AtrErr: DSID-030F112A, #1:
 0: 000020B1: DSID-030F112A, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9086f (msDS-ClaimIsValueSpaceRestricted)

DSID Info:
DSID: 0x181112dd
ldap error = 0x13
NT BUILD: 9600
NT BUILD: 16384

[2014/04/05:09:12:38.967]
Adprep was unable to update forest information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

[User Action]

Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20140405091235 directory for more information.

Any Help would be appreciated. Thanks!

WID fails to set up (error 29511) - ADFS on Read-Only Domain Controller (RODC) and Proxy


Hi

I am looking at setting up ADFS 2.0 on an RODC and an ADFS Proxy on a server off the domain in the DMZ,

only allowing HTTPS traffic from the Proxy to the RODC on the LAN.

I have installed ADFS 2.0 on the RODC; when going to configure ADFS I get the following error on installing the Windows Internal Database:

An error occurred during an attempt to perform the configuration task: WID Installation failed.

So I checked Event Viewer and I see this entry:

Product: Windows Internal Database -- Error 29511. Failure creating local group SQLServer2005MSFTEUser$XXX-RODC-01$MICROSOFT##SSEE.

It seems as though an account needs to be created, but as this is an RODC it fails.

How can I get round this? I think I need to create the account on another DC and let it replicate, but I created a security group with that name on another DC, it replicated, I tried again but still got the same error.

Any help would be appreciated


Repadmin check shows replication error 58 even after metadata


Hi all,

We have isolated one DC each from the parent and child domains for testing purposes

ABC-P = parent DC

xyz-C = child DC

I did metadata cleanup on both the DCs and after that I ran repadmin /replsum

and in ABC-P I am getting the correct results, but in xyz-C I get the error

Experienced the following operational errors trying to retrieve replication information - 58 (parent DC's name)

I need to know how to proceed further.

Hint - from the parent DC I am able to ping both the IP address and the hostname of the child DC, but

from the child DC only the IP address of the parent can be pinged, and pinging by hostname gives the error - Could not find the host

And one more piece of information - when doing metadata cleanup from the child DC using ntdsutil, and selecting the parent domain and parent site and listing servers in the site, it shows all the parent DCs which I removed by metadata cleanup from the parent

Please advise

Aamir



Trying to setup a farm in a child AD domain but fails with "Insufficient privilege" error


Hi

We are trying to install and configure ADFS farms in different AD sites (each of which is a child domain of a main site). I've done installation and configuration of ADFS time and time again, but this is my first time facing this problem.

I've installed ADFS on 2012 R2 successfully, then started the configuration and got this error:

You do not have sufficient privileges to create a container in Active Directory at location CN=xxxxxxxxxxxxxxxxxxx,CN=ADFS,CN=Microsoft,CN=Program Data,DC=Sub1,DC=Domain,DC=com for use with sharing certificates. Verify that you are logged on as a Domain Admin or have sufficient privileges to create this container, and try again.

I've checked on the internet and some people suggested recreating the Program Data container, which I did, but I'm still getting the same error.

I'm 100% sure my user has the highest admin privileges!!

P.S.: I have created a service account manually since the AD doesn't have the gMSA yet!

Any thoughts would be greatly appreciated!


Ali

LDIFDE SCHEMA ACL


Hi everyone,

First, sorry for my bad English, I am French

I successfully used ldifde to add some classes and attributes to my schema on an AD (2012 R2 forest level)
But I wanted to add my classes and attributes with the right ACLs, so ...

What is the syntax to add ACLs with ldifde at the same time you add the classes or attributes??

Thanks !!

Bitlocker - AD Schema Extension 2012


I have attempted to apply the schema extensions referenced in (https://technet.microsoft.com/en-us/library/jj635854.aspx) to support TPM backup of 2012R2/8.1 clients to Active Directory in our 2-domain AD forest made up of 2008 and 2008 R2 DCs (i.e. domain1.domain.com and domain2.domain.com). The result is that in domain1 the changes have taken effect and TPM backups are working, but in domain2 it does not appear to be the case, since the 'TPM Devices' container is not created and I'm unable to activate the TPM on clients in domain2.

I used the sample command provided (ldifde -i -v -f TpmSchemaExtensionACLChanges.ldf -c "DC=X" "DC=domain1,dc=domain,dc=com" -k -j .) on the schema master without a problem. When I try the command (ldifde -i -v -f TpmSchemaExtensionACLChanges.ldf -c "DC=X" "DC=domain2,dc=domain,dc=com" -k -j .) I get the error below:

Connecting to "DC1.domain1.domain.com"
Logging in as current user using SSPI
Importing directory from file "TPMSchemaExtension.ldf"
Loading entries
1: CN=ms-TPM-Srk-Pub-Thumbprint,CN=Schema,CN=Configuration,DC=domain2,dc=domain,dc=com

Add error on entry starting on line 31: Referral
The server side error is: 0x202b A referral was returned from the server.
The extended server error is:
0000202B: RefErr: DSID-031006BB, data 0, 1 access points
        ref 1: 'domain2.domain.com'

0 entries modified successfully.
An error has occurred in the program.

_____________________________________

I'm running the above command on the Schema Master which is in Domain1.

Any help would be appreciated.

Active Directory


I have 2 sites, Mumbai and Banglore

Mumbai is the Primary and Banglore the DR Site.

We are planning a DR Drill

IF THE MUM SITE GOES DOWN ALONG WITH DC AND DNS, how will clients connect to the DR Site and authenticate?

Will the users be able to log in to the DR DC, and how??

Will their data replicate to the Primary DC when the Site comes up?

Do we need to transfer FSMO to the DR Site for Authentication?

* IF THE MUMBAI DC ALONG WITH THE DNS SERVER ARE DOWN, THEN WILL USERS BE AUTHENTICATED to the BL DR DC? IF YES, THEN HOW ..
BECAUSE ALL AD ALONG WITH DNS WILL BE DOWN.

* WILL THE USERS BE ABLE TO LOG IN IF THEIR MACHINES' PRIMARY AND SECONDARY DNS ARE THOSE OF THE MUMBAI DC?

* IF USERS ARE WORKING ON THE DR DC, WILL THEIR DATA BE REPLICATED TO THE MUMBAI DC WHEN THE MUMBAI SITE COMES UP?

* DO WE NEED TO TRANSFER FSMO TO THE DR SITE?

We want users to be redirected to the DR site to access the application URL, connecting to the DR Site while the Primary DC is down along with the DNS Server.

We have created an A record for the Application URL to point to the DR Site.


Unable to login with AD-account created with client-software


I created a new AD account with a client. The client sets the user password in the attribute unicodePwd and sets userAccountControl to the active state.

But I'm not able to log in with the newly created account. I think it might be related to how the password has been stored in AD, because when I change the password with an AD native tool to something else, then I can log in.
So the client must be storing the password in AD in a wrong way. What do you think?

Here are some algorithms that I can choose from for how I want to store the password, and I can also choose whether I want to use salting or not:

AES
SHA-256
SHA-384
SHA-512
SHA-1
MD5
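The algorithm list in the post is a strong hint at what is going wrong: Active Directory does not accept a hashed or encrypted value in unicodePwd. The value must be the plaintext password enclosed in double quotes and encoded as UTF-16LE, written over an encrypted LDAP session (LDAPS, or LDAP with Kerberos signing and sealing; the DC refuses the write on a cleartext session), and the DC derives its own password hashes from it. The PowerShell below is an added example, not the poster's client software; it uses System.DirectoryServices.Protocols and assumes placeholder values for the DC name, the account DN and the password.

```powershell
# Added example (not the poster's client code): set a user's password over LDAP the way AD expects it,
# then clear ACCOUNTDISABLE so the account can log on. Placeholders: DC 'dc1.example.local', the account DN,
# and the password passed in as a SecureString.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-UnicodePwd {
    param([Parameter(Mandatory)][string]$PlainText)
    # Wrap in double quotes, then UTF-16LE encode. No hashing, no salting: the DC hashes the value itself.
    [System.Text.Encoding]::Unicode.GetBytes('"' + $PlainText + '"')
}

function Set-LdapUserPassword {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    $P = 'System.DirectoryServices.Protocols'
    $id   = New-Object "$P.LdapDirectoryIdentifier" -ArgumentList $Server, 636
    $conn = New-Object "$P.LdapConnection" -ArgumentList $id
    $conn.SessionOptions.SecureSocketLayer = $true      # unicodePwd writes are refused on an unencrypted session
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    $plain = (New-Object System.Net.NetworkCredential -ArgumentList '', $Password).Password
    $pwdBytes = ConvertTo-UnicodePwd -PlainText $plain

    # Replace unicodePwd: an administrative reset (a user-initiated change would Delete the old value and Add the new one).
    $mod = New-Object "$P.DirectoryAttributeModification"
    $mod.Name = 'unicodePwd'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add($pwdBytes)
    $conn.SendRequest((New-Object "$P.ModifyRequest" -ArgumentList $UserDn, $mod)) | Out-Null

    # Enable the account: clear ACCOUNTDISABLE (0x2) in userAccountControl while keeping every other bit intact.
    $scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
    $search = New-Object "$P.SearchRequest" -ArgumentList $UserDn, '(objectClass=user)', $scope, 'userAccountControl'
    $uac = [int]($conn.SendRequest($search).Entries[0].Attributes['userAccountControl'][0])
    $uacMod = New-Object "$P.DirectoryAttributeModification"
    $uacMod.Name = 'userAccountControl'
    $uacMod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$uacMod.Add(($uac -band -bnot 0x2).ToString())
    $conn.SendRequest((New-Object "$P.ModifyRequest" -ArgumentList $UserDn, $uacMod)) | Out-Null
    $conn.Dispose()
}

# Usage (placeholders): prompt for the password so it never lands in a script or command history.
# Set-LdapUserPassword -Server 'dc1.example.local' -UserDn 'CN=New User,OU=Staff,DC=example,DC=local' -Password (Read-Host -AsSecureString 'New password')
```

If a client applies any of the listed algorithms before writing unicodePwd, the DC stores the digest as if it were the password, so no logon with the intended password can succeed; that matches the symptom that a reset with a native tool makes the account work.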

Branch Office - Demoting DC, Installing Another...


Hello, 

I have a few locations that have physical DCs (all 2012R2). I have a need for virtual domain controllers. The existing DCs have a business function that isn't AD related and that has to stay on the machine. My plan is:  

  • Stand up another DC at the same office and install AD services
  • Let replication go for a day or two to make sure it is sound
  • Check that the new DC can authenticate clients. 
  • Demote the old DC from AD services and let that change replicate for a day or two. 
  • Once confident that AD services no longer see the old machine as a domain controller, virtualize that machine onto the host at the office. 

I guess my main question is: if I establish a new domain controller at this site with a different host name and IP, will that have any adverse effects on the client PCs, even once I let everything replicate before demoting the old one at the site? The old DC will be P2V'd after the AD services are removed, since it still serves a function outside of AD. This old demoted machine will still need to have the same host name it's always had. Any thoughts, comments or advice appreciated. I would like to avoid having to play musical chairs with IP addresses and would rather convert the office to a new virtual DC with a new IP address.

Thanks, 

J



How to promote an Additional Domain Controller when the DC is not available.


Hi..

Our DC went down, and there is no option of bringing it online. Can someone help me out with promoting my ADC to Domain Controller? Thanks in advance.

Some computers in my network don't see Active Directory


Hello everyone,

If somebody can help me with my problem I will be very glad for any piece of advice.

Some computers in my network don't see Active Directory. All computers in my company get an IP address from DHCP. I have configured DHCP reservations. If I set a static DNS address for a computer (which is the IP of my router), it mirrors the IP that would be given by DHCP. When I change DNS, then change the status of my network card from "Network Connected" to my domain.com., in the end everything works correctly.

My environment: the router is a virtual machine (Linux) with the DNS role, DHCP and firewall. In the configuration the DNS has special SRV records with redirection to Active Directory. The environment has functioned in this configuration for over 4 years.

Domain Controllers: We have three Domain Controllers: AD (Windows Server 2012), AD2 (Windows Server 2012), AD3 (RODC, Windows Server 2012). Additionally we have AD1, which is a dead record of a non-existent VM (it was deleted but not uninstalled). Forest and domain are at the Windows Server 2008 R2 level.

I ran dcdiag on AD and AD2, and a message popped up that "The host ...._msdcs.DOMAIN.COM could not be resolved to an IP address". In the network settings I changed DNS1 from the router IP to the IP address of the controller and dcdiag finished with some errors. The users in AD and AD2 replicate.

Best Regards,

Pawel

Restore-DfsrPreservedFiles need examples that REALLY work!


I want to clean up the data in PreExisting on a 2012 R2 system. All of the examples offer only simplistic & untested suggestions that are not viable in the real world.

What good is the command when the path-too-long issue prevents it from being usable?

Then we run into the "work arounds" that do not work due to security issues related to System Volume Information.

Some of the forum questions have been answered with "this has been discussed already" - unacceptable as no solution that works has been given!

My pathing on a 2012R2 server is long with all the guid elements involved.  None of the examples are done on systems where this is the case.

E:\System Volume Information\DFSR\Private\{659C6A3C-4778-4235-BCDB-AAA3BAC364A2}-{1893B7FD-0EA0-45FB-9EB0-168D8AC78B68}\

Can I get some proper instruction on how to solve this problem that really work?

How to find Computers with Trust relationship


Hi,

I work in an organization where there are over 10000 PCs in the domain. These PCs are spread over 1000 different locations.

The problem I am facing is that many of these PCs are having trust relationship issues, but I don't have a list of the PCs which are having this issue. The users are able to log in to their domain accounts on these PCs, and Group Policies also seem to work on many of these PCs.

We have a Technical Support team. If I were to give them the list of machines having trust relationship issues, then they could go and remove the machines from the domain and rejoin them to the domain. But the problem is I don't have such a list. Is there any way to get a list (maybe a script) of all the machines in the domain that are having trust relationship issues? Since the number of machines in the organization is very large, trying to find out manually is out of the question.

I think 5% to 10% of PCs are having this issue. Also, is there a way to repair the trust relationship on a PC centrally instead of sending Technical Support to each office to repair individual PCs?
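A list of machines with a broken secure channel can be gathered centrally. The script below is an added example written for this page, not from the post: it runs Test-ComputerSecureChannel on each enabled computer account over WinRM, so it covers only hosts that are online and reachable, and it records the rest as unreachable rather than dropping them. It assumes the RSAT ActiveDirectory module, WinRM enabled on the clients, and a placeholder output path.

```powershell
# Added example (not from the post): inventory computers whose secure channel with the domain is broken.
# Assumes the ActiveDirectory module (RSAT) and WinRM on the clients; the CSV path is a placeholder.
Import-Module ActiveDirectory

function Get-BrokenSecureChannels {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$ThrottleLimit = 32
    )
    # Skip stale objects: a machine account whose password has not rotated in 90+ days is probably retired.
    $cutoff = (Get-Date).AddDays(-90)
    $computers = Get-ADComputer -SearchBase $SearchBase -Properties PasswordLastSet `
        -Filter { Enabled -eq $true -and PasswordLastSet -gt $cutoff } |
        Select-Object -ExpandProperty DNSHostName

    # Test-ComputerSecureChannel returns $true when the machine account password still validates against a DC.
    $results = Invoke-Command -ComputerName $computers -ThrottleLimit $ThrottleLimit `
        -ErrorAction SilentlyContinue -ErrorVariable connErrors -ScriptBlock {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                SecureChannelOK = (Test-ComputerSecureChannel)
            }
        }

    # WinRM connection failures arrive as error records; TargetObject carries the computer name.
    $unreachable = $connErrors | ForEach-Object {
        [pscustomobject]@{ Computer = $_.TargetObject; SecureChannelOK = 'Unreachable' }
    }
    @($results | Select-Object Computer, SecureChannelOK) + @($unreachable)
}

# Hand the failures to support. On each affected box, Test-ComputerSecureChannel -Repair -Credential <admin>
# resets the machine account password in place, without leaving and rejoining the domain.
Get-BrokenSecureChannels |
    Where-Object { $_.SecureChannelOK -ne $true } |
    Export-Csv -Path 'C:\Temp\broken-trusts.csv' -NoTypeInformation   # placeholder path
```

Machines whose trust is already broken may reject the remote session (Kerberos to them fails), so treat 'Unreachable' entries as candidates for a follow-up check rather than as healthy.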

Windows Server 2008 R2 going to blue screen 0x0000007B


This is Windows Server 2008 R2, a VM on a VMware ESXi 5.0 hypervisor, VM version 8.0

This machine has three disks and is running Exchange 2010.

I was in the process of uninstalling Acronis and a reboot gave me blue screen 0x0000007B

I have tried to run Last Known Good Configuration, safe mode, safe mode with networking, recovery console, chkdsk /f in recovery console, fixmbr, fixboot etc. but nothing works and it still shows the above BSOD error code.

Any help is much appreciated.

TIA

Rajeev


Rajeev Sharma CCNA, MCSE, VCP4 http://www.gotzu.com
