Error when attempting to change password: "The security database on the server does not have a computer account for this workstation trust relationship."

April 21, 2016, 5:58 am

≫ Next: Does "Net Time" synchronize remote PCs to millisecond accuracy?

≪ Previous: Problems removing remnants of an old Domain Controller

The error message I'm seeing is "The security database on the server does not have a computer account for this workstation trust relationship." There's nothing wrong with the trust relationship and I have removed a computer from the domain, deleted the AD account, and re-added it to the domain successfully and I still get the same message but only when I am trying to change my password. Below are all the things I have tried unsuccessfully:

Removed the computer account from the domain, deleted the account, and re-added the computer to the domain.
Tested with domain admin account.
Tried changing my password logged in directly into a domain controller.
Issue occurs both on manual password change or forced password change.
Copied existing account and tried changing the password.
Created brand new (not copied) account in AD and tried changing the password.
Tried resetting password on multiple computers.
Removing Windows updates mentioned online that may cause this issue.

The only things that have worked are:

Changing a local user account's password.
Changing a domain account password via AD Users and Computers.

Our workstations are Windows 7 SP1 and our servers are Windows 2008 R2 SP1.

Christopher

↧

Does "Net Time" synchronize remote PCs to millisecond accuracy?

February 23, 2010, 11:25 am

≫ Next: Error when trying to add a user entry to Active Directory via LDAP interface

≪ Previous: Error when attempting to change password: "The security database on the server does not have a computer account for this workstation trust relationship."

I really appreciate the article here
http://blogs.msdn.com/w32time/archive/2009/08/07/net-time-and-w32time.aspx

One thing I don't seem to see people asking or this article addressing is the accuracy of the synchronization among the remote PCs using the "Net Time" command. What I mean is that if I want the 2 remote PCs' clocks to be synchronized down to milliseconds, would this "Net Time" command do it? Does the "Net Time" command already take care of the transmission, dispersion time, and or other communication time and so on? I only care about the relative time (NOT absolute time) of the 2 remote computers.

For example, I need the system clocks of the 2 remote PCs (in the same room connecting through intranet, NOT internet) to be in sync with each other within 10ms. I have no problem creating a script to issue "Net Time \\xxxxxxx /set /yes" periodically as long as this command can set the 2 remote PCs' clocks to be closed to within 10 milliseconds.

Please advise or comment.

↧

Error when trying to add a user entry to Active Directory via LDAP interface

April 28, 2011, 12:04 pm

≫ Next: 250 account suddenly locked out

≪ Previous: Does "Net Time" synchronize remote PCs to millisecond accuracy?

I'm attempting to add a user entry to an Active Directory server here via the LDAP interface from a Linux host using OpenLDAP tools (ldapadd or ldapmodify). Here's a bare-bones example of what I'm trying to add to Active Directory:

DN: CN=John Smith,CN=Users,DC=ad,DC=cs,DC=wisc,DC=edu
objectClass: user
CN: John Smith
sn: John
givenName: Smith
displayName: John Smith
sAMAccountName: jsmith
userPrincipalName: jsmith@ad.cs.wisc.edu
altSecurityIdentities: Kerberos:jsmith@CS.WISC.EDU

The Active Directory domain is "ad.cs.wisc.edu" in this case. I am binding to Active Directory via LDAP+SSL (port 636) as user Administrator. I can successfully bind to Active Directory and search for entries, but adding errors produces the following error:

ldapadd -x -H ldaps://bunyan.ad.cs.wisc.edu -D "CN=Administrator,CN=Users,DC=ad,DC=cs,DC=wisc,DC=edu" -w ADMINISTRATOR_PW -f /tmp/jsmith.ldif -v
ldap_initialize( ldaps://bunyan.ad.cs.wisc.edu )
add objectClass:
        user
add CN:
        John Smith
add sn:
        John
add givenName:
        Smith
add displayName:
        John Smith
add sAMAccountName:
        jsmith
add userPrincipalName:
        jsmith@ad.cs.wisc.edu
adding new entry "CN=John Smith,CN=Users,DC=ad,DC=cs,DC=wisc,DC=edu"
modify complete
ldapadd: No such attribute (16)
        additional info: 00000057: LdapErr: DSID-0C090C3E, comment: Error in attribute conversion operation, data 0, v1db1

The "additional info" is logged on event log on the Active Directory server as well as being returned when trying to run ldapadd.

Any suggestions from Active Directory gurus out there? Am I missing some required fields as demanded by AD schema, or is this a permission issue?

John

↧

250 account suddenly locked out

April 30, 2016, 6:10 am

≫ Next: Windows Server 2003 DNS issue (noob user here)

≪ Previous: Error when trying to add a user entry to Active Directory via LDAP interface

we noticed suddenly email notification alert for 250 accounts locked , when checked we in AD security logs we found "Caller Computer Name: xxx" from external trying to get access to 'n' number of users account , nearly 250 users mailbox.

When we check IIS logs & firewall , we found public IP from different country keep on trying to access (might be using Brute force attack)

the question is , how do we know the following:

1- whether the attacker success in compromising any user account / mailbox ?????

2- why users getting locked out when attacker trying to target the /esw/exchange.asmx ? how to identify the users targeted?can some one provide more clarification on the below log?

2016-04-30 11:53:47 x.x.x.x POST /ews/exchange.asmx &CorrelationID=<empty>;&ClientId=VLVBJTAU0XYQPT9ZEYBW&cafeReqId=97fa2345-a7d4-4adc-8cf5-276a201cdb25; 443 - x.x.x.xExchangeServicesClient/15.00.0913.015 - 401 1 2148074252 7 x.x.x.x

3- once account starting locking out, we used to block the source IP from the firewall. will you please advice if there is any other solution??

Your support is highly appreciated in this matter.

↧

Windows Server 2003 DNS issue (noob user here)

April 30, 2016, 10:29 am

≫ Next: LDAPS Can Connect Using SSL 636 But Not Bind

≪ Previous: 250 account suddenly locked out

Hi, good day to the community.

Ill just right to the point. This home business server has been set up previously and has been running for years already. But recent issues have arise to its DNS services. Before I came across the issue in the servers event viewer itself, I had to join a newly built PC to the home domain. But unfortunately, upon many network troubleshooting and client PC troubleshooting, I had zero advancements. So then I had to look up if there were any issues with the server itself and BOOM, the DNS services had some difficulties starting up. Along with DHCP but im not too sure if that ever can be related to the DNS issue. Im thinking the easy option is to delete and create a new DNS Server under the DNS Management tool. And if that is a viable solution, how do i go about setting up the appropriate settings?

I am open to other options too. Any ideas amd help is greatly appreciated.

↧

LDAPS Can Connect Using SSL 636 But Not Bind

May 1, 2016, 4:51 am

≫ Next: "mmc has detected an error in a snap-in" error during "Raising Forest Functional Level"

≪ Previous: Windows Server 2003 DNS issue (noob user here)

Hi Everyone,

I am trying to configure LDAPS on Server 2012 R2 to allow an ERP application and our SonicWALL firewall to authenticate via LDAPS using a third party certificate from GoDaddy. I used a GoDaddy Standard SSL Multi Site certificate available from https://au.godaddy.com/pro/ssl-encryption.

I following this guide https://support.microsoft.com/en-us/kb/321051 as referenced within this forum.

My domain is contoso.local so I had to create a new DNS forward lookup zone contoso.com.au with (A) records for my four domain controllers pointing to their internal IP's.

dc1.contoso.com (192.168.1.1)
dc2.contoso.com (192.168.2.1)
dc3.contoso.com (192.168.3.1)
dc4.contoso.com (192.168.4.1)

I used the standard request.inf template referenced in the document to create the certificate request, however, because I have multiple domain controllers I added [Extensions] and used the text format as my environment is server 2008+.

;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$

[NewRequest]

Subject = "CN=dc1.contoso.com" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = "{text}"
_continue_ = "dns=dc2.contoso.com&"
_continue_ = "dns=dc3.contoso.com&"
_continue_ = "dns=dc4.contoso.com&"

;-----------------------------------------------

I have been able to create the certificate, complete the request, export it from the local machine personal store (with the private key) into the AD FS personal store. I also had to import the Go Daddy intermediate certificate into the local machine intermediate certificate authority. Despite the MS articles advising the certificate would replicate it didn't and I had to import both certificates into each DC manually (their is a post from a MS MVP from 2014 advising this is expected behavior so nothing to worry about).

Using ldp.exe I can successfully connect using SSL on port 636 to each DC using its FQDN i.e.

dc1.contoso.com (192.168.1.1)
dc2.contoso.com (192.168.2.1)
dc3.contoso.com (192.168.3.1)
dc4.contoso.com (192.168.4.1)

However, once connected I can't bind to the directory. When I try Bind as currently logged on user (administrator in my case) I get the following error.

-----------
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
Error <81>: ldap_bind_s() failed: Server Down.
Server error: 8009030C: LdapErr: DSID-0C0904FB, comment: AcceptSecurityContext error, data 52e, v23f0
Error 0x8009030C The logon attempt failed
-----------

The documentation states once LDAPS is connected I can use any account to authenticate. As the administrator wasn't working I tried a standard user accountSWLDAP using Bind with credentials. Both the user account and display name are the same SWLDAP and the password is only 8 chars (letters and numbers only) as I know some special chars upset ldap. I also added the account to the domain admins group just for testing. I tried the following permutations and all fail with the same error.

U. SWLDAP
D. contoso.local

U. SWLDAP
D. contoso.com

U. SWLDAP@ss.local
D. contoso.local

U. SWLDAP@ss.local
D. contoso.com

U. "CN=SWLDAP,OU=Service Accounts,OU=ContosoPL,DC=contoso,DC=local"
D. contoso.local

U. "CN=SWLDAP,OU=Service Accounts,OU=ContosoPL,DC=contoso,DC=local"
D. contoso.com

I have also tried all the above without a domain and with the domain set to the actual server name I.e. dc1. I used dsquery user -name to obtain the DN for the user and copied/pasted it so I know it's 100% spot on.

The surprising thing is a simple bind works using just the user account name SWLDAP and it's 8 char password, so it looks to me like the domain is causing the problem, possibly because the certificate is for contoso.com but the bind is to contoso.local???

I enabled verbose logging by setting 16 LDAP Interface Events to5 at registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

I see a lot of event ID's 1138 and 1139 (almost every second) from Computer: dc1 and users

contoso\exch$ (mostly from this user)
System (occasional from this user)

Event ID: 1138

Internal event: Function ldap_search entered.
SID: xxxxxxxxxxxxxxxxxxxxxxxx (SID redacted)
Source IP: 192.168.1.1:50736
Operation identifier: 3734
Data1:
Data2: 16452115
Data3: %7
Data8: %7

Event ID: 1139

Internal event: Function ldap_search exited.
SID: S-1-5-21-2347077188-781433227-3717360388-1104
Source IP: 192.168.1.2:50736 (exchange server)
Operation Identifier: 3734
Data1: 17131592
Data2: 17131592
Data3: %8

I also see event ID: 1535 generated by Computer: DC1 and users

System,
contoso\exch$,
contoso\dc2$,
contoso\dc3$,
contoso\dc4$

But never by user contoso\dc1$?

Internal event: The LDAP server returned an error.

Additional Data
Error value:
0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local'

I also see event ID: 6037 in the System log every 2.5hrs from computer dc1.contoso.local and user N/A. Not sure if this is related?

The program lsass.exe, with the assigned process ID 648, could not authenticate locally by using the target name ldap/dc1.contoso.com. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.

Try a different target name.

I have spent the entire weekend trying to work this one out and it has me stumped so any advice would be greatly appreciated.

Kind Regards,

Chiper

↧

"mmc has detected an error in a snap-in" error during "Raising Forest Functional Level"

May 1, 2016, 5:49 am

≫ Next: Demote server 2003 R2

≪ Previous: LDAPS Can Connect Using SSL 636 But Not Bind

Hi Everyone,

Just wanted to ask steps and procedure on how fix the error i got during raising the forest functional level.

I have a DC running on Windows Server 2003 Std. 86x with Service Pack 2 installed. I have a new server which i wish to migrate new roles to Windows Server 2012 Std. Issue is i am unable to proceed on promoting the new server into DC because of this error snap-in on my old DC.

Can someone show me a link or the steps on how to deal with his error on my old server?

Many Thanks

Jigcy

↧

Demote server 2003 R2

April 26, 2016, 9:10 pm

≫ Next: Multiple Active Directory issue withe parent and child domain. Assistance required fellow Professionals

≪ Previous: "mmc has detected an error in a snap-in" error during "Raising Forest Functional Level"

Hi Guys,

Im in the process of demoting server 2003 already migrated dhcp role to 2012 DC and FSMO roles transferred to server 2008 R2.

Do I need to uninstall DNS before I demote 2003 box or can I do that after ?

My DNS is active directory integrated.

↧

Multiple Active Directory issue withe parent and child domain. Assistance required fellow Professionals

May 1, 2016, 8:26 pm

≫ Next: Multiple Active Directory issue withe parent and child domain. Assistance required fellow Professionals

≪ Previous: Demote server 2003 R2

Brief Overview

Parent domain: googtech.com
Subnet 192.168.10.0/24

Domain Controllers:

dc01.googtech.com (192.168.10.5)
dc02.googtech.com (192.168.10.8) - currently holds all FSMOs

Primary DNS Server - DC01 (192.168.10.5)

Secondary DNS Server - DC02 (192.168.10.8)

-----------------------------------------------------------------------------

Child domain: vlab.googtech.com
Subnet 192.168.20.0/24

Child domain controller

dc03.vlab.googtech.com (192.168.20.5) - (fsmo , RID Master, Infrastructure Master & PDC Emulator)

Primary DNS Server - DC01 (192.168.10.5)

Secondary DNS Server - DC02 (192.168.10.8)

All DCs are 2012R2.

Forest Functional Level is 200R2

-----------------------------------------------------------------------------------------------------------------------------------------

DCDIAG BELOW

C:\Users\xhamsemohamed>dcdiag /q
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC01 failed test DFSREvent
A warning event occurred. EventID: 0x8000051C
Time Generated: 05/02/2016 02:42:19
Event String:
The Knowledge Consistency Checker (KCC) has detected that successive
attempts to replicate with the following directory service has consistently fai
led.
A warning event occurred. EventID: 0x8000061E
Time Generated: 05/02/2016 02:42:19
Event String:
All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 05/02/2016 02:42:19
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
A warning event occurred. EventID: 0x8000061E
Time Generated: 05/02/2016 02:42:19
Event String:
All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 05/02/2016 02:42:19
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
......................... DC01 failed test KccEvent
[DC01] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... DC01 failed test NetLogons
[Replications Check,DC01] A recent replication attempt failed:
From DC02 to DC01
Naming Context: DC=ForestDnsZones,DC=googtech,DC=com
The replication generated an error (5):
Access is denied.
The failure occurred at 2016-05-02 01:52:53.
The last success occurred at 2016-05-01 23:52:49.
1 failures have occurred since the last success.
[Replications Check,DC01] A recent replication attempt failed:
From DC02 to DC01
Naming Context: DC=DomainDnsZones,DC=googtech,DC=com
The replication generated an error (5):
Access is denied.
The failure occurred at 2016-05-02 01:52:53.
The last success occurred at 2016-05-01 23:52:49.
1 failures have occurred since the last success.
[Replications Check,DC01] A recent replication attempt failed:
From DC02 to DC01
Naming Context: CN=Schema,CN=Configuration,DC=googtech,DC=com
The replication generated an error (5):
Access is denied.
The failure occurred at 2016-05-02 01:52:52.
The last success occurred at 2016-05-01 23:52:49.
1 failures have occurred since the last success.
[Replications Check,DC01] A recent replication attempt failed:
From DC03 to DC01
Naming Context: CN=Schema,CN=Configuration,DC=googtech,DC=com
The replication generated an error (5):
Access is denied.
The failure occurred at 2016-05-02 01:52:54.
The last success occurred at 2016-04-09 18:08:12.
29 failures have occurred since the last success.
[Replications Check,DC01] A recent replication attempt failed:
From DC02 to DC01
Naming Context: CN=Configuration,DC=googtech,DC=com
The replication generated an error (5):
Access is denied.
The failure occurred at 2016-05-02 01:52:52.
The last success occurred at 2016-05-01 23:59:23.
1 failures have occurred since the last success.
[Replications Check,DC01] A recent replication attempt failed:
From DC03 to DC01
Naming Context: CN=Configuration,DC=googtech,DC=com
The replication generated an error (5):
Access is denied.
The failure occurred at 2016-05-02 01:52:54.
The last success occurred at 2016-04-09 18:08:10.
30 failures have occurred since the last success.
[Replications Check,DC01] A recent replication attempt failed:
From DC02 to DC01
Naming Context: DC=googtech,DC=com
The replication generated an error (5):
Access is denied.
The failure occurred at 2016-05-02 01:52:53.
The last success occurred at 2016-05-02 00:02:53.
1 failures have occurred since the last success.
[Replications Check,DC01] A recent replication attempt failed:
From DC03 to DC01
Naming Context: DC=vlab,DC=googtech,DC=com
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

The failure occurred at 2016-05-02 00:07:49.
The last success occurred at 2016-04-09 18:08:14.
22 failures have occurred since the last success.
[Replications Check,DC01] A recent replication attempt failed:
From DC02 to DC01
Naming Context: DC=vlab,DC=googtech,DC=com
The replication generated an error (5):
Access is denied.
The failure occurred at 2016-05-02 01:52:53.
The last success occurred at 2016-05-01 23:52:49.
1 failures have occurred since the last success.
......................... DC01 failed test Replications
The DS has corrupt data: rIDPreviousAllocationPool value is not valid
......................... DC01 failed test RidManager
Could not open NTDS Service on DC01, error 0x5 "Access is denied."
......................... DC01 failed test Services
An error event occurred. EventID: 0x80001778
Time Generated: 05/02/2016 01:52:13
Event String:
The previous system shutdown at 00:19:42 on 02/05/2016 was unexpecte
d.
An error event occurred. EventID: 0x0000166D
Time Generated: 05/02/2016 01:52:39
Event String:
Netlogon could not register the GOOGTECH<1B> name for the following
reason:
An error event occurred. EventID: 0x00000C19
Time Generated: 05/02/2016 01:52:39
Event String:
This computer is configured to be the primary domain controller of i
ts domain. However, the computer DC02 is currently claiming to be the primary do
main controller of the domain.
An error event occurred. EventID: 0x00000029
Time Generated: 05/02/2016 01:51:31
Event String:
The system has rebooted without cleanly shutting down first. This er
ror could be caused if the system stopped responding, crashed, or lost power une
xpectedly.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 01:52:39
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 01:52:40
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0x0000410B
Time Generated: 05/02/2016 01:52:49
Event String:
The request for a new account-identifier pool failed. The operation
will be retried until the request succeeds. The error is
An error event occurred. EventID: 0x0000168E
Time Generated: 05/02/2016 01:52:52
Event String:
The dynamic registration of the DNS record 'googtech.com. 600 IN A 1
92.168.10.5' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 05/02/2016 01:52:53
Event String:
The dynamic registration of the DNS record '_ldap._tcp.googtech.com.
600 IN SRV 0 100 389 DC01.googtech.com.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 05/02/2016 01:52:54
Event String:
The dynamic registration of the DNS record '_ldap._tcp.985a4b96-2c34
-4f5a-9f93-44c0bc2e2fb0.domains._msdcs.googtech.com. 600 IN SRV 0 100 389 DC01.g
oogtech.com.' failed on the following DNS server:
An error event occurred. EventID: 0x0000106A
Time Generated: 05/02/2016 01:52:55
Event String:
Unable to update the IP address on Isatap interface isatap.googtech.
com. Update Type: 1. Error Code: 0x490.
An error event occurred. EventID: 0xC0001B70
Time Generated: 05/02/2016 01:53:09
Event String:
The Windows Deployment Services Server service terminated with the f
ollowing service-specific error:
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 01:57:54
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 01:57:56
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 01:57:59
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 01:58:01
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 01:58:03
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 02:07:56
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 02:07:58
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 02:08:01
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 02:08:03
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 02:08:05
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 02:27:58
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 02:28:00
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 02:28:03
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 02:28:05
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 05/02/2016 02:28:07
Event String:
The name "GOOGTECH :1b" could not be registered on the interfa
ce with IP address 192.168.10.5. The computer with the IP address 192.168.10.8 d
id not allow the name to be claimed by this computer.
......................... DC01 failed test SystemLog

C:\Users\xhamsemohamed>

↧

Multiple Active Directory issue withe parent and child domain. Assistance required fellow Professionals

May 1, 2016, 8:34 pm

≫ Next: Multiple Active Directory issue withe parent and child domain. Assistance required fellow Professionals

≪ Previous: Multiple Active Directory issue withe parent and child domain. Assistance required fellow Professionals

-----------------------------------------------------------------------------------------------------------------------------------------

DCDIAG BELOW

DC02 -DCDIAG

C:\Users\xhamsemohamed>dcdiag

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = DC02
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: London\DC02
Starting test: Connectivity
......................... DC02 passed test Connectivity

Doing primary tests

Testing server: London\DC02
Starting test: Advertising
......................... DC02 passed test Advertising
Starting test: FrsEvent
......................... DC02 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC02 failed test DFSREvent
Starting test: SysVolCheck
......................... DC02 passed test SysVolCheck
Starting test: KccEvent
An error event occurred. EventID: 0xC000066D
Time Generated: 05/02/2016 03:26:32
Event String:
Active Directory Domain Services did not perform an authenticated re
mote procedure call (RPC) to another directory server because the desired servic
e principal name (SPN) for the destination directory server is not registered on
the Key Distribution Center (KDC) domain controller that resolves the SPN.
A warning event occurred. EventID: 0x80000785
Time Generated: 05/02/2016 03:26:32
Event String:
The attempt to establish a replication link for the following writab
le directory partition failed.
An error event occurred. EventID: 0xC000066D
Time Generated: 05/02/2016 03:26:32
Event String:
Active Directory Domain Services did not perform an authenticated re
mote procedure call (RPC) to another directory server because the desired servic
e principal name (SPN) for the destination directory server is not registered on
the Key Distribution Center (KDC) domain controller that resolves the SPN.
A warning event occurred. EventID: 0x80000785
Time Generated: 05/02/2016 03:26:32
Event String:
The attempt to establish a replication link for the following writab
le directory partition failed.
An error event occurred. EventID: 0xC000066D
Time Generated: 05/02/2016 03:26:32
Event String:
Active Directory Domain Services did not perform an authenticated re
mote procedure call (RPC) to another directory server because the desired servic
e principal name (SPN) for the destination directory server is not registered on
the Key Distribution Center (KDC) domain controller that resolves the SPN.
A warning event occurred. EventID: 0x80000786
Time Generated: 05/02/2016 03:26:32
Event String:
The attempt to establish a replication link to a read-only directory
partition with the following parameters failed.
......................... DC02 failed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC02 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC02 passed test MachineAccount
Starting test: NCSecDesc
......................... DC02 passed test NCSecDesc
Starting test: NetLogons
[DC02] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... DC02 failed test NetLogons
Starting test: ObjectsReplicated
......................... DC02 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,DC02] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
error 0x2105 "Replication access was denied."
......................... DC02 failed test Replications
Starting test: RidManager
......................... DC02 passed test RidManager
Starting test: Services
Could not open NTDS Service on DC02, error 0x5 "Access is denied."
......................... DC02 failed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x00000018
Time Generated: 05/02/2016 02:38:59
Event String:
Time Provider NtpClient: No valid response has been received from do
main controller DC01.googtech.com after 8 attempts to contact it. This domain co
ntroller will be discarded as a time source and NtpClient will attempt to discov
er a new domain controller from which to synchronize. The error was: The peer is
unreachable.
An error event occurred. EventID: 0x40000004
Time Generated: 05/02/2016 03:03:22
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver dc01$. The target name used was cifs/dc01.googtech.com. This indicates that
the target server failed to decrypt the ticket provided by the client. This can
occur when the target server principal name (SPN) is registered on an account o
ther than the account the target service is using. Ensure that the target SPN is
only registered on the account used by the server. This error can also happen i
f the target service account password is different than what is configured on th
e Kerberos Key Distribution Center for that target service. Ensure that the serv
ice on the server and the KDC are both configured to use the same password. If t
he server name is not fully qualified, and the target domain (GOOGTECH.COM) is d
ifferent from the client domain (GOOGTECH.COM), check if there are identically n
amed server accounts in these two domains, or use the fully-qualified name to id
entify the server.
A warning event occurred. EventID: 0x000727A5
Time Generated: 05/02/2016 03:05:27
Event String:
The WinRM service is not listening for WS-Management requests.
A warning event occurred. EventID: 0x00001796
Time Generated: 05/02/2016 03:06:41
Event String:
Microsoft Windows Server has detected that NTLM authentication is pr
esently being used between clients and this server. This event occurs once per b
oot of the server on the first time a client uses NTLM with this server.
An error event occurred. EventID: 0x0000106A
Time Generated: 05/02/2016 03:06:49
Event String:
Unable to update the IP address on Isatap interface isatap.{10B74C24
-4600-47E4-8366-12291BB25C85}. Update Type: 1. Error Code: 0x490.
A warning event occurred. EventID: 0x00002724
Time Generated: 05/02/2016 03:06:51
Event String:
This computer has at least one dynamically assigned IPv6 address.For
reliable DHCPv6 server operation, you should use only static IPv6 addresses.
A warning event occurred. EventID: 0x0000000C
Time Generated: 05/02/2016 03:07:02
Event String:
Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
tpClient.
An error event occurred. EventID: 0x40000004
Time Generated: 05/02/2016 03:11:37
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver dc01$. The target name used was cifs/dc01.googtech.com. This indicates that
the target server failed to decrypt the ticket provided by the client. This can
occur when the target server principal name (SPN) is registered on an account o
ther than the account the target service is using. Ensure that the target SPN is
only registered on the account used by the server. This error can also happen i
f the target service account password is different than what is configured on th
e Kerberos Key Distribution Center for that target service. Ensure that the serv
ice on the server and the KDC are both configured to use the same password. If t
he server name is not fully qualified, and the target domain (GOOGTECH.COM) is d
ifferent from the client domain (GOOGTECH.COM), check if there are identically n
amed server accounts in these two domains, or use the fully-qualified name to id
entify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 05/02/2016 03:12:03
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver dc01$. The target name used was DNS/dc01.googtech.com. This indicates that
the target server failed to decrypt the ticket provided by the client. This can
occur when the target server principal name (SPN) is registered on an account ot
her than the account the target service is using. Ensure that the target SPN is
only registered on the account used by the server. This error can also happen if
the target service account password is different than what is configured on the
Kerberos Key Distribution Center for that target service. Ensure that the servi
ce on the server and the KDC are both configured to use the same password. If th
e server name is not fully qualified, and the target domain (GOOGTECH.COM) is di
fferent from the client domain (GOOGTECH.COM), check if there are identically na
med server accounts in these two domains, or use the fully-qualified name to ide
ntify the server.
An error event occurred. EventID: 0x0000168E
Time Generated: 05/02/2016 03:12:03
Event String:
The dynamic registration of the DNS record '_ldap._tcp.pdc._msdcs.go
ogtech.com. 600 IN SRV 0 100 389 DC02.googtech.com.' failed on the following DNS
server:
......................... DC02 failed test SystemLog
Starting test: VerifyReferences
......................... DC02 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : googtech
Starting test: CheckSDRefDom
......................... googtech passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... googtech passed test CrossRefValidation

Running enterprise tests on : googtech.com
Starting test: LocatorCheck
......................... googtech.com passed test LocatorCheck
Starting test: Intersite
......................... googtech.com passed test Intersite

C:\Users\xhamsemohamed>

-----------------------------------------------------------------------------------------------------------------------------------------

DC03 - DCDIAG

C:\Users\zhamsemohamed>dcdiag

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = DC03
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Paris\DC03
Starting test: Connectivity
......................... DC03 passed test Connectivity

Doing primary tests

Testing server: Paris\DC03
Starting test: Advertising
......................... DC03 passed test Advertising
Starting test: FrsEvent
......................... DC03 passed test FrsEvent
Starting test: DFSREvent
......................... DC03 passed test DFSREvent
Starting test: SysVolCheck
......................... DC03 passed test SysVolCheck
Starting test: KccEvent
......................... DC03 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC03 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC03 passed test MachineAccount
Starting test: NCSecDesc
......................... DC03 passed test NCSecDesc
Starting test: NetLogons
[DC03] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... DC03 failed test NetLogons
Starting test: ObjectsReplicated
......................... DC03 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,DC03] A recent replication attempt failed:
From DC01 to DC03
Naming Context: CN=Schema,CN=Configuration,DC=googtech,DC=com
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2016-05-01 18:25:19.
The last success occurred at 2016-05-01 17:03:30.
1 failures have occurred since the last success.
The directory on DC01 is in the process.
of starting up or shutting down, and is not available.
Verify machine is not hung during boot.
[Replications Check,DC03] A recent replication attempt failed:
From DC01 to DC03
Naming Context: CN=Configuration,DC=googtech,DC=com
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2016-05-01 18:25:19.
The last success occurred at 2016-05-01 17:03:30.
1 failures have occurred since the last success.
The directory on DC01 is in the process.
of starting up or shutting down, and is not available.
Verify machine is not hung during boot.
[Replications Check,DC03] A recent replication attempt failed:
From DC01 to DC03
Naming Context: DC=googtech,DC=com
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2016-05-01 18:25:19.
The last success occurred at 2016-05-01 17:03:30.
1 failures have occurred since the last success.
The directory on DC01 is in the process.
of starting up or shutting down, and is not available.
Verify machine is not hung during boot.
......................... DC03 failed test Replications
Starting test: RidManager
......................... DC03 passed test RidManager
Starting test: Services
Could not open NTDS Service on DC03, error 0x5 "Access is denied."
......................... DC03 failed test Services
Starting test: SystemLog
......................... DC03 passed test SystemLog
Starting test: VerifyReferences
......................... DC03 passed test VerifyReferences

Running partition tests on : vlab
Starting test: CheckSDRefDom
......................... vlab passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... vlab passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running enterprise tests on : googtech.com
Starting test: LocatorCheck
......................... googtech.com passed test LocatorCheck
Starting test: Intersite
......................... googtech.com passed test Intersite

C:\Users\zhamsemohamed>

ANY FURTHER LOGS REQUIRED PLEASE LET ME KNOW.

THANK-YOU

↧

Multiple Active Directory issue withe parent and child domain. Assistance required fellow Professionals

May 1, 2016, 8:31 pm

≫ Next: Difficulties to detect USN Rollback?

≪ Previous: Multiple Active Directory issue withe parent and child domain. Assistance required fellow Professionals

-----------------------------------------------------------------------------------------------------------------------------------------

DCDIAG BELOW

DC02 -DCDIAG

-----------------------------------------------------------------------------------------------------------------------------------------

DC03 - DCDIAG

ANY FURTHER LOGS REQUIRED PLEASE LET ME KNOW.

THANK-YOU

↧

Difficulties to detect USN Rollback?

May 1, 2016, 11:44 pm

≫ Next: when i browse to link X i need to be redirected to may adfs link

≪ Previous: Multiple Active Directory issue withe parent and child domain. Assistance required fellow Professionals

Hi all,

One month ago we had a crash on our PDC containing all roles, for info we are running 2 DCs on the Headquarter and there is one more DC on another site. We are running 2012 DCs with 2008 domain and forest functionnal level.

So the day we had the Crash I had only one DC on the headquarter and the second on the other site, with the help of this forum I have "seized" all the role to the second DC after making some control over the replication and so one.

We had no problem since one month, last week my colleague inform me that he has one Workstation saying "The trust Relationship between this Workstation and the primary domain failed". I immediately was thinking of a USN Rollback but why have we this one month later? Other things last week on wednesday the PDC was like freezed, I cannot make a CTRL+ALT+DEL on the VMware Console, but it respond to ping, is it reliable to netlogon service down? But nothing in the "Directory Service" event log.

As I have read on the MS BK 875495, in our situation (2012 DCs and 2008 functionnal level) if we are facing with a USN Rollback it will be viewable in the Event log with Event ID2095, 1113, 1115 2103 right?

I tryed to check with the "repladmin /showutdvec DCNAME" but I don't have understand if I have to launch it on each DC or on the same DC with each "DCNAME" as a parameter.

With this command runned on the same DC it sort me for example :

C:\>repadmin /showutdvec srv-sdc DC=domain,DC=com
Caching GUIDs.
..

GVA\SRV-GVADC                        @ USN    245128 @ Time 2016-05-02 08:09:45
Premier-Site-par-defaut\SRV-DC       @ USN    400550 @ Time 2016-05-02 08:16:16
Premier-Site-par-defaut\SRV-SDC      @ USN   7004562 @ Time 2016-05-02 08:16:46
Premier-Site-par-defaut\SRV-DC1      @ USN    363234 @ Time 2016-05-02 08:16:38

Then for the second DC, runned on SRV-SDC :

C:\>repadmin /showutdvec srv-dc1 DC=domain,DC=com
Caching GUIDs.
..
GVA\SRV-GVADC                        @ USN    245128 @ Time 2016-05-02 08:09:45
Premier-Site-par-defaut\SRV-DC       @ USN    400550 @ Time 2016-05-02 08:16:16
Premier-Site-par-defaut\SRV-SDC      @ USN   7004550 @ Time 2016-05-02 08:15:58
Premier-Site-par-defaut\SRV-DC1      @ USN    363235 @ Time 2016-05-02 08:16:50

Then for the third in the other site :

C:\>repadmin /showutdvec srv-gvadc DC=domain,DC=com
Caching GUIDs.
..

GVA\SRV-GVADC                        @ USN    245170 @ Time 2016-05-02 08:16:53
Premier-Site-par-defaut\SRV-DC       @ USN    400480 @ Time 2016-05-02 08:12:07
Premier-Site-par-defaut\SRV-SDC      @ USN   7004485 @ Time 2016-05-02 08:12:12
Premier-Site-par-defaut\SRV-DC1      @ USN    363127 @ Time 2016-05-02 08:09:18

So guys what do you think? I'm a little bit... lost in this.

Thanks and sincerely.

↧

when i browse to link X i need to be redirected to may adfs link

May 2, 2016, 2:28 am

≫ Next: Replication problem with DC - one way

≪ Previous: Difficulties to detect USN Rollback?

i am upgrading my ADFS to 3.0 and in the stage of shifting to the new setup from 2.0, i had some IIS custom settings to redirect anyone going to xyz.mydomain.com to my adfs services, now i need to duplicate this on the 3.0 - no iis - can anyone please help?

↧

Replication problem with DC - one way

April 26, 2016, 7:51 pm

≫ Next: Domain users unable to change passwords after April 2016 security updates

≪ Previous: when i browse to link X i need to be redirected to may adfs link

Hi All,

I have 2 sites, with 2 DC each. Due to some problems, the servers on site 2 could not replicate with site 1 for a long time. To fix the problem, I demoted the DC on site 2 and promoted again.

Before promoting, I did a metadata cleanup.

Let DC1, DC2 be the DCs in site 1, and DC3,DC4 the DCs in site 2.

Now, DC1 can replicate to DC2, and DC2 can replicate to DC1 (same-site)

Also DC3 can replicate to DC4, and DC4 to DC3 (still same site)

The inter-site replication is the problematic part. The strange thing is that DCs from site 1 can replicate to DCs in site 2, but DCs from site 2 can replicate to DCs from site 1. Before these problem arose, there were no replication issues, so it should not be a network-related problem as network settings have not been changed.

The error I get when i try to replicate in AD sites and services is: "the name context is in the process of being removed or is not replicated from the specified server".

In the event log of DCs of site 1, I get an event 1925 that states an 1722 RPC not available error message. I relised that in the servers in site 1 nearly all DNS SRV entries for the servers in site 2 are missing. I tried restarting netlogon service, but the SRV records for the servers in site 2 are still not present

↧

Domain users unable to change passwords after April 2016 security updates

May 2, 2016, 4:39 pm

≫ Next: Multihomed DC (keep old DC IP alive...but was is another vlan)

≪ Previous: Replication problem with DC - one way

Hi Everyone,

Wondering if anyone else has run into this issue - I really can't find much out there of substance on this so far:

Our users have started to report problems changing their domain passwords when they expire - and this began after the installation of April's updates. Users are all using Windows 7 Enterprise x64, and the domain is still running on Server 2003 (which admittedly needs to be upgraded, and will be shortly).

When the user logs on - and only if their password has expired - the system prompts them to change it as usual. But, regardless of what they enter/confirm (i.e. sufficiently complex, brand new passwords) they get stuck in a loop where the error message given is: "Logon Failure: The specified account password has expired". Thanks Captain Obvious :)

We have confirmed the passwords are not getting updated, as they can continue to login with their old passwords and go through the whole thing over and over again.

We also have complex passwords enabled via GPO.

As a side note, our DCs seem ok, and we can change passwords on the server side via ADUC without issue, and user info seems to be replicated among the DCs at normal speeds.

In the meantime, we have isolated the issue to the following updates on the workstations:

KB3147071

KB3149090

KB3146706

In limited testing, if I remove these updates, then password change functionality goes back to normal.

Has anyone else run into this in their environment, or found a workaround other than uninstalling the updates? Any other input would be appreciated.

Thanks in advance!

↧

Multihomed DC (keep old DC IP alive...but was is another vlan)

April 22, 2016, 6:18 am

≫ Next: To find the AD Schema attribute

≪ Previous: Domain users unable to change passwords after April 2016 security updates

Hi,

First, as usual, sorry for my english.

We have a technical question about multihomed DC. We know that there is no probleme for a domain controller to have 2 different IP on the same network. But in our case old DC(s) were on the same VLAN as other servers and new DC(s) are in a separated VLAN.

The issue is due to application which use name and ip of one old DC...so we need to keep this IP alive.

We would like to add a network cable to a new DC and add the old DC IP on this network card.

Is it possible? I think it is but I am afraid that all ldap connexion from production VLAN will use the old IP because it will be the shorter way (IP on same network).

All topic about multihomed DC I have read speak about DHCP for these VLAN but in our case our network device are configure to transfer DHCP request to the new VLAN.

Please tell me you have the answer to this topic...please help me.

↧

To find the AD Schema attribute

April 21, 2016, 9:32 am

≫ Next: Can I create domain controller on windows Server 2008R2, when my main Domain server is Windows Server 2012R2

≪ Previous: Multihomed DC (keep old DC IP alive...but was is another vlan)

Hello All,

I have script to find the AD schema attribute for the all object

dsquery *"cn=Schema,cn=Configuration,dc=MyDomain,dc=com"-Filter"(objectClass=attributeSchema)"-AttrLDAPDisplayName rangeUpper -Limit0>Report.txt

Can any one help in modifying the script or provide the script to extract object wise such user, computer printer etc

thanks in Advance

Aamir

↧

Can I create domain controller on windows Server 2008R2, when my main Domain server is Windows Server 2012R2

May 1, 2016, 9:59 pm

≫ Next: The security database on the server does not have a computer account for this workstation trust relationship.

≪ Previous: To find the AD Schema attribute

I have a windows server 2012r2 and this is my first domain in the forest. I have another server which is windows server 2008r2 and I installed AD on this server and want to join my domain that is created on windows server 2012r2, but I can't because I am getting DNS error. Can I do this at all, join 2012r2 from 2008r2?

↧

The security database on the server does not have a computer account for this workstation trust relationship.

April 26, 2016, 4:05 am

≫ Next: Advanced audit policy setting

≪ Previous: Can I create domain controller on windows Server 2008R2, when my main Domain server is Windows Server 2012R2

Hi,

we do have an Active Directory on Server 2008 R2. also do have Windows 7, Windows 8, Windows 8.1 and Windows 10 as a client operating system on my domain. Since past 1 month we are facing the issue of 'The security database on the server does not have a computer account for this workstation trust relationship.' while trying to change password of user through client computer.

Previously, we thought the trust relationship has been failed so, so recreated it using 'test-computersecurechannel -repair'. Even after that, we tried to change the user password but same issue is repeating. This issue has been only seen on Windows 8.1 Machine till now. For Windows 7 or Windows 8 same user can easily change their password.

Request for your help on this regard. Error Snapshot is below.

Thank You.

↧

Advanced audit policy setting

May 2, 2016, 11:23 pm

≫ Next: Upgrading from ADDS 2008 32-bit to 2012/2012 R2

≪ Previous: The security database on the server does not have a computer account for this workstation trust relationship.

Dear all,

I want to collect and analyze event for the below Advanced Audit Policy Configuration.

Audit Logoff
Audit Logon
Audit Other Logon/Logoff
Audit Non Sensitive Privilege Use
Audit Other Privilege Use Events

May I know where should I define the GPO? Under Default Domain Policy of OU for computers(PC and server)?

do I need collect both Server and PC Event log?

↧