Channel: Directory Services forum

Windows 10 Client PC DNS Issues (Maybe)


I am running an Essentials 2011 server.

Some of my PCs have upgraded to Windows 10, and since then have been running really slow.

What I have found is that it is taking a very long time to find network names on the LAN.

I attempted to remove a PC from the domain, and re-connect it. But now that PC won't re-connect as it cannot find the Domain.

All the Windows 7 PCs are working fine, I am only having issues with Windows 10 clients.

Looking for suggestions as my searching of the web is not getting an answer for me yet.

Thanks.


Can't download Password Export Server (PES) - X86 from Microsoft Connect


Hi,

Actually I urgently need to download Password Export Server x86 from Microsoft Connect, but I can't, because when I click the link nothing happens and the download doesn't launch. I had the same problem with PES x64, but now I can download the x64 binaries but not x86.

I tried all web browsers on PC and smartphone.

Could you help me please?

Thanks so much guys.


Active directory off for several years


Hello,

The organization has stopped and we would like to keep the administration for 7 years, and at the request of the authorities it should be consultable.

What preparations does it take for the 2 domain controllers and 2 application servers to work after 7 years powered off?

Thanks

error 1216 and 1317


Dear All,

Kindly advise, I have a problem in the DC: it is showing errors 1216 and 1317, then no one can get a DHCP lease and the server stops responding to the clients. It is pingable as well.


Faisal Khan

LDAP authentication


I have 3 child domains and one parent domain. If we create a service account in one child domain, can this service account be used to do LDAP queries in all domains (parent and child)? What permissions should the service account have?

How to take the backup of .(root) zone ?


I have more than 30 namespaces hosted in the .(root) zone, with 1000 "A" records and many delegations.

How to take the backup of .(root) zone on Windows 2012 R2?


Regards,

Biswajit

MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011

Note: Disclaimer: This posting is provided with no warranties or guarantees and confers no rights.

Certificate service client-Certenrollment


I have demoted my RODC for some reason, cleaned up all the metadata, and reinstalled it again using dcpromo.

But after installation, when I am trying to time sync my RODC with my AD-DC, it is throwing errors with event IDs 6 & 13 for the auto enrollment of the certificate.

Certificate enrollment for local system failed to enroll for a domain controller certificate with request ID N/A from AD-DC.domain.in-CA(the RPC server is unavailable. 0x800706ba(WIN32:1722)).

But I am getting this error on this RODC only; we have 6 more RODCs in our domain.

I tried googling it & everyone says the domain controller should be a member of the CERTSVC_DCOM_ACCESS group, but we don't have this group in our Active Directory.

What to do??

2003 Domain controller and planning to upgrade 2012 R2 DC.


Hi Team,

We have a setup with 2003 domain controllers and are planning to upgrade to 2012 R2 DCs. Below is the specification.

We have 10 sites and every site has 2 ADCs, hence we have 22 DCs in total, which are running Windows Server Enterprise Edition 2003 R2.

Please tell me what precautions need to be taken while upgrading to 2012 R2.

Do we need to take precautions for application servers, as we have some application servers which are integrated with AD?

Also we have some two-way trusts for cross-forest domains.


Pradip Sisodiya


Saving LDAP Active Directory query.

I was wondering if there is a method to save the results of a search in active directory for later, offline use. (in Windows 10 or 7). This is because sometimes I need the results of a search after I have disconnected from the network.

NTDS Replication Error


When I ran repadmin /showrepl on one of the DCs

I am getting the below error

Source: XXX\server
******* 20 CONSECUTIVE FAILURES since (never)
Last error: 1127 (0x467):
            While accessing the hard disk, a disk operation failed even after retries.

Can you help with how to resolve the replication issue?

Users have lost their home directories


We created a new domain and tested a few users by logging on. It was all fine. We came across to the customer's site to install everything, and the users no longer have an H: (home directories). No idea why. The computers are on the domain, I can ping everything, remote onto servers etc.

The home directories are created in AD. The paths are - \\server\shares\Users\%USERNAME% which did originally work. 

I logged on with a user's credentials; I can access the server, I can access the shares folder, but I don't have permission to access the user's folder, as it comes up with 'don't have the permissions' to access it. I checked the permissions on the user profiles and they all have full control.

Any ideas?

DFSR replication SYSVOL broken - error 6002


Hi all,

I've recently inherited the responsibility for our domain controllers, which unfortunately includes a problem with the SYSVOL replication. Some time ago, the SYSVOL replication was migrated successfully from FRS to DFSR. All was fine, until some time ago.

We have 4 writable DCs running Windows 2012 R2 and a few RODCs running Windows 2008 R2.

I noticed that new GPOs weren't available on all domain controllers, except for one DC which is the baseline DC and the PDC Emulator for our domain.

This specific DC generates event ID 6002 in the DFS Replication event log (names changed for security reasons):

The DFS Replication service detected invalid msDFSR-Subscriber object data while polling for configuration information.
 
Additional Information:
Object DN: CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DC02,OU=Domain Controllers,DC=internal,DC=company,DC=com
Attribute Name: msDFSR-MemberReference
Domain Controller: DC02.internal.company.com
Polling Cycle: 60 minutes

My DFSR knowledge is pretty rusty, so I am a bit at a loss here. I did check a few things:

  • I've checked the msDFSR-MemberReference attribute with ADSIEdit on the DCs. They are all fine, except on DC02, where the attribute is empty!
  • The event logs don't show any errors in the DFS Replication log.
  • Everything else seems to be in order: no issues with replication of user objects, DNS, whatever.


My question is: how do I re-establish the replication? Do I need to rebuild the entire thing, or will setting the msDFSR-MemberReference on DC02 work?

I found this article, but I am not sure if this is the way to go: https://support.microsoft.com/en-us/kb/2218556

Any ideas would be appreciated.

Thanks!

Regards,

Erwin G.


Application not working with domain local group


We have one parent domain and three child domains. We are implementing an application. We have specified a universal group (members of this group can log on to the application portal). Users are able to authenticate when they are part of the universal group; however, they are unable to authenticate if they are part of a domain local group. Any idea?

How to make AD automatically create replication links between the hosting center and all campus sites


Hi All,

We have one Data Center (Hosting Center) and 50 branch offices (Campus offices).

When I look in AD, a site link for each branch office is created between the campus office and the hosting center.

But when I go to Campus office DC > NTDS Settings, I see automatically created links between two branch offices and no connection to the hosting center DC.

Between campus offices the WAN link is not good.

But between branch office and hosting center the WAN link is good.

How do I get AD to generate an <automatically generated> connection such that it is created between the campus office and the hosting center, but not between campus offices?

Thank you.




Trust between two forests end with No Logon servers available to service the logon request

I have a very strange problem with a domain trust between two forests.

I have forest A and forest B. Forest A is domain1.local and forest B is domain2.local.
When I try to create and validate a forest trust between the domains, I get stuck on an error:
The trust cannot be repaired because: There are currently no logon servers available to service the logon request.

I have checked a hundred times for DNS lookup problems, hosts files and network connections. It is still not working.
The connection is like this:

server.domain1.local <-------Router------->server.domain2.local
Routing table and firewall are fine. I am using Windows 2003 Standard Server on both sites. Domain functional level and forest functional level are Windows 2003.

After months of investigating that error I created another forest in site B and tried to create trusts between the 3 domains. It works fine.
The new configuration is like this:

server.domain1.local <----router--->server.domain2.local -----Switch ----server.test.local

The trust between test.local and domain2.local and domain1.local is working fine. The only problem is when I try to create a trust between domain1.local and domain2.local.

DCDiag on both problem domains shows no fatal errors, DNS lookup is OK, WINS server is OFF.
DNS servers in both domains are configured with conditional forwarders.

domain1.local can create a trust with another forest, mycompany.local, and it is working fine. That forest contains only one domain controller.

Any bright ideas?

KDC reports incorrect etypes after level change from 2003 to 2008 R2


A couple of years ago we added Windows 2008 R2 Domain Controllers to our Windows 2003 domain, completed the process of moving off of the old 2003 DCs to the new ones, and finally changed the functional level to 2008 R2.  As far as everything we were using went, things were functioning as expected.  However, recently we've been working on enhancing our GPO configuration for our desktops to increase security.

One of the changes we made was based off of DoD STIG settings and according to MS documentation was supported by our W7 & W10 machines connecting to our Windows 2008 R2 domain.

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Configure encryption types allowed for Kerberos -> checking only AES128, AES256, & Future

After that change was made, though, the test machines (W7 & W10) all started getting popups telling them they needed to lock their machine and log back in because the password was out of sync.  Doing so did not resolve the issue, and then if you tried to change the account password from the computer you got an error about the KDC not supporting the encryption requested.  The following error was logged on the Domain Controller too.

While processing an AS request for target service krbtgt, the account USER_ACCOUNT did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18  17  3. The accounts available etypes : 23  -133  -128. Changing or resetting the password of USER_ACCOUNT will generate a proper key.

Researching, etypes 18 & 17 are AES128 & AES256, which is what I expected, but then on the domain side it's telling me it only supports RC4, and I couldn't figure out what -133 & -128 were.  So I did more research and was assuming the domain, when upgraded, just never added the AES options, so I started delving into klist & ksetup.  However, I started running into errors.

ksetup /getenctypeattr MY.DOMAIN
Query of attributes on MY.DOMAIN failed with 0xc0000034
Failed /GetEncTypeAttr : 0xc0000034

ksetup /AddEncTypeAttr MY.DOMAIN AES128-CTS-HMAC-SHA1-96
Query of attributes on MY.DOMAIN failed with 0xc0000034
Failed /AddEncTypeAttr : 0xc0000034

So I was messing around with klist on the machines that couldn't log in and were throwing the error on the Domain Controller.

klist
Current LogonId is 0:0x123456789
Cached Tickets: (0)

Then I ran it on any of our other machines that did not have the new GPO changes and was a bit surprised to see everything in my domain is already using AES256...

Current LogonId is 0:0x123456789
Cached Tickets: (1)
#0>     Client: USER_ACCOUNT @ MY.DOMAIN
        Server: krbtgt/MY.DOMAIN @ MY.DOMAIN
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 6/15/2016 9:47:25 (local)
        End Time:   6/15/2016 19:47:25 (local)
        Renew Time: 6/22/2016 9:47:25 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

So while my KDC is not advertising that it does AES, once a machine talks to it, it then actually starts using AES.  I went back to that GPO value I set and added RC4 to let it request RC4, and as soon as I did that those test machines all started talking to the KDC, got new tickets, the popup stopped showing, and all of the tickets were AES.

So, yippee, I'm actually running at the level I was trying to enforce, but in order to do it I have to allow the ability to downlevel to RC4...

I've done a bunch of research online and I can't seem to figure out how to get the KDC to correctly report what it supports so that I can remove the usage of RC4.


Systems Administrator Senior - University of Central Florida
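To make the event text quoted in this post concrete, here is an added Python helper; it is not from the forum post and not Microsoft code. It pulls the two etype lists out of the KDC event message quoted above, decodes the bitmask that the "Configure encryption types allowed for Kerberos" policy writes (same bit layout as msDS-SupportedEncryptionTypes), and reports which etypes the client's request and the account's stored keys have in common. The etype numbers follow the IANA Kerberos registry; the two negative values are Windows-private RC4 variants named here after the kerbcon.h constants. The checkbox names in POLICY_BITS are my own labels for the policy's checkboxes.

```python
import re

# IANA Kerberos etype numbers (RFC 3961 registry) plus the Windows-private
# negative RC4 variants (named after the kerbcon.h constants) that show up in
# the "available etypes" list of KDC event 14.
ETYPE_NAMES = {
    1: "DES-CBC-CRC",
    3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC",
    -128: "RC4-MD4 (Windows-private)",
    -133: "RC4-HMAC-OLD (Windows-private)",
}

# Checkbox label (my own naming) -> bit in the policy value written by
# "Network security: Configure encryption types allowed for Kerberos".
POLICY_BITS = {
    "DES_CBC_CRC": 0x01,
    "DES_CBC_MD5": 0x02,
    "RC4_HMAC": 0x04,
    "AES128": 0x08,
    "AES256": 0x10,
    "FUTURE": 0x7FFFFFE0,   # the "Future encryption types" checkbox
}
BIT_TO_ETYPE = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}

_ETYPE_LISTS = re.compile(
    r"The requested etypes\s*:\s*([-\d\s]+?)\.\s*"
    r"The accounts available etypes\s*:\s*([-\d\s]+?)\."
)


def policy_value(*checked):
    """Bitmask the policy writes for the given set of checked boxes."""
    value = 0
    for box in checked:
        value |= POLICY_BITS[box]
    return value


def decode_policy(value):
    """Etype numbers enabled by a policy / msDS-SupportedEncryptionTypes value."""
    return sorted(etype for bit, etype in BIT_TO_ETYPE.items() if value & bit)


def parse_event_etypes(message):
    """Return (requested, available) etype lists from a KDC event 14 message."""
    m = _ETYPE_LISTS.search(message)
    if m is None:
        raise ValueError("message does not contain the two etype lists")
    requested = [int(tok) for tok in m.group(1).split()]
    available = [int(tok) for tok in m.group(2).split()]
    return requested, available


def usable_etypes(requested, available):
    """Etypes the KDC can honour: requested by the client AND keyed on the account."""
    return [e for e in requested if e in available]


def _names(etypes):
    return [ETYPE_NAMES.get(e, f"unknown({e})") for e in etypes]


def explain(message):
    """Summarise an event 14 message: what was asked for, what exists, what overlaps."""
    requested, available = parse_event_etypes(message)
    usable = usable_etypes(requested, available)
    return {
        "requested": _names(requested),
        "available": _names(available),
        "usable": _names(usable),
        "ticket_possible": bool(usable),
    }


# The KDC event text quoted in the post above, reused here as sample input.
EVENT_14 = (
    "While processing an AS request for target service krbtgt, the account "
    "USER_ACCOUNT did not have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 1). The requested etypes : 18  17  3. "
    "The accounts available etypes : 23  -133  -128. Changing or resetting the "
    "password of USER_ACCOUNT will generate a proper key."
)

if __name__ == "__main__":
    print(explain(EVENT_14))
    aes_only = policy_value("AES128", "AES256", "FUTURE")
    with_rc4 = policy_value("RC4_HMAC", "AES128", "AES256", "FUTURE")
    print(hex(aes_only), _names(decode_policy(aes_only)))
    print(hex(with_rc4), _names(decode_policy(with_rc4)))
```

Run against the quoted event, the client side requests AES256, AES128 and DES-CBC-MD5, the account only has RC4-derived keys, and the overlap is empty, so no AS-REQ can succeed. Adding the RC4 checkbox puts etype 23 back into the request, which is exactly the state the post describes as working; the event's own last sentence names the other way out, a password change that generates an AES key for the account.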

DC Shutdown


Hello,

I have a scenario where I need to shut down 5 DCs for a datacenter move; they will all be brought back online within 6 hours (at the latest).

Site1 > dc1, dc2, dc3  all dcs in site shutdown.

Site2 > dc4, dc5  > all dcs in site shutdown.

Site3 > dc6, dc7 > all dcs in site remain up.

Before shutdown, I am moving all fsmo roles to dc6 (currently on DC1). No IP settings are changing.

Is there anything else I need to do to prepare for this?

thanks,

Zach

AD LDS - Sync from AD?


Like many of you, we continue to get in new apps that are looking for specific attributes that would require extending the schema, and rather than do that, I'd like to figure out AD LDS, but I'm having only a little luck in doing so.

I used the two following links as resources:

https://windorks.wordpress.com/2014/09/02/syncing-lds-to-ad-ds/

https://blogs.technet.microsoft.com/askds/2012/11/12/adamsync-101/

I have a specific OU structure in AD DS that I'd like to Sync to the LDS instance, but if I specify that OU structure, I end up with a synclog message of:

Ldap error occured.  ldap_search_ext_s: Unwilling to Perform.

That results in nothing synced.

However, if I change the MS-AdamSyncConf.xml's "source-ad-partition" to just my "Base" domain's LDAP FDN (DC=cc,DC=mytestdomain,DC=org), the "guest" account from the Domain Controller's AD will sync... so I can sort of get something to sync, but obviously I'm missing a thing or two.

Any ideas from those that conquered the mountain of mystery that is LDS?

Thank you

List out all email addresses along with user properties while extracting group membership


I have a very specific requirement: I'm working on an environment that has AD 2012 and Exchange 2010 SP3. I have a distribution group, whose membership I have to extract—recursively. However, while doing this, I also need all the email addresses a certain user has. I'm using the following query; I'm making a major mistake somewhere in the script. I need help with the right one.

function Get-RecursiveGroupMembership
{
    $Members = Get-ADGroupMember 'The Huge Group' -Recursive |
        Get-ADUser -Properties Name, EmailAddress, Office, Department, City, Company, EmployeeNumber, Enabled, Manager, StreetAddress, Title |
        Select-Object Name, Enabled, SamAccountName, EmailAddress, EmployeeNumber, Title, Department, Office, City, Company, StreetAddress, Manager

    foreach ($Member in $Members)
    {
        # -join flattens the address collection to one string; piping to Select-Object
        # left a nested object, which is what Export-Csv rendered as @{EmailAddresses=System.Object[]}
        New-Object PSObject -Property @{
            "Name"                  = $Member.Name
            "User ID"               = $Member.SamAccountName
            "Email Address"         = $Member.EmailAddress
            "Office"                = $Member.Office
            "Department"            = $Member.Department
            "City"                  = $Member.City
            "Company"               = $Member.Company
            "Employee Number"       = $Member.EmployeeNumber
            "Status"                = $Member.Enabled
            "Manager"               = $Member.Manager
            "Street Address"        = $Member.StreetAddress
            "Title"                 = $Member.Title
            "Other Email Addresses" = (Get-Recipient -ResultSize Unlimited -Identity $Member.SamAccountName).EmailAddresses -join ';'
        }
    }
}
Get-RecursiveGroupMembership

In particular, I need help with the Other Email Addresses part. When I export it to CSV, the column gets @{EmailAddresses=System.Object[]} instead of all the email addresses tagged to that person, and those in separate columns.

I get @{EmailAddresses=smtp:email@domain.com;smtp:emailtwo@domaintwo.net;smtp:email@domaintwo.net;smtp:email@domainthree.com}, all in the same cell. I need them formatted more cleanly, and in different columns.

Making another zone in AD DNS question


Hi All,

This is only partially an AD question but here goes:

I have a DMZ network with two Windows Servers running the DNS role. They're for public-facing services such as ADFS Proxy, etc. So the domain name is: MYNAME.COM

In my LAN, I have Active Directory and Active Directory-integrated DNS: GLOBAL.MYNAME.COM

How could I make another zone for MYNAME.COM on AD DNS, so that I can make a split-brain DNS environment?

Thanks
