Channel: Directory Services forum

Operations Masters Error


Hello,

I have 3 domain controllers currently in our domain: DC1, DC2, DC3. DC1 was the first DC in our domain and has been active for the past 6 years, but we now want to power this down because we are moving out of the datacenter housing that DC, while DC2 and DC3 will remain active.

I just went to check the operations masters and I see on the RID, PDC, and Infrastructure tabs that the operations master states "Error", and below that it shows DC1, but it also states "The current operations master is offline. The role cannot be transferred." Also, when I go to MMC and open Active Directory Schema I see that DC1 is the master there as well. But when I attempt to open Active Directory Domains and Trusts I get an error:

"You cannot modify domain or trust information because the Primary Domain Controller (PDC) emulator cannot be contacted. Please verify that the PDC emulator for the current domain and the network are both online and functioning properly."

The goal here is to change all of the operations roles to DC2, but as of right now it looks like the operations roles are in an error state and I would like to get them out of that error state before moving forward.
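
The situation above (all five role holders point at a DC that no longer answers) is what the following added example handles; it is not part of the original post. It lists the current holders, tests whether DC1 is still reachable on LDAP, and transfers the roles to DC2 with a graceful transfer when it is, or a seize when it is not. DC1 and DC2 are the names from the post; the ActiveDirectory module (RSAT) and Domain Admins plus Enterprise Admins rights (the schema and domain naming roles are forest-wide) are assumed.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and an account that is a member of Domain Admins and Enterprise Admins.
Import-Module ActiveDirectory

$OldHolder = 'DC1'   # DC being decommissioned (from the post)
$NewHolder = 'DC2'   # DC that should own the roles (from the post)

# 1. Show who holds what right now, as AD sees it.
$domain = Get-ADDomain
$forest = Get-ADForest
[PSCustomObject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# 2. A clean transfer needs LDAP to the current holder. If it is gone, only a seize is left.
$reachable = Test-NetConnection -ComputerName $OldHolder -Port 389 -InformationLevel Quiet

$roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'

if ($reachable) {
    # Graceful transfer: both DCs agree on the new owner, no risk of two holders.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder -OperationMasterRole $roles -Confirm:$false
} else {
    # Seize: only when the old holder is gone for good. A DC whose roles were seized must
    # never come back online without being demoted / cleaned up (ntdsutil metadata cleanup)
    # first, or you end up with two RID/PDC masters.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder -OperationMasterRole $roles -Force -Confirm:$false
}

# 3. Confirm from a vantage point other than the new holder itself.
netdom query fsmo
```

The "offline" message in the snap-in means the UI tried to contact DC1 to negotiate the transfer; the role data in AD is fine, so once the roles are on DC2 the error disappears on its own.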


Slow Intrasite replication


Hi,


I am trying to diagnose an issue with slow replication between AD DS GC servers. They are on different subnets, connected via a high-speed WAN link over VPN.


Within Sites and services they are all defined properly.


I have found many articles on the differences between site to site replication and intrasite, but not how to debug beyond using DCDIAG, which reports as healthy. Repadmin shows very low replication times.


Any thoughts or suggestions would be appreciated.
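
As an added example that is not part of the original post, the following PowerShell collects the data dcdiag does not show: whether the two GCs are really in the same site (intrasite partners notify each other within seconds; intersite partners wait for the site-link interval), what is sitting in the inbound replication queue, per-partner last-success and failure counters, and a measured end-to-end latency using a pre-created test object. DC-A, DC-B and the probe object's DN are assumed names.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module, two DC
# names standing in for the poster's GCs, and a throw-away object created for probing.
Import-Module ActiveDirectory
$Source = 'DC-A'                                       # assumed
$Target = 'DC-B'                                       # assumed
$Probe  = 'CN=ReplProbe,OU=Test,DC=example,DC=com'     # assumed pre-created test object

# 1. Same site or not? This decides whether notification-based (intrasite) or
#    schedule-based (intersite) replication applies, and therefore what "slow" means.
foreach ($dc in $Source, $Target) {
    Get-ADDomainController -Identity $dc | Select-Object Name, Site, IPv4Address
}
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated

# 2. Anything queued inbound on the target? A long queue means the DC is busy, not slow links.
Get-ADReplicationQueueOperation -Server $Target

# 3. Per-partner, per-partition: last attempt vs last success and consecutive failures.
Get-ADReplicationPartnerMetadata -Target $Target -Scope Server -PartnerType Inbound |
    Select-Object Partition, Partner, LastReplicationAttempt, LastReplicationSuccess,
                  ConsecutiveReplicationFailures, LastReplicationResult |
    Format-Table -AutoSize

# 4. Measure real latency: stamp the probe on the source, poll the target until it shows up.
$stamp = (Get-Date).ToString('o')
Set-ADObject -Identity $Probe -Replace @{ adminDescription = $stamp } -Server $Source
$sw = [System.Diagnostics.Stopwatch]::StartNew()
do {
    Start-Sleep -Seconds 5
    $seen = (Get-ADObject -Identity $Probe -Properties adminDescription -Server $Target).adminDescription
} while ($seen -ne $stamp -and $sw.Elapsed.TotalMinutes -lt 30)
"Change written on $Source was visible on $Target after $([int]$sw.Elapsed.TotalSeconds) s"
```

If step 1 shows the two servers in different sites, the latency in step 4 will track the site link's replication interval (15 minutes minimum unless change notification is enabled on the link), which repadmin will still report as healthy.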

Kerberos Event ID 4768


My primary question is:


Should an Event ID 4768 be generated when switching a laptop from a wired to a wireless interface and from wireless to wired? If so, how do I troubleshoot the lack of said events in my domain controller event logs?

Particulars:

I am working with an application that uses Event 4768 to capture the IP address of the computers logged onto and map it to the username. It captures most of the mappings needed, but in one instance the application cannot create a mapping.

I've confirmed from my Domain Controller Security Logs that there is no Event ID 4768 generated when a computer changes the interface used to connect to the network. When laptops are moved around the network, there is no Event ID 4768 logged. The biggest example of this is when a laptop is "undocked." When "undocked," the interface changes from its 10/100/1000 Ethernet to its Wireless Ethernet. There is another smaller use case with PCs that start out in a conference room and then dock. In these instances, each time a "docking" or "undocking" occurs, the IP address changes. With no Event ID 4768, the mapping between IP address and username is incorrect.

The vendor of the application believes this is a problem with Active Directory event logging.  The vendor says that there should be an Event ID 4768 when a computer changes interfaces. 

My testing:

Logging onto a PC  - Event 4768 generated

Locking and Unlocking a PC - Event 4768 generated

"Runas" on a PC - Event 4768 Generated 

Switch from wired to wireless - No event 4768 generated 

Switch from wireless to wired - No event 4768 generated.

Is my testing showing a correctly functioning Security Event Log from AD, or is there something I need to troubleshoot?

Any help is appreciated.

Steve
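
An added example, not from the original post: a TGT is cached on the client for its lifetime and is not tied to the client's IP address, so a NIC change by itself produces no new AS-REQ and therefore no 4768. Service-ticket requests (Event 4769) are logged far more often, including when the client reconnects to a share or web app after the address change, and they carry the same IpAddress field. The script below builds a user-to-client-IP map from both event IDs on a DC, normalising the IPv4-mapped IPv6 form Windows writes into that field. The DC name defaults to the local machine (assumed).

```powershell
# Added example (not from the original post). Builds a user -> client IP map from
# Kerberos events on a DC. 4768 = TGT request (only when a TGT is actually requested);
# 4769 = service-ticket request (every new service ticket, also carries IpAddress).
param(
    [string]$Computer = $env:COMPUTERNAME,   # the DC to read; assumed local
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4768, 4769
    StartTime = (Get-Date).AddHours(-$Hours)
}

function Get-EventField {
    param([xml]$Data, [string]$Name)
    ($Data.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Normalize-ClientAddress {
    param([string]$Addr)
    # IPv4 clients appear as IPv4-mapped IPv6 ("::ffff:10.1.2.3") in these events.
    if ($Addr -like '::ffff:*') { return $Addr.Substring(7) }
    return $Addr
}

$map = @{}
Get-WinEvent -ComputerName $Computer -FilterHashtable $filter | ForEach-Object {
    $xml    = [xml]$_.ToXml()
    $user   = Get-EventField $xml 'TargetUserName'
    $status = Get-EventField $xml 'Status'
    $ip     = Normalize-ClientAddress (Get-EventField $xml 'IpAddress')

    # Skip failures (0x0 = success), computer accounts (trailing $) and loopback requests.
    if ($status -ne '0x0' -or $user -match '\$' -or $ip -in '127.0.0.1', '::1') { return }

    # 4769 writes the user as user@REALM; strip the realm so both IDs key the same way.
    $user = ($user -split '@')[0].ToLower()

    if (-not $map.ContainsKey($user)) { $map[$user] = [ordered]@{} }
    $map[$user][$ip] = $_.TimeCreated    # latest sighting of this (user, ip) pair wins
}

# One row per (user, ip) with the last time that pairing was seen on this DC.
foreach ($u in $map.Keys | Sort-Object) {
    foreach ($ip in $map[$u].Keys) {
        [PSCustomObject]@{ User = $u; ClientIP = $ip; LastSeen = $map[$u][$ip]; Source = $Computer }
    }
}
```

Run it against every DC (or a forwarded-log collector), since a client may obtain its TGT from one DC and its service tickets from another. Lock/unlock and runas show up as 4768 in the poster's tests because each of those triggers a fresh AS-REQ; an address change alone does not.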

Why does gpsvc send traffic to WNS (Windows Push Notification Services)?

When a client joins the domain and restarts, gpsvc sends TLS traffic to WNS (Windows Push Notification Services, *.wns.windows.com). Why does gpsvc send traffic to WNS? If we block the traffic to WNS, will it impact Group Policy's function? Thanks

Add-kdsrootkey child domain


Hi,

I have the following configuration. 

Forest: ms-opsmgr.eu
Domain: ms-opsmgr.eu
Child Domain: dev.ms-opsmgr.eu

Now I want to start using Managed Service accounts. 

When I run the following command on the domain controller in the ms-opsmgr.eu domain, add-kdsrootkey((get-date).addhours(-10)), everything works fine.

When I run the command add-kdsrootkey((get-date).addhours(-10)) in the child domain dev.ms-opsmgr.eu, I get the error "Request not supported". The user is a member of the Domain Admins group and I run the PowerShell command as administrator.

What am I doing wrong?

Hope someone can help me?

Greetings Roel Knippen


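
The KDS root key is stored in the forest's Configuration partition and is created once per forest, not once per domain; a child domain's DCs use the forest root's key. The following added example (not part of the original post) checks from any DC whether a usable root key already exists, creates one in the forest root only if none does, and then creates a gMSA in the child domain named in the post with retrieval restricted to one host group. The group, host and service-account names are assumed.

```powershell
# Added example (not from the original post). The KDS root key is forest-wide, so
# ms-opsmgr.eu (forest root) needs one and dev.ms-opsmgr.eu does not.
Import-Module ActiveDirectory

# 1. Does a root key already exist and is it effective? Test-KdsRootKey returns $true
#    once the key's EffectiveTime has passed on this DC.
$keys = Get-KdsRootKey
$keys | Select-Object KeyId, EffectiveTime, CreationTime

$usable = $keys | Where-Object { Test-KdsRootKey -KeyId $_.KeyId }
if (-not $usable) {
    # Run in the forest root domain with Enterprise Admins rights. Backdating by 10 h is
    # the lab shortcut from the post; in production let the 10-hour window elapse so every
    # DC has the key before any gMSA password is derived from it.
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# 2. Create the gMSA in the child domain. No second root key is needed there.
$childDC   = (Get-ADDomainController -DomainName 'dev.ms-opsmgr.eu' -Discover).HostName[0]
$hostGroup = New-ADGroup -Name 'gMSA-Web-Hosts' -GroupScope Global -Server $childDC -PassThru   # assumed
Add-ADGroupMember -Identity $hostGroup -Members 'WEB01$' -Server $childDC                          # assumed host

New-ADServiceAccount -Name 'svc-web01' -DNSHostName 'svc-web01.dev.ms-opsmgr.eu' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -Server $childDC

# 3. On WEB01, after a reboot so its new group membership is in its token:
#    Install-ADServiceAccount svc-web01 ; Test-ADServiceAccount svc-web01
```

Restricting password retrieval to a group rather than to individual computer objects keeps the gMSA's password from being readable by every domain member, which is the whole point of using one.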

ADC replication using 20-30 GB in 24 hours


I have 186 ADCs.

Replication is using high bandwidth; the total utilization is approximately 20-30 GB a day.

Cannot Get External Time Sync To Work With PDC - No Matter What


We have a really strange issue here with our setup on our new 2012 R2 DC with the PDC role. We cannot get it to synchronise with an external time source and it always reverts to Local CMOS Clock.

Firstly, it's important to mention that this machine is running as a VM under ESXi 6.0 which has "Synchronize guest time with host" switched off under the VM properties.

These are the steps I have run through and where I am with it.

C:\Windows\system32>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

C:\Windows\system32>w32tm /unregister
W32Time successfully unregistered.

C:\Windows\system32>w32tm /register
W32Time successfully registered.

C:\Windows\system32>net start w32time
The Windows Time service is starting..
The Windows Time service was started successfully.

C:\Windows\system32>w32tm.exe /config /manualpeerlist:"1.uk.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
The command completed successfully.

C:\Windows\system32>w32tm /config /update
The command completed successfully.

C:\Windows\system32>w32tm /query /peers
#Peers: 4

Peer: 1.uk.pool.ntp.org
State: Active
Time Remaining: 44.6093371s
Mode: 1 (Symmetric Active)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

Peer: 1.uk.pool.ntp.org
State: Active
Time Remaining: 44.7187111s
Mode: 1 (Symmetric Active)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

Peer: 1.uk.pool.ntp.org
State: Active
Time Remaining: 44.8280879s
Mode: 1 (Symmetric Active)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

Peer: 1.uk.pool.ntp.org
State: Active
Time Remaining: 44.9374612s
Mode: 1 (Symmetric Active)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

C:\Windows\system32>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 1.uk.pool.ntp.org (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)


C:\Windows\system32>w32tm /resync /force
Sending resync command to local computer
The computer did not resync because no time data was available.

I am under the impression that everything is set correctly so I cannot understand why it refuses to synchronise each time. I have tried different time servers such as time.windows.com and another local one which all achieve the same results.

Once again, time synchronisation within VMware tools is definitely off.
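
Two details in the output above explain the symptom: every peer shows "Mode: 1 (Symmetric Active)" and "Stratum: 0 (unspecified)". With no mode flag after the server name, w32tm defaults to symmetric-active packets, which many public servers (pool.ntp.org members included) are configured to ignore; stratum 0 means no reply has ever been received, which is exactly what "no time data was available" reports. The added example below (not part of the original post) first proves whether the server answers at all, then configures the peer list in client mode (0x8) with a fixed poll interval (0x1), and verifies the result. The server names are the post's; an internal stratum-1 source would be substituted where policy requires it.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the PDC
# emulator. 0x9 = 0x8 (client mode) + 0x1 (use SpecialPollInterval).
$peers = '0.uk.pool.ntp.org,0x9 1.uk.pool.ntp.org,0x9 2.uk.pool.ntp.org,0x9'

# 1. Does anything answer? /stripchart sends real client-mode NTP requests. Timeouts
#    here (error 0x800705B4) mean UDP/123 outbound is blocked or the server ignores us,
#    and no /config change will fix that.
foreach ($p in $peers -split ' ') {
    $server = $p.Split(',')[0]
    w32tm /stripchart /computer:$server /samples:3 /dataonly
}

# 2. Configure: manual peers in client mode, mark this DC as a reliable time source for
#    the forest, then restart the service so NtpClient re-resolves the peers.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time

# 3. Verify: Mode should now be 3 (Client) and Stratum non-zero once a reply arrives.
Start-Sleep -Seconds 15
w32tm /query /peers
w32tm /resync /rediscover
w32tm /query /status /verbose

# 4. Firewall sanity check: list any enabled outbound block rule that covers UDP/123.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' -and $_.RemotePort -contains 123 }
```

The VMICTimeProvider entry in the configuration dump is the Hyper-V integration provider; it only supplies time when the guest runs on Hyper-V, so on ESXi it is inert and not the cause here. Also check the perimeter firewall: a DC that can resolve 1.uk.pool.ntp.org but never gets a reply is usually being blocked on UDP/123 upstream.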

Hide headers on ADFS 3.0


Hi,

I would like to hide the information on my ADFS server such as Server : Microsoft-HTTPAPI/2.0

But I couldn't find a way to do it.

I already tried the registry key...

Thanks


Setup DFS, new AD site


Good morning all.

I would like to ask some questions; I am new to DFS implementation.

I currently have one main site and a branch office, connected via VPN.

The WAN link often goes down or is very, very slow, so we would like to implement DFS with a node at the branch office.

I cannot use the branchcache feature because the server in the main site is a 2008, not R2. I would like to know if I am on the right way.

First I will deploy the new server at the main site, join it to the domain as a member and synchronize the data between the two servers.

Then I will create the new AD site, bring the new server to the branch office, make it a domain controller and create the DFS structure and replication.

Is this procedure correct?

Thanks in advance.

Regards,

Luca

Domain Group Policy not applying on another PC for the same user account


Hi,

I've set up a group policy for each of our departments.

Users in the right OU, the policy linked to the container - very simple drive mapping

The policy works fine for user1, user2, user3 ... on PC1

However the same policy does not work on PC2 for any of the above users.

gpresult /R shows that the client PC sees users being in right domain/OUs

gpupdate /force shows successful on PC2; however, it doesn't ask to log off as it does on PC1.

The mapped drive does not apply on PC2.

rsop on PC2 with any of the clients shows access denied

The Group Policy Results on the server side pointed at PC2 show "RPC server is unavailable".

It also says to check if Windows Management Instrumentation is enabled <- not sure on that one, where it is in the system.

If you could throw more light on this situation I would be very grateful.

With regards, Peter
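
The "RPC server is unavailable" from Group Policy Results and the "access denied" from rsop.msc are both about reaching and querying WMI on PC2, not about the GPO itself. The following added example (not part of the original post) works through those checks from an admin workstation with the GroupPolicy RSAT module: name resolution and the RPC endpoint mapper port, the WMI service and its firewall rule group on PC2, an RSoP report that lists denied GPOs with the reason, and the Group Policy operational log on PC2. PC2 and user1 are the post's names; the domain prefix is assumed.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module (RSAT),
# admin rights on PC2, and PowerShell remoting enabled on PC2 for step 2b.
Import-Module GroupPolicy
$Computer = 'PC2'
$User     = 'CONTOSO\user1'     # assumed domain prefix

# 1. "RPC server is unavailable" = GPMC could not reach the endpoint mapper (TCP 135) or
#    the dynamic RPC ports behind it. Check name resolution and 135 first.
Resolve-DnsName $Computer -ErrorAction Stop | Select-Object Name, IPAddress
Test-NetConnection -ComputerName $Computer -Port 135 | Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 2a. Is WMI running on PC2?
Get-Service -ComputerName $Computer -Name Winmgmt | Select-Object Name, Status
# 2b. Is the inbound WMI firewall rule group enabled on PC2?
Invoke-Command -ComputerName $Computer -ScriptBlock {
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
        Select-Object DisplayName, Enabled, Direction, Profile
}

# 3. Once WMI is reachable: an HTML RSoP report for the user on PC2. Its "Denied GPOs"
#    section names the drive-mapping GPO and why it was filtered (security, WMI filter,
#    disabled link, inaccessible SYSVOL share...).
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Html `
    -Path "$env:TEMP\rsop-$Computer.html"

# 4. rsop.msc run on PC2 by a non-admin returns "access denied"; run it elevated, or read
#    the Group Policy operational log, which records the failing CSE and error code.
Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2, 3                        # errors and warnings
    StartTime = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A mapped-drive preference that applies on PC1 but not PC2 for the same users, with gpupdate reporting success, usually comes down to the user-side CSE failing on PC2; the operational log in step 4 shows which one and with what error.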


Is there a 3rd Party tool that allows Password reset Self Service for AD LDS users


Hi All,

Does anyone know if there is a 3rd-party tool that allows AD LDS users to change/reset their passwords by themselves?

So far I have tried the solution by The DotNet Factory, http://www.adselfservicesuite.com/mypassword.aspx, but had issues connecting to port 636.

Kind Regards

Louis


thanks


Active Directory password change by schedule automation


Hi,

Is anyone familiar with a tool or PowerShell script with which I can schedule a password change for an AD user?

For example: I have a user that leaves the company at the end of the day. I want to execute a command to change his password at the moment I receive the request to close his account.

Thanks!
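
An added example, not part of the original post: the offboarding described above as a one-shot scheduled task that, at the given time, resets the account's password to a random value nobody knows and disables the account. It requires the ActiveDirectory module on the host running the task and a service account with "Reset password" and "Write account restrictions" delegated on the users' OU. The user name, time, script path and task account are assumed.

```powershell
# Added example (not from the original post). Writes the offboarding script to disk and
# registers a one-time scheduled task that runs it under a least-privilege account.
param(
    [string]$SamAccountName = 'jdoe',                         # assumed
    [datetime]$When = (Get-Date).Date.AddHours(18),           # today 18:00, assumed
    [string]$ScriptPath = 'C:\Scripts\Offboard-User.ps1',     # assumed
    [string]$TaskAccount = 'CONTOSO\svc-offboard'             # assumed; not a Domain Admin
)

# The script the task will execute. Single-quoted here-string: written out verbatim,
# so the $(...) expressions run at task time, not now.
$offboard = @'
param([Parameter(Mandatory)][string]$Sam)
Import-Module ActiveDirectory

# 32 random bytes -> base64: ~43 characters that nobody knows or needs to know.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

Set-ADAccountPassword -Identity $Sam -Reset -NewPassword $newPwd
Disable-ADAccount -Identity $Sam
Set-ADUser -Identity $Sam -Replace @{ description = "Offboarded $(Get-Date -Format s)" }

# Kerberos tickets already issued stay valid until they expire (TGT max 10 h by default):
# this stops new logons, not sessions that are already open. Terminate those separately.
Add-Content -Path "$PSScriptRoot\offboard.log" -Value "$(Get-Date -Format s) reset+disabled $Sam"
'@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $offboard -Encoding UTF8

# Register the one-shot task. The credential prompt is for the task account.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Sam $SamAccountName"
$trigger = New-ScheduledTaskTrigger -Once -At $When
$cred    = Get-Credential -UserName $TaskAccount -Message 'Password for the task account'
Register-ScheduledTask -TaskName "Offboard-$SamAccountName" -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest
```

Resetting to a random value rather than a known "disabled" password means there is nothing to leak, and disabling the account alongside it matters because a password reset alone leaves cached Kerberos tickets and any saved credentials unaffected until they expire.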

Configuring Kerberos Authentication for certsrv web application


I'm trying to configure Kerberos authentication for use with the certsrv web application on Windows Server 2012R2. I've set the providers to be Negotiate:Kerberos in the Authentication settings in IIS for certsrv yet every time I try to login using Kerberos I get an Invalid Username/Password error. This does not happen when I login using NTLM. 

Any guidance?
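
Kerberos to an IIS site needs an HTTP/<host name in the URL> SPN on the account the application pool runs as: the machine account when kernel-mode authentication is on with the default identity (the certsrv default), or the custom identity otherwise. A missing or duplicated SPN makes Negotiate fall back to NTLM, and a site restricted to Kerberos then fails the logon. The following added example (not part of the original post) checks the SPN ownership in AD, then confirms from a client whether a service ticket for the site was actually obtained, and finally looks for the matching 4769 failure on the DC. Host and server names are assumed.

```powershell
# Added example (not from the original post). Needs the ActiveDirectory module; step 2
# is run on a domain-joined client, step 3 on (or against) a DC.
Import-Module ActiveDirectory
$SiteHost   = 'pki.contoso.com'      # the name users type in the URL (assumed)
$ServerName = 'CA01'                 # the CA's computer name (assumed)

# 1. Who owns HTTP/<host>? Exactly one account must have it.
$spn    = "HTTP/$SiteHost"
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
            Select-Object Name, ObjectClass)
switch ($owners.Count) {
    0       { "No account has $spn. Register it on the identity the app pool runs as, e.g.  setspn -S $spn $ServerName`$" }
    1       { "$spn is registered on $($owners[0].Name) ($($owners[0].ObjectClass))." }
    default { "DUPLICATE SPN: $spn on $($owners.Name -join ', '). Kerberos will fail until only one remains." }
}

# 2. From a client: purge tickets, hit the site with the logged-on user's credentials, and
#    see whether a service ticket for HTTP/<host> appeared. None => Negotiate used NTLM.
klist purge | Out-Null
try {
    Invoke-WebRequest -Uri "https://$SiteHost/certsrv/" -UseDefaultCredentials -UseBasicParsing | Out-Null
} catch { $_.Exception.Message }
klist | Select-String -Pattern "HTTP/$SiteHost" -Context 0, 3

# 3. On the DC: a 4769 for this service with Status 0x7 (KDC_ERR_S_PRINCIPAL_UNKNOWN)
#    confirms the SPN is not registered anywhere in the realm.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddMinutes(-10) } |
    Where-Object { $_.Message -match [regex]::Escape($SiteHost) } |
    Select-Object TimeCreated, @{ n = 'Status'; e = {
        (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'Status').'#text' } }
```

If the SPN is correct but the site is reached through a DNS alias, register the SPN for the alias, not only for the server's own name; the client asks for a ticket to whatever host name is in the URL.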

Bulk update attribute in AD, best way to get this done?

Hi All

I have a question on something I need to tackle within my enterprise.

We are about to purchase a solution which integrates our smart cards with Active Directory to facilitate room bookings in our building.

For this to work I need to add a specific number as an Active Directory attribute or custom attribute.

Doing this for every user will be a major pain so I am looking at a solution to do this at a bulk level.

I hear products built into Windows like 'csvde' may be able to help or other 3rd party paid tools which have a GUI interface.


I am thinking of using either the 'pager' attribute under AD, Telephones tab, or using a custom attribute field. However, I will need to use the Exchange Administrator tools to view this field, as I believe it's not possible to see this under AD Users and Computers?

As the users are already created, I just need to update the 'pager' or 'custom attribute 1' field without amending any other details. Would this be possible?

I have a test AD environment which is a copy of the live AD environment. I am planning on testing this before I roll out to live production. I have details of users and their card numbers, but I also need to extract a copy of the usernames in AD so I can marry the two data sets together.

Appreciate any advice anyone can give me with this.
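
As an added example that is not part of the original post, the PowerShell below does the two halves of the job described: it exports the existing users with a stable join key so the card list can be matched against them, then reads the matched CSV and writes the card number into one attribute with Set-ADUser -Replace, which leaves every other attribute untouched. It runs with -WhatIf so it can be dry-run in the test forest first. File paths, the CSV columns and the use of employeeID as the join key are assumed.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module and a
# card list CSV with columns EmployeeID,CardNumber.
Import-Module ActiveDirectory

$ExportPath = 'C:\Temp\ad-users.csv'        # assumed
$CardsPath  = 'C:\Temp\cards.csv'           # assumed
$LogPath    = 'C:\Temp\card-update-log.csv' # assumed
$Attribute  = 'pager'                       # or a custom schema attribute

# 1. Export what AD has, to join the card list on employeeID (or sAMAccountName).
Get-ADUser -Filter { Enabled -eq $true } -Properties employeeID, $Attribute |
    Select-Object sAMAccountName, Name, employeeID, $Attribute |
    Export-Csv -Path $ExportPath -NoTypeInformation -Encoding UTF8

# 2. Index users by employeeID once, rather than one LDAP query per CSV row.
$byEmp = @{}
foreach ($u in Get-ADUser -Filter * -Properties employeeID, $Attribute) {
    if ($u.employeeID) { $byEmp[$u.employeeID] = $u }
}

# 3. Update only the accounts in the card list, and only when the value differs.
$results = foreach ($row in Import-Csv $CardsPath) {
    $u = $byEmp[$row.EmployeeID]
    if (-not $u) {
        [PSCustomObject]@{ EmployeeID = $row.EmployeeID; User = $null; Result = 'no matching user' }; continue
    }
    if ($u.$Attribute -eq $row.CardNumber) {
        [PSCustomObject]@{ EmployeeID = $row.EmployeeID; User = $u.sAMAccountName; Result = 'already set' }; continue
    }
    # -Replace rewrites the named attribute only; nothing else on the object changes.
    Set-ADUser -Identity $u -Replace @{ $Attribute = $row.CardNumber } -WhatIf   # remove -WhatIf to apply
    [PSCustomObject]@{ EmployeeID = $row.EmployeeID; User = $u.sAMAccountName; Result = "set $Attribute=$($row.CardNumber)" }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation -Encoding UTF8
$results | Group-Object Result | Select-Object Count, Name
```

One consideration before choosing the attribute: a base-schema attribute such as pager is readable by every authenticated user and cannot be marked confidential, whereas a custom attribute can have the confidentiality bit set so only delegated accounts can read the badge numbers.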

Unknown AD user accounts (deleted in the past) are showing up as S-1-15-21-579150784


Whenever a Windows user account is deleted in a Windows 2008 AD environment, it still shows as "S-1-15-21-579150784-1645022514" (unknown account) in Windows file/folder security. Is it possible to translate these weird numbers to the original AD user name? I need to run a report for files/folders this user created in the past so that I can remove them, or at least ensure that I am removing the right user entries from folder security. And would there be an impact from deleting such entries? Or is there any cleanup utility for AD to clean this up?
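
Once the account object is gone, a SID on an ACL can only be translated back to a name while the deleted object still exists in AD's deleted-objects container (the tombstone lifetime, or the AD Recycle Bin if enabled); after that the SID is permanently orphaned. The added example below (not part of the original post) walks a folder tree, reports every explicit ACE whose principal no longer resolves, tries the live directory and then the deleted objects for a name, and removes those ACEs only when run with -Remove. The root path and the SID format are constructed for illustration.

```powershell
# Added example (not from the original post). Needs the ActiveDirectory module and
# rights to read (and, with -Remove, write) the ACLs under $Root.
param(
    [string]$Root = 'D:\Shares\Projects',   # assumed
    [switch]$Remove
)
Import-Module ActiveDirectory

$cache = @{}
function Resolve-Sid([string]$Sid) {
    if ($cache.ContainsKey($Sid)) { return $cache[$Sid] }
    $name = try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $null }
    if (-not $name) {
        # Deleted objects keep their objectSid until the tombstone / Recycle Bin lifetime expires.
        $del = Get-ADObject -IncludeDeletedObjects -Filter "objectSid -eq '$Sid'" `
                            -Properties sAMAccountName, whenChanged -ErrorAction SilentlyContinue
        if ($del) { $name = "DELETED: $($del.sAMAccountName) (around $($del.whenChanged))" }
    }
    $cache[$Sid] = $name
    return $name
}

# Directories only: file-level explicit ACEs would need Get-ChildItem -File as well.
$orphans = foreach ($dir in Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        # Get-Acl returns unresolvable principals as SecurityIdentifier instead of NTAccount.
        if ($ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier] -and -not $ace.IsInherited) {
            $sid = $ace.IdentityReference.Value
            [PSCustomObject]@{
                Path     = $dir.FullName
                SID      = $sid
                WasNamed = Resolve-Sid $sid
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
            }
            if ($Remove) {
                # Only explicit ACEs are removed; inherited copies disappear with the parent's.
                $acl.RemoveAccessRule($ace) | Out-Null
                $changed = $true
            }
        }
    }
    if ($changed) { Set-Acl -LiteralPath $dir.FullName -AclObject $acl }
}
$orphans | Format-Table -AutoSize
```

Removing an orphaned ACE has no effect on any current user, since no live account carries that SID; the one exception is a SID that was added to another account's sIDHistory (for example after a migration), which the Translate step would still resolve to a name.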


8524 The DSA operation is unable to proceed because of a DNS lookup failure.


I have newly dcpromo'd a DC at the DR site to join our domain. After that I checked my DC event logs and found the errors shown below:

I also searched the web and many suggest that it's a CNAME or DNS issue. But I have no clue what exactly to check for CNAME or DNS. Please help.

Thanks

Kin

____________________________________________________________________________

The attempt to establish a replication link for the following writable directory partition failed.
Directory partition:
DC=domain,DC=local
Source directory service:
CN=NTDS Settings,CN=WN2QADDN1AP0001,CN=Servers,CN=WuHanDRSiteLink,CN=Sites,CN=Configuration,DC=domain,DC=local
Source directory service address:
b6bfd3d6-ea13-4b7c-bb0e-e0b8fde1d323._msdcs.domain.local
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=local
 
This directory service will be unable to replicate with the source directory service until this problem is corrected.
 
User Action
Verify if the source directory service is accessible or network connectivity is available.
 
Additional Data
Error value:
8524 The DSA operation is unable to proceed because of a DNS lookup failure.

___________________________________________________________________

Replication Summary

Replication Summary Start Time: 2016-08-04 18:30:32

Beginning data collection for replication summary, this may take awhile:
  .......

Source DSA          largest delta    fails/total %%   error
 HKSCADDNP1                43m:08s    0 /  10    0
 HKSCADDNP2                43m:11s    0 /  10    0
 HKSCADDNP3                44m:55s    0 /   5    0
 WN2QADDN1AP0001     (unknown)        0 /   3    0

Destination DSA     largest delta    fails/total %%   error
 HKSCADDNP1                43m:11s    0 /   8    0
 HKSCADDNP2                44m:55s    0 /   5    0
 HKSCADDNP3                37m:05s    0 /  10    0
 WN2QADDN1AP0001           43m:09s    0 /   5    0

 ___________________________________________________________________________
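
The event names exactly what the destination could not resolve: the source DSA's GUID-based CNAME under _msdcs (b6bfd3d6-…_msdcs.domain.local), which must point at the source DC's host A record. The "(unknown)" largest delta for WN2QADDN1AP0001 as a source in the summary agrees: nobody has pulled from it yet. The following added example (not part of the original post) checks the DNS servers the new DC is using, the CNAME and A record chain, reachability on the ports replication uses, and the SRV records, then retries the link. The names and GUID are those in the event text; the forest root is assumed to equal the domain.

```powershell
# Added example (not from the original post). Run on the new DR-site DC.
$Domain     = 'domain.local'
$SourceDsa  = 'WN2QADDN1AP0001'
$DsaGuid    = 'b6bfd3d6-ea13-4b7c-bb0e-e0b8fde1d323'
$ForestRoot = $Domain      # the _msdcs zone lives under the forest root; assumed single-domain forest

# 0. Which DNS servers does this DC ask? A freshly promoted DC pointing only at itself,
#    before its own zones have replicated in, cannot resolve anything yet.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# 1. GUID CNAME -> host A record. Both must exist on the servers listed above.
$cname = Resolve-DnsName -Name "$DsaGuid._msdcs.$ForestRoot" -Type CNAME -ErrorAction SilentlyContinue
if (-not $cname) {
    "MISSING: $DsaGuid._msdcs.$ForestRoot CNAME. On $SourceDsa run 'ipconfig /registerdns' and restart " +
    "Netlogon to re-register it, and check that the _msdcs zone is replicating to the DNS servers used here."
} else {
    $target = ($cname | Where-Object NameHost | Select-Object -First 1).NameHost
    "CNAME -> $target"
    $a = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue
    if (-not $a) { "MISSING: A record for $target" } else { "A -> $(($a | Where-Object IPAddress).IPAddress -join ', ')" }
}

# 2. Can the source be reached on RPC endpoint mapper, LDAP and SMB? The dynamic RPC
#    range (49152-65535 by default) must also be open between the sites.
foreach ($port in 135, 389, 445) {
    Test-NetConnection -ComputerName "$SourceDsa.$Domain" -Port $port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# 3. Generic DC locator records must list the source DC.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV | Select-Object NameTarget, Port, Priority

# 4. Retry the link once the records resolve.
repadmin /replicate $env:COMPUTERNAME "$SourceDsa.$Domain" "DC=domain,DC=local"
```

If step 1 fails only on the new DC but succeeds on the hub DCs, the problem is which DNS servers the new DC is configured to use (step 0); if it fails everywhere, the record was never registered or the _msdcs zone is not replicating to that server.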

How to know the server where the user has logged on


Hello:

  I'd like to know if there is a way to know the server where a user has logged on.

  From the user's computer, there is the "LOGONSERVER" variable.

  But can I ask Active Directory which server the user has logged on to?

    Thanks


Felipe García
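
AD keeps no central record of which DC serves a user's session, but each DC writes the lastLogon attribute locally when it authenticates the user, and that attribute is never replicated. Asking every DC and taking the newest value therefore identifies the DC that last authenticated the user. The added example below (not part of the original post) does that; the user name is assumed.

```powershell
# Added example (not from the original post). lastLogon is per-DC and not replicated;
# lastLogonTimestamp is replicated but may be up to 14 days stale, so it is useless here.
Import-Module ActiveDirectory
$Sam = 'jdoe'   # assumed

$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{ DC = $dc.HostName; Site = $dc.Site; Reachable = $true; LastLogon = $null; LogonCount = $null }
    try {
        $u = Get-ADUser -Identity $Sam -Server $dc.HostName -Properties lastLogon, logonCount -ErrorAction Stop
        if ($u.lastLogon) { $row.LastLogon = [DateTime]::FromFileTime($u.lastLogon) }
        $row.LogonCount = $u.logonCount          # also per-DC, not replicated
    } catch {
        $row.Reachable = $false
    }
    [PSCustomObject]$row
}

$rows | Sort-Object LastLogon -Descending | Format-Table -AutoSize
$latest = $rows | Where-Object LastLogon | Sort-Object LastLogon -Descending | Select-Object -First 1
"Most recent authentication of $Sam was against $($latest.DC) at $($latest.LastLogon)"
```

For the DC serving a session right now, the client's LOGONSERVER variable (or nltest /dsgetdc:<domain> run on the client) remains the authoritative answer; for history, the 4624/4768 security events on each DC record the user, the workstation and the client address.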

Lync/Skype 2016 GPO to disable chat logging


Support,

We are deploying Office 2016 to our end users and would like to make sure that conversation/chat logging is disabled through Lync/Skype. We have already installed the Administrative Templates for 2016 on our Domain Controller. Is there a policy we can create through AD that will disable that feature?

Thanks.


Group Policy does not apply to some users!


Hello!

I have configured a policy for several users, but some of them do not see the policy applied, not even in gpresult /R.

I have added accounts in Security Filtering.

When I add PC accounts of problem users or authenticated users group to Delegation tab with read rights then policy applies even to problem users too.

What's wrong?

Thank you
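
The behaviour described (user GPO only applies once Authenticated Users or the computer accounts get Read on the Delegation tab) is what MS16-072 (KB3163622, June 2016) introduced: clients now retrieve user-scoped GPOs in the computer's security context, so a GPO whose security filtering lists only user accounts must still grant Read, not Apply, to "Domain Computers" or "Authenticated Users". The added example below (not part of the original post) audits every GPO in the domain for that missing read permission and adds GpoRead for Domain Computers, which does not change who the GPO applies to.

```powershell
# Added example (not from the original post). Requires the GroupPolicy and
# ActiveDirectory modules and rights to edit GPO security.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$Domain = (Get-ADDomain).DNSRoot

# 1. Find GPOs where neither Authenticated Users nor Domain Computers can read the GPO.
$needFix = foreach ($gpo in Get-GPO -All -Domain $Domain) {
    $perms   = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain
    $readers = $perms | Where-Object {
        $_.Trustee.Name -in 'Authenticated Users', 'Domain Computers' -and
        $_.Permission   -in 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    }
    if (-not $readers) { $gpo }
}
$needFix | Select-Object DisplayName, Id, ModificationTime | Format-Table -AutoSize

# 2. Grant Read only. GpoApply would widen the scope; GpoRead just lets the computer
#    account fetch the GPO so the user settings in it can be evaluated.
foreach ($gpo in $needFix) {
    Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' -TargetType Group `
        -PermissionLevel GpoRead -Domain $Domain -WhatIf      # remove -WhatIf to apply
}
```

Adding the computer accounts with Read rather than restoring Authenticated Users with Apply keeps the intended user-based targeting intact.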

Internal and external site IP addresses are the same. Need help resolving.


One of our clients has their site hosted locally (not a live site; I believe it is used for testing etc.), plus their public site. Both sites report the same IP address. Let's say one is ExampleRealty.local and the other ExampleRealty.com. If you are inside the network and attempt to access the .com site, you will see the .local site (thinking it's the .com site); if you are outside the network, you see the correct .com site. How can I get anyone internally to see the correct .com site (and not the .local site)?

Any suggestions and help would be greatly appreciated.

D.
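
The first question for a split-brain DNS problem like this is what the internal resolver answers for the public name compared with a resolver outside the network. The added example below (not part of the original post) asks both resolvers for both names and tabulates the answers. The names are the post's placeholders; the external resolver address is an assumption.

```powershell
# Added example (not from the original post). Run from a machine inside the network.
$PublicName   = 'ExampleRealty.com'
$InternalName = 'ExampleRealty.local'
$ExternalDns  = '1.1.1.1'     # any resolver outside the network; assumed

# The first configured internal DNS server on this client.
$internal = (Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object ServerAddresses | Select-Object -First 1).ServerAddresses[0]

foreach ($name in $PublicName, $InternalName) {
    foreach ($server in $internal, $ExternalDns) {
        # -DnsOnly skips the hosts file and cache so the answer is the server's own.
        $r = Resolve-DnsName -Name $name -Type A -Server $server -DnsOnly -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Name     = $name
            Resolver = $server
            Answer   = if ($r) { ($r | Where-Object IPAddress).IPAddress -join ', ' } else { 'no answer / NXDOMAIN' }
        }
    }
}
```

If the internal resolver returns the private address for ExampleRealty.com, the internal DNS hosts a zone or record for the .com name (or the firewall rewrites the reply), and the fix is to correct that record to the public address or to bind the correct site to the internal address as well. If DNS already looks right, the web server is probably selecting the site by Host header and serving the .local site as its default binding, so check the bindings next.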
