Quantcast
Channel: Directory Services forum
Viewing all 31638 articles
Browse latest View live

New 2012R2 DC is not replicating DNS

September 15, 2016, 5:27 am
$
0
0

I am in the process of replacing a 2008 R2 DC with a 2012 R2  DC. DCpromo of the old Server is complete.  Promoted the replacement.  RepAdmin /ShowRepl returns a happy report.  All connections report that the last attempt was successful.I was seeing problems with DNS not replicating.  Changes were not replicating to and from the new DC.

Ran DCDiag /test:DNS and the DC in question fails the connectivity test with the glaring error:

Starting test: Connectivity
* Active Directory LDAP Services Check
         The host e2fdf070-0ae5-4798-9787-cbd4ececcf4e._msdcs.DomainName.org could
not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.

......................... ServerName failed test Connectivity

Is this something that I can safely manually edit?  Thoughts on best course of action?


Search

DCPromo fails removing 2008 R2 Core DC from forest.

September 8, 2016, 12:06 pm
$
0
0

I am trying to DCPromo down a Windows 2008 R2 Core Domain Controller down to a member Server and receive the message:

The operation failed because:

Active Directory Doamin Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=DomainName,DC=org to Active Directory Domain Controller \\Servername.DomainName.org

"The naming context could not be found."

Active Directory Domain Services was not removed.

DCDiag does not produce meaningful errors.  

Any thoughts?

Single Cert Server to two-tier PKI migration

September 15, 2016, 8:22 am
$
0
0

We have single Cert Server running on Windows 2008 and would like to move onto Windows 2012 R2 with two- tier ( offline root CA and Issuing CA) PKI solution.

What is the best practice to move from single cert server ( named certsrv) to two-tier cert server  solution?

As root CA as well as Issuing CA are on same server with name "certsrv", if I install offline root CA ( named RootCA) and domain joined Issuing CA ( named IssuingCA) , how the existing clients can get new / renew certificates from new PKI without any business interruption?

How can we publish RootCA certificate on all clients ( computers and users) as trusted rootCA ?

Would some one direct me the step by step guide to move single CA to two-tier PKI ?

Thanks in advance

Tek-Nerd

TrustAnchors OU question

September 14, 2016, 2:23 pm
$
0
0

In ADUC under the following: DC=TrustAnchors,CN=MicrosoftDNS,CN=System I see 3 objects (DNSNode)... I have 3 domain controllers all 3 are 2012 R2, 2 of the objects in the TrustAnchors OU is the DC's, the 3rd object is an @ symbol... It does not contain the 3rd domain controller.

How can I add the missing domain controller?


Convert Mobile Phone numbers to e-mails

September 15, 2016, 12:39 pm
$
0
0

Hello,

At my company we are trying to implement a system to send alerts to employee mobile phones through e-mail. Is there a way through Active Directory to convert the mobile phone numbers of our users to email addresses? Example: 5555555(at)vtext.com

From this, I need to be able to create a distribution list that selected users can send alerts through. Thank you for your help.

SRV 2000 error ID after promotion to DC - Windows 2012 R2

September 12, 2016, 1:39 am
$
0
0

A customer is facing this error on all DCs.

There are 3 DCs in 2 AD sites. The error is constant and remains after a migration of the two DCs of the main site to Windows 2102 R2. The same error existed in the old Win 2008 R2 DCs too.

Log Name:      System
Source:        <g class="gr_ gr_80 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="80" id="80">srv</g>
Date:          12/09/2016 10:30:30
Event ID:      2000
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      srvdc2.sorelleramonda.local
Description:
The server's call to a system service failed unexpectedly.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="srv" />
    <EventID Qualifiers="49152">2000</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-12T08:30:30.226906400Z" />
    <EventRecordID>241555</EventRecordID>
    <Channel>System</Channel>
    <Computer>srvdc2.sorelleramonda.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>\Device\LanmanServer</Data>
    <Binary>0000040001002C0000000000D00700C00000000002030980000000000000000000000000000000002C03C516</Binary>
  </EventData>
</Event>

Binary data:

In Words

0000: 00040000 002C0001 00000000 C00007D0
0010: 00000000 80090302 00000000 00000000
0020: 00000000 00000000 16C5032C

In Bytes

0000: 00 00 04 00 01 00 2C 00 ......,.
0008: 00 00 00 00 D0 07 00 C0 ....Ð..À
0010: 00 00 00 00 02 03 09 80 .......€
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 2C 03 C5 16 ,.Å.

I have tried to uninstall AV and a monitoring tool. I also try to troubleshoot the issue using Process Monitor, but I did not find anything relevant.

Your help to this matter will be high appreciated. Thanks a lot,

Enrico Giacomin





AD Account locking out frequently

September 15, 2016, 11:21 pm
$
0
0

HI Everyone,

I have a question about an issue which i am facing.Kindly help me if any one have any idea about it.

 I have some users whose accounts always get locked out of the domain,

I have to manually unlock it like every 3 minutes. Please I need help in knowing what the issue is.

Thank You!


Creating a low very low priviled user in the domain - User is member of DOMAIN GUESTS ONLY - no Domain Users

September 15, 2016, 11:00 am
$
0
0

The goal here: To create a DOMAIN user to use in a "kiosk machine", with the lowest local and domain possible privilege 

There is a public machine (Win7), on boot we MUST have autologon enabled (arrgh, tech people does not make the rules)

AND

a domain user has to be used because of a windows AD integrated application with single sign on in the web application (IE)

So, i´ve created a domain user, added to domain guests, turned domain guests into the primary group and removed domain users form the membership.

There is a problem? Can a user be member only of the domain guests (and local guests group) and no other groups?

The idea here is to avoid user being able to see shared folders and other resources availab le to authenticaed users (and everyone with equivalence) or users or regular global and local groups

Search

DFSR not function

September 16, 2016, 3:36 am
$
0
0
Good morning.
The situation is the following:
Server1: 2012R2 domain controller
Server2: 2012R2 domain controller

The DFSR fails or better is not the report warns. In ADSIEDIT I do not find the values needed for the proper functioning.
I tried to recreate these values by copying them from a domain controller for a different customer with the same operating system.
Does not work.
I tried to add a new domain controller (server3) in the vain hope that forces the creation of the necessary parameters.
It is seen as a domain controller in AD, but no voice sync DFSR is created.
Do you have any further ideas?
Thank you all for the help.
Roberto

Event 4624 and 4634 frequency

September 16, 2016, 3:48 am
$
0
0
How frequently the events 4624 and 4634 come to a domain controller? As 4634 is not the actual logoff event, so can I assume that a user has been logged off if domain controller doesn't get a pair of 4624/4634 from a workstation (specified by the ip address in the event)

The extended server error is: 000020E7: SvcErr: DSID-03152DB9, problem 5003 (WILL_NOT_PERFORM), data 1317

September 12, 2016, 1:39 am
$
0
0

I am facing following error while trying to create userProxy Object in my AD LDS instance.

Error Coming:

Add error on entry starting on line 1: Unwilling To Perform
The server side error is: 0x20e7 The modification was not permitted for security
 reasons.
The extended server error is:
000020E7: SvcErr: DSID-03152DB9, problem 5003 (WILL_NOT_PERFORM), data 1317


Command Executed:

c:\UserProxyFile>ldifde -i -f userProxyTest.ldf -s <MachineName>:50389

<MachineName> : i have provided name of machine where my AD LDS instance running.

Please note i am trying to run this command from the same machine where AD LDS running.

userProxyTest.ldf  File Content:

dn: CN=TestAuthProxy,CN=ProxyUser,CN=Roles,DC=mylds,DC=test
changetype: add
objectClass: top
objectClass: userProxy
distinguishedName: CN=TestAuthProxy,CN=ProxyUser,CN=Roles,DC=mylds,DC=test
objectSid:: AQUAABTOx8jPWdbTcA7w7xHxHE2n9SKmo0xXPw==

Things which Tried:

1) As per our knowledge inside object Sid need to provide sid of existing user object of AD LDS instance. for which we need to create User Proxy object. hence i have mentioned exactly same sid of that user by exporting the user/person object details from the my AD LDS account.

Suppose in my LDS -> User Object Called Test User exist, then objectSid:: AQUAABTOx8jPWdbTcA7w7xHxHE2n9SKmo0xXPw==  here the ObjectSid is the sid of the TestUser.

This Test User directly created inside the AD LDS its not that user which created under AD DS. and this user is active user.

2) I have also tried with the ObjectSid of other user which is created inside my AD DS instance which running on the same machine but that also not working.

Let me know is there any configuration i am missing or providing any invalid input.

Kindly provide me cause for the error and how i can resolve this error ASAP.

Thanks



Advance audit Policy GPO settings

September 1, 2016, 9:58 pm
$
0
0

Good morning,

How to identify the GPO name from client computer for Advance audit Policy GPO settings.

AliahMurfy

After restoring a DC, how to be sure if safe to boot second DC

September 16, 2016, 6:23 am
$
0
0

Hello.


I have successfully restore AD in a 2008 server domain after having lost lots of users that was deleted by a faulty uninstall of Exchange 2007. All users can now log on, access shares, and there are no errors in the event log.


Before starting the recovery, the second DC was shut down, so that no unwanted replications should take place while the restore process was running.


How can I be sure that it's safe to start the second DC again? Will the time stamp and sequence numbers alone on records in AD be sufficient? I will make sure that the running DC is the master, and that no replication is started from the now shutdown DC and on to the running one.


Ekjellas

Help to place a FSMO Roles

September 16, 2016, 1:27 am
$
0
0

Hi All,

I am little confused to place FSMO Roles on a domain controller.

Can someone please help to place a FSMO Roles on a DC. My setup is below.

Forest Domain: 1 Server (A.com)

Tree Root Domain: 1 Server (B.com)

Additional DC: 2 Servers

Child Domain: 6 Servers

Please let me know how to split the FSMO Roles accordingly on 10 servers.

Thanks,

Sivakumar Thayumanavan

Little typo in polish translation

September 16, 2016, 6:45 am
$
0
0

Hi !

Quick and fast, in BPA - PDC problems there's typo, someone eat letter w from command w32tm

Actual :

 Można również skonfigurować wzorzec emulatora kontrolera PDC w lesie tak, aby synchronizował czas z zewnętrznym serwerem czasu, uruchamiając polecenie 32tm /config /computer:


Should be :

 Można również skonfigurować wzorzec emulatora kontrolera PDC w lesie tak, aby synchronizował czas z zewnętrznym serwerem czasu, uruchamiając polecenie w32tm /config /computer:

Hope, it's right place to such topic. If not please move it to somewhere more appropriate place.

Search

Null SID, Unknown user name or bad password & Event ID 4625

September 15, 2016, 12:40 pm
$
0
0

We are experiencing multiple (30 or so a day at intervals) logon failure alerts for a particular server, but no user name is listed. Looking at this server, we can find no service account not using the proper credentials, cached credentials or scheduled tasks that are running. We will get 8 or 9 alerts at once, then nothing for an hour or so followed by the same alerts. Really having a hard time running this issue down and fixing it.   I've included what logs I could gather from our domain controller and from the reported server below.  Just as an FYI, the initial email alert comes from our SolarWinds LEM.  Thanks!

INITIAL EMAIL ALERT

logon failure "\" at 2016-09-15 12:49:40.0 from Server1 on DC Server1.DOMAIN.LOCAL

Lockout Reason:  unknown user name or bad password.

SECURITY EVENT LOG FROM <DomainController> (EVENT ID 4768)

A Kerberos authentication ticket (TGT) was requested.

Account Information:
 Account Name:  X509N:<S>CN=Server1WebClient
 Supplied Realm Name: DOMAIN.LOCAL
 User ID:   NULL SID

Service Information:
 Service Name:  krbtgt/DOMAIN.LOCAL
 Service ID:  NULL SID

Network Information:
 Client Address:  ::ffff:<x.x.x.50>
 Client Port:  56842

Additional Information:
 Ticket Options:  0x40810010
 Result Code:  0x6
 Ticket Encryption Type: 0xffffffff
 Pre-Authentication Type: -

Certificate Information:
 Certificate Issuer Name:  
 Certificate Serial Number: 
 Certificate Thumbprint:  

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

SECURITY EVENT LOG FROM Server1 (EVENT ID 4625)

An account failed to log on.

Subject:
 Security ID:  SYSTEM
 Account Name:  Server1$
 Account Domain:  Domain
 Logon ID:  0x3e7

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  
 Account Domain:  

Failure Information:
 Failure Reason:  Unknown user name or bad password.
 Status:   0xc000006d
 Sub Status:  0xc0000064

Process Information:
 Caller Process ID: 0x264
 Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
 Workstation Name: Server1
 Source Network Address: -
 Source Port:  -

Detailed Authentication Information:
 Logon Process:  Schannel
 Authentication Package: Kerberos
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
 - Transited services indicate which intermediate services have participated in this logon request.
 - Package name indicates which sub-protocol was used among the NTLM protocols.
 - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

The following error occured attempting to join the domain

March 29, 2013, 4:45 am
$
0
0

Hi,

Our domain controller running on Windows Server 2008. Before this we are using single IP Address to access active directory server.

Now our organization already change the network structure and using multiple VLAN.Our client using windows 7 Pro, cannot join to domain. error "The following error occurred attempting to join the domain "XXX.Local" The specified network name is no longer available.

Below is my test:-

1. Test ping server AD = Successful

2. Test nslookup = Successful

     
C:\>nslookup
Default Server:  biru.itnmb.local
Address:  192.168.42.4

> itnmb.local
Server:  biru.itnmb.local
Address:  192.168.42.4

Name:    itnmb.local
Address:  192.168.42.4

> 192.168.42.4
Server:  biru.itnmb.local
Address:  192.168.42.4

Name:    biru.itnmb.local
Address:  192.168.42.4

3. Test running dcdiag = successful and passed test

4. Telnet from client (all port required joining to domain) = Successful

what can i do?

Thanks,

Ezzy

Ezzy

Client machine is always goes to lock screen fast

September 16, 2016, 7:04 am
$
0
0

Good Morning,

One of our client machine always goes to lock screen that everytime we need to type password.

so how can we change the period more longer than this?

Best regards,

VeasnaYim

Old Certificates Appear as Default in the Address Book

September 14, 2016, 6:46 am
$
0
0

First off, I originally posted this question in an Exchange forum and received a reply from the moderator that leads me to think this might be an Active Directory issue.

Second, I am not an AD administrator.  When I have posed this question to our AD administator, I have gotten the brush off.  I am posting this message in the hopes of receiving some objective opinions.

Finally, I am not trying to solve an existing technical issue.  I am simply trying to collect more information so that I can gain a better understanding of email encryption issues.

Recently, I have seen three cases were a user was having email encryption problems, and in all three cases the issue was caused by an expired default certificate in the address book.  In all three cases:

  • The user had one valid certificate listed in AD.
  • I opened MMC on the client machine and added the Certificates snap-in, and found only one certificate installed on the machine, and it matched the certificate listed in AD.
  • I looked up the user in the address book, did a right-click > Add to Contacts > Certificates button on the ribbon, and found that the default certificate listed for the user was expired.

In one case, the default certificate listed in the address book expired in 2012.  If that expired certificate is not in AD, and it's not installed on the client machine, then where is it coming from?  It has to be coming from somewhere. 

Is it possible that AD is holding on to old certificate information in a location that is not visible through ADUC?  If so, is it possible to clear out old certificate information?

Thanks in advance for any help that you can offer!

--Tom

new Domain Controller is not advertising as a domain controller

September 16, 2016, 2:36 am
$
0
0

Hi,

I promoted a Windows 2012 R2 RODC via Powershell script. The server did not reboot after replication or advertise as Domain Controller although I can see EventID 29223 "This server is now a Domain Controller."

I did not find any usefully infomation on the logs in debug folder,  and "Active Directory Domain Services was shut down successfully. " on EventID 1004

Any idea to resolve the issue? 

Thanks

 

Viewing all 31638 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>