Channel: Directory Services forum

ADAMSYNC- Constraint Violation


I am working on a multi-domain AD LDS setup. I have it almost done; four domains out of five are sync'd. For my last domain, I have the error below in my log. Many, many, many users have been sync'd successfully before this user. This appears to be the last user to sync in this OU, as there are roughly 30 other users already sync'd.

Anyone have an idea? I can't find too much out on the Internets.

A constraint violation occured when attempting to add target object CN=Joe,OU=Associates,OU=Users,OU=People,DC=LastDomain-Com,DC=CUCM,DC=Local.

This could be due to a schema mismatch. This must be fixed before

synchronization can continue.

Ldap error occured. ldap_add_sWC: Constraint Violation. 

Extended Info: 000021C8: AtrErr: DSID-03200BF3, #1:
0: 000021C8: DSID-03200BF3, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (userPrincipalName)
.
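Problem 1005 (CONSTRAINT_ATT_TYPE) on Att 90290 says the target rejected the value of userPrincipalName for that one object. Before retrying the sync, the added check below (not from the post; the source DC, the AD LDS host:port and the RDN are assumptions, the partition DN is the one in the error text) reads the UPN the source object carries, looks for an object already in the AD LDS partition with the same value, and compares the value against the attribute's constraints in the instance's schema, which is the "schema mismatch" the log hints at:

```powershell
# Added example, not from the original post. Host names, port and the RDN below are assumptions;
# the partition DN is the one named in the adamsync error.
Import-Module ActiveDirectory

$SourceDc  = 'dc01.lastdomain-com.cucm.local'        # assumed writable DC of the source domain
$LdsServer = 'lds01.cucm.local:50000'                # assumed AD LDS instance, host:port
$LdsPart   = 'DC=LastDomain-Com,DC=CUCM,DC=Local'    # target partition from the error
$TargetCn  = 'Joe'                                   # RDN of the object that failed to add

# 1. The value the source object carries for the attribute named in the error (Att 90290).
$src = Get-ADUser -Server $SourceDc -LDAPFilter "(cn=$TargetCn)" -Properties userPrincipalName
if (-not $src) { throw "No source user with cn=$TargetCn on $SourceDc" }
$upn = [string]$src.userPrincipalName
"Source UPN: '$upn' (length $($upn.Length))"

# 2. Is there already an object in the AD LDS partition holding that UPN?
#    (escape LDAP filter metacharacters so the value cannot change the query)
$escaped = $upn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
$dup = Get-ADObject -Server $LdsServer -SearchBase $LdsPart -LDAPFilter "(userPrincipalName=$escaped)"
if ($dup) { "Already present in AD LDS with that UPN:"; $dup | Select-Object DistinguishedName, ObjectClass }
else      { "No existing object in $LdsPart carries '$upn'" }

# 3. Compare the value against the attribute's definition in the instance's schema:
#    range limits, single-valuedness and syntax come from the attributeSchema object.
$schemaNc = (Get-ADRootDSE -Server $LdsServer).schemaNamingContext
$attr = Get-ADObject -Server $LdsServer -SearchBase $schemaNc `
            -LDAPFilter '(lDAPDisplayName=userPrincipalName)' `
            -Properties rangeLower, rangeUpper, isSingleValued, attributeSyntax
if (-not $attr) { "userPrincipalName is not defined in the AD LDS schema at all" }
else {
    $attr | Select-Object rangeLower, rangeUpper, isSingleValued, attributeSyntax
    if ($attr.rangeUpper -and $upn.Length -gt $attr.rangeUpper) { "UPN longer than rangeUpper ($($attr.rangeUpper))" }
    if ($attr.rangeLower -and $upn.Length -lt $attr.rangeLower) { "UPN shorter than rangeLower ($($attr.rangeLower))" }
}
```

If step 2 finds a duplicate, the object that was synchronised first is the one holding the value; if step 3 shows a range or syntax mismatch, the attribute in the instance differs from the one in the source forest.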


DC replication issue?


Hi All,

We've recently been experiencing login issues (trust relationship missing, and usernames disappearing or not syncing across DCs).

I've decided to investigate and started by running dcdiag. I've attached the results. Help on where to begin sorting this out would be appreciated! :)

Not sure how to copy and paste the results. If you can help with that as well.


RODC Failure...


Hi,

So I am going absolutely crazy trying to configure an RODC that will authenticate the clients after credential caching has been done, so that the authentication is done on the RODC.

This is what I am doing; can someone please tell me what I'm doing wrong.

1. So I configure the clients to get an IP from the DC's DHCP and join the clients to the DC. (TESTED AND WORKING)

2. Then I configure the RODC on the DC for the Password Retention Policy and set up the RODC server as a new server VM. (TESTED AND WORKING)

3. Then I change the RODC's primary DNS IP to itself (127.0.0.1) and the alternate DNS to the DC's IP.

4. Then I point the clients to use the RODC as the primary DNS IP and the DC as the alternate DNS IP.

5. Then I turn off the DC and test the clients authenticating against the RODC; the clients log in, but then the network is unknown and not Domain Network. At this point I have checked that the client's IP is something other than what the DHCP has given them; it is probably because of changing the primary DNS of the clients to the RODC IP.

As you can see below, the W10, W8 and W7 computers and the MAdmin, M1 and M2 clients are allowed in the Password Retention Policy, yet the authentication happens only at the DC. Am I missing some step?

Could someone kindly let me know what I am doing wrong.

Thank You Very Much
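An added set of checks for the procedure above (not from the post; the DC, RODC, domain and account names are assumptions). Being on the Allowed list only permits caching; a secret is actually cached when the account authenticates through the RODC while a writable DC is still reachable, or when it is prepopulated, and both the user and the client computer account need to be cached for a logon to succeed with the writable DC off:

```powershell
# Added example, not from the original post. Host names, domain and account names are assumptions.
Import-Module ActiveDirectory
$Rodc   = 'RODC01'
$Rwdc   = 'DC01'
$Domain = 'corp.example.com'

# 1. What the Password Replication Policy permits (the Allowed list on the RODC object)
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass

# 2. Whose secrets are really cached on the RODC right now. Allowed is not the same as cached.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# 3. Accounts the RODC forwarded to a writable DC without caching them (PRP denied or not allowed)
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# 4. Prepopulate the user AND the client computer account while DC01 is still up;
#    both secrets are needed for a logon that never touches the writable DC.
foreach ($acct in 'M1', 'W10$') {
    $dn = (Get-ADObject -Filter "sAMAccountName -eq '$acct'").DistinguishedName
    if ($dn) { repadmin /rodcpwdrepl $Rodc $Rwdc "$dn" } else { Write-Warning "$acct not found" }
}

# 5. Run on a client: which site the locator placed it in and which DC it selected.
#    If this does not name RODC01, fix the subnet-to-site mapping before looking at caching.
nltest /dsgetsite
nltest "/dsgetdc:$Domain"
```

Step 5 is the one that usually explains "authentication happens only at the DC": a client whose IP is not in a subnet mapped to the RODC's site is handed any DC in the domain, regardless of which DNS server it queries.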




Get list of users authenticating to DC sites.


Hi All,

Would like to ask if there's a command that will generate a list of users authenticated on a specific DC.

Thank you!
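One way to get that list, as an added example rather than anything from the post (the DC name and the 24-hour window are assumptions): read the DC's Security log for Kerberos TGT requests (event 4768) and NTLM credential validations (event 4776) and group them by account. Both events exist only where "Audit Kerberos Authentication Service" and "Audit Credential Validation" are enabled, and each DC only records the authentications it handled itself, so run it per DC:

```powershell
# Added example, not from the original post. DC name and time window are assumptions.
$Dc    = 'DC01'
$Since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4776          # 4768: Kerberos TGT requested; 4776: NTLM credential validation
    StartTime = $Since
}

# Flatten the EventData fields of each event into one row
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        User    = $data.TargetUserName                     # computer accounts end in $
        Source  = if ($e.Id -eq 4768) { $data.IpAddress } else { $data.Workstation }
        Success = ($data.Status -eq '0x0')                 # both events report 0x0 on success
    }
}

# One line per account: how many times, when last, from where
$rows | Where-Object Success |
    Group-Object User |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Name
            Count    = $_.Count
            LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
            Sources  = ($_.Group.Source | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Count -Descending | Format-Table -AutoSize
```

Drop the `Where-Object Success` filter to see failed attempts as well; the Status field then carries the Kerberos error code (for example 0x18 for a wrong password).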

Users added to Remote Desktop Users local group on Terminal Server get "No search results" when they use ADUC find option.


Hi All,

Users added to the Remote Desktop Users local group on a Terminal Server get "No search results" when they use the ADUC snap-in's Find option to search for any user account. However, they can manually navigate to the user accounts through the OU structure using ADUC.

We tried giving List Contents rights in AD to the users who are members of the TS RDP group. However, the ADUC Find functionality still isn't working.

The ADUC snap-in's Find function works properly for users who are members of the local Administrators group on the TS box.

TS box operating system: Win2k12R2

Any thoughts?

Regards,

Cool1




Set Terminal Services profile path for a CSV list of users according to their sAMAccountName


Hi, thank you for your support and help.

It's very discouraging that downloading the code failed; the website above cannot be opened at all.

I look forward to you sending me the whole code.


1. My sample format context for the "myfile.csv" is as below:

[It's very discouraging that uploading my code and the error failed]

# Noted:

# 1. The TerminalServicesHomeDirectory and TerminalServicesProfilePath are set according to the "sAMAccountName"

# 2. Would you like to show me the sample format context for the "myfile.csv", such as how many columns need to be listed?

Any help and guidance will be appreciated, thanks a lot!
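Since both attributes are derived from the sAMAccountName, myfile.csv needs only one column. The script below is an added example, not the code the post was trying to download; the file server shares and the drive letter are assumptions. The Terminal Services attributes are not exposed by Set-ADUser (they are packed into the userParameters blob), so they are written through the IADsTSUserEx interface via InvokeSet on an ADSI object:

```powershell
# Added example, not the code the post asked about. Share paths and drive letter are assumptions.
Import-Module ActiveDirectory

$ProfileRoot = '\\fs01\tsprofiles'   # assumed share behind TerminalServicesProfilePath
$HomeRoot    = '\\fs01\tshome'       # assumed share behind TerminalServicesHomeDirectory
$HomeDrive   = 'H:'
$DryRun      = $true                 # set to $false to actually write

# Constructed sample standing in for "myfile.csv": one header, one sAMAccountName per line
$rows = @'
sAMAccountName
jdoe
asmith
'@ | ConvertFrom-Csv
# $rows = Import-Csv -Path .\myfile.csv     # the real file, same single column

foreach ($row in $rows) {
    $sam  = $row.sAMAccountName.Trim()
    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'"
    if (-not $user) { Write-Warning "$sam not found, skipped"; continue }

    $profilePath = Join-Path $ProfileRoot $sam      # \\fs01\tsprofiles\jdoe
    $homePath    = Join-Path $HomeRoot    $sam      # \\fs01\tshome\jdoe

    if ($DryRun) { "$sam -> $profilePath ; $homePath"; continue }

    # TS settings live in userParameters and are reached through IADsTSUserEx, hence InvokeSet
    $adsi = [ADSI]"LDAP://$($user.DistinguishedName)"
    $adsi.InvokeSet('TerminalServicesProfilePath',   $profilePath)
    $adsi.InvokeSet('TerminalServicesHomeDirectory', $homePath)
    $adsi.InvokeSet('TerminalServicesHomeDrive',     $HomeDrive)
    $adsi.SetInfo()

    # Read back what the directory now holds
    [pscustomobject]@{
        User        = $sam
        ProfilePath = $adsi.InvokeGet('TerminalServicesProfilePath')
        HomeDir     = $adsi.InvokeGet('TerminalServicesHomeDirectory')
        HomeDrive   = $adsi.InvokeGet('TerminalServicesHomeDrive')
    }
}
```

Run it once with `$DryRun = $true` to see the paths that would be written, then flip the switch. Extra CSV columns are ignored, so a file with more columns works as long as one is named sAMAccountName.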

Branch office AD connectivity


Hi, we have a number of branch offices, or remote data centers rather, where some of the networks are not routed (for various reasons) over the WAN link to the central data center. The remote data center has two RWDCs from the central domain in order to authenticate users and provide domain join functionality etc. These RWDCs are on networks with routes to both the central site as well as the local, non-WAN routed networks. We have AD sites setup with all subnets for all remote data centers as well as the central data center with site links setup in a star topology, all remote sites replicating only to the central data center.

In some scenarios, particularly domain joins, where the client does not yet know which AD site it belongs to, it will of course query DNS to locate any AD server in the domain. I assume the SRV records in e.g. _ldap._tcp.dc._msdcs.<domainname> will be used. But since these records contain AD servers from other sites, is there a best practice on how to force the domain join to occur towards the local RWDC only? Using "netdom join /domain:domain\dc" seems to be one option but may not work in all install scenarios.

Schematic picture:

Raising Functional Level with Combined DC+CA


Hello All..........We have a Domain Controller that is also hosting a Root CA server based on Windows Server 2008. The DC does not have any FSMO roles. This is the only DC that is based on Windows Server 2008; all other DCs are based on Windows Server 2012.

Question: We want to raise the Functional Level to 2012, but we are unable to do so because of the presence of the Windows Server 2008-based DC. We have tried uninstalling the DC role from the server, but it does not allow it, as it is running the Root CA as well. What can be the possible solution to this?


My head office users are authenticating from the RODC in a branch instead of the HO writable server.


Hi Experts,

I have a strange issue.

I have 28 branches with RODCs installed, with DNS and DHCP, Windows Server 2012 and R2 mixed. Each RODC is in its own site.

I have 4 RWDCs: 2 in the head office and 2 in other branches, with Windows Server 2008 R2 installed.

I have clients on Windows 7 and some on Windows 10.

The issue is that every user in HO that I am seeing is authenticating from a branch RODC. Most of my branches are shutting down their DC after 4 PM because of electricity issues, due to which users are facing the Trust Relationship issue.

The other issue is that none of our users can change their password when it has expired, except the users whose user and computer attribute (msDS-AuthenticatedAtDC) is manually set to our PDC.
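Two checks for the situation above, as an added example (not from the post; the OU, the workstation name and the domain are assumptions). msDS-AuthenticatedAtDC is written by the RODCs that have authenticated an account, so reading it over the head office OU shows which accounts were sent to a branch; and since the DC locator chooses a DC from the site the client's IP address maps to, the second part resolves a head office workstation and finds the AD subnet (and therefore the site) it falls in. A head office subnet that is missing, or mapped to a branch site, is what sends HO users to a branch RODC:

```powershell
# Added example, not from the original post. OU, workstation and domain names are assumptions.
Import-Module ActiveDirectory
$HoOu        = 'OU=HeadOffice,DC=corp,DC=example,DC=com'
$SampleHost  = 'ws-ho-01.corp.example.com'

# 1. Which RODCs have authenticated head office users and computers
"RODCs in the domain: " + ((Get-ADDomainController -Filter { IsReadOnly -eq $true }).Name -join ', ')
Get-ADObject -SearchBase $HoOu -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
             -Properties 'msDS-AuthenticatedAtDC' |
    Where-Object { $_.'msDS-AuthenticatedAtDC' } |
    ForEach-Object {
        $dcs = foreach ($dn in $_.'msDS-AuthenticatedAtDC') { ($dn -split ',')[0] -replace '^CN=' }
        [pscustomobject]@{ Name = $_.Name; Class = $_.ObjectClass; AuthenticatedAt = ($dcs -join ', ') }
    } | Sort-Object AuthenticatedAt | Format-Table -AutoSize

# 2. Which AD subnet, and so which site, a head office client lands in
function Test-IPv4InCidr([string]$Ip, [string]$Cidr) {
    $m = [regex]::Match($Cidr, '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$')
    if (-not $m.Success) { return $false }                      # IPv6 subnets are skipped here
    $toInt = { param($a) $b = [Net.IPAddress]::Parse($a).GetAddressBytes(); [Array]::Reverse($b); [BitConverter]::ToUInt32($b, 0) }
    $bits = [int]$m.Groups[2].Value
    $mask = if ($bits -eq 0) { [uint32]0 } else { [uint32](([long]0xFFFFFFFF -shl (32 - $bits)) -band 0xFFFFFFFF) }
    return ((& $toInt $Ip) -band $mask) -eq ((& $toInt $m.Groups[1].Value) -band $mask)
}

$subnets = Get-ADReplicationSubnet -Filter * -Properties Site
$ip = (Resolve-DnsName -Name $SampleHost -Type A).IPAddress | Select-Object -First 1
$hit = $subnets | Where-Object { Test-IPv4InCidr $ip $_.Name } |
       Sort-Object { [int]($_.Name -split '/')[1] } -Descending | Select-Object -First 1   # longest prefix wins
if ($hit) { "$ip -> subnet $($hit.Name) -> site $(($hit.Site -split ',')[0] -replace '^CN=')" }
else      { "$ip is in no AD subnet: the locator hands the client any DC in the domain" }
```

Run the second part for one client per head office VLAN; every result should name the head office site. Expired-password changes are a separate matter: an RODC cannot process them itself and forwards them to a writable DC, so they fail whenever the writable DC the RODC would forward to is unreachable.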

Exclude ActiveSync Traffic from MFA in ADFS 3.0


We have an ADFS 3.0 solution, federated with O365, working with MFA which only requires MFA when users are on the Extranet. This works fine until the users' phones try to connect to their mailboxes and then prompt for an MFA password.

I understand that we can change the claim rule in ADFS to exclude ActiveSync traffic but just wanted to confirm the correct syntax for the command and if the exclusion can be removed if it causes unwanted "side effects"?

I've found the required command at the following URL:

https://newsignature.com/articles/bypassing-multi-factor-authentication-using-ad-fs-claims-rule/

Cheers for now

Russell
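For the syntax question, an added example (not from the post or the linked article; the relying party name is the default one for the Office 365 trust): it saves the current additional authentication rules so the change can be undone, then installs a rule that requires MFA from outside the corporate network unless the request context carries the x-ms-client-application claim for ActiveSync. The caveat a practitioner would want stated plainly: that claim is supplied by the Exchange Online proxy, not proven by the phone, so the exclusion leaves a password-only path to every mailbox for any client that can authenticate through the ActiveSync endpoint. Reverting is just writing the saved rules back:

```powershell
# Added example, not from the original post or the linked article. Adjust $Rp if the trust was renamed.
$Rp = 'Microsoft Office 365 Identity Platform'   # default display name of the O365 relying party trust

# 1. Keep the rules that are in place now so the change can be reverted
$current = (Get-AdfsRelyingPartyTrust -Name $Rp).AdditionalAuthenticationRules
$backup  = "C:\adfs-backup\O365-AdditionalAuthRules-$(Get-Date -Format yyyyMMdd-HHmm).txt"
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
$current | Out-File -FilePath $backup
"Previous rules saved to $backup"

# 2. MFA for extranet requests, except when Exchange Online marks the request as ActiveSync
$rule = @'
@RuleName = "MFA from the extranet, ActiveSync excluded"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName $Rp -AdditionalAuthenticationRules $rule

# 3. Confirm what is now in force
(Get-AdfsRelyingPartyTrust -Name $Rp).AdditionalAuthenticationRules

# 4. To undo the exclusion, put the saved rules back:
# Set-AdfsRelyingPartyTrust -TargetName $Rp -AdditionalAuthenticationRules (Get-Content $backup -Raw)
```

Test with a phone from outside and with a browser from outside before and after: only the ActiveSync connection should stop prompting for the second factor.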

 

Force password to expire for testing

Is there a way to forcibly have a password expire in AD so I can test the OWA password expiration form?
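An added example (not from the post; the account and policy names are assumptions) that produces a genuinely expired password rather than the "must change at next logon" flag, which OWA treats differently: a fine-grained password policy with a one-day maximum age applied to the one test account. If that account's password was last set more than a day ago it is expired as soon as the policy applies; the script reads msDS-UserPasswordExpiryTimeComputed so you can see the exact moment it counts as expired:

```powershell
# Added example, not from the original post. Account and policy names are assumptions.
# Fine-grained password policies need domain functional level Windows Server 2008 or higher.
Import-Module ActiveDirectory
$TestUser = 'owa.test'
$PsoName  = 'PSO-Expire-For-Testing'

# 1. A policy whose only purpose is a one-day maximum age, scoped to the single test account
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MaxPasswordAge '1.00:00:00' -MinPasswordAge '0.00:00:00' `
        -MinPasswordLength 8 -PasswordHistoryCount 1 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 0 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00'
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $TestUser

# 2. "Password never expires" would override any policy; clear it on the test account
if ((Get-ADUser $TestUser -Properties PasswordNeverExpires).PasswordNeverExpires) {
    Set-ADUser -Identity $TestUser -PasswordNeverExpires $false
}

# 3. Confirm the policy applied and compute the expiry; older than a day means expired right now
$u   = Get-ADUser -Identity $TestUser -Properties PasswordLastSet, 'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed'
$raw = [long]$u.'msDS-UserPasswordExpiryTimeComputed'
$expires = if ($raw -gt 0 -and $raw -lt [long]::MaxValue) { [datetime]::FromFileTime($raw) } else { $null }
[pscustomobject]@{
    User            = $u.SamAccountName
    PasswordLastSet = $u.PasswordLastSet
    ResultantPSO    = $u.'msDS-ResultantPSO'
    ExpiresAt       = if ($expires) { $expires } else { 'never' }
    ExpiredNow      = [bool]($expires -and $expires -lt (Get-Date))
}

# 4. Clean up once the OWA test is done
# Remove-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $TestUser
# Remove-ADFineGrainedPasswordPolicy -Identity $PsoName
```

If PasswordLastSet is newer than one day, either wait for the remaining time shown in ExpiresAt or use an account whose password was set earlier; pwdLastSet cannot be backdated.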

recycle bin


We are running Windows 2008 R2 Active Directory. I just enabled the Recycle Bin in dsac and then created a test user for testing deletion and restoring. But I looked everywhere and could not find the Deleted Objects container described in the document below:

https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-

Have I missed anything? Please advise!

Thank you very much!
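The linked document describes the Windows Server 2012 version of Active Directory Administrative Center; the Deleted Objects node in the console appeared with that release, and the 2008 R2 console has no such view. On 2008 R2 the feature is switched on with Enable-ADOptionalFeature (or LDP) and deleted objects are listed and restored from PowerShell. The following is an added example, not from the post; the test user's name is an assumption:

```powershell
# Added example, not from the original post. The test user's name is an assumption.
Import-Module ActiveDirectory
$forest = Get-ADForest

# 1. Is the feature on? EnabledScopes stays empty until it is enabled. Enabling is irreversible
#    and needs forest functional level Windows Server 2008 R2 or higher.
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' | Select-Object Name, EnabledScopes
# Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false

# 2. Deleted objects live in the hidden CN=Deleted Objects container of the partition. Neither ADUC
#    nor the 2008 R2 ADAC displays it; -IncludeDeletedObjects does.
Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } -IncludeDeletedObjects `
             -Properties lastKnownParent, whenChanged, isRecycled |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged, isRecycled | Format-Table -AutoSize

# 3. Restore the test user. lastKnownParent must still exist; otherwise pass -TargetPath.
Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq 'rb.test' } -IncludeDeletedObjects |
    Restore-ADObject -Verbose
Get-ADUser -Identity 'rb.test' | Select-Object Name, DistinguishedName, Enabled
```

Objects deleted before the feature was enabled show isRecycled and cannot be restored this way; only deletions made after enabling keep their attributes for the deleted-object lifetime.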

What is UDP port 389 used for?


What is UDP port 389 used for?

Answer = LDAP queries. But what I am trying to find out is what happens if this port/protocol combo is blocked on a firewall, for example on the PDCE. What happens? What are the implications?

If I run C:\temp>"portqry /n TargetServer /p TCP /e 389"

I get a stack of responses. If, however, I run "portqry /n TargetServer /p UDP /e 389"

I get "UDP port 389 is listening"

How's this for a guess? With DNS we enable port 53 on TCP and UDP. I believe UDP is enabled and used if the DNS payload breaches what TCP can hold. So is the same thing going on here with LDAP UDP port 389, in that the payload is too much for TCP and so UDP gets used? I have searched Microsoft and can't see a reference to what it actually does or the implications of turning it off.

This is related to a problem I am looking at and not just a nice to know type thing.

Thank you for looking.
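What UDP 389 carries is connectionless LDAP (CLDAP): the DC locator's "LDAP ping", a one-datagram search for the Netlogon attribute that clients (nltest /dsgetdc, domain join, logon) send to candidate DCs found via the SRV records to confirm the DC is alive and learn its site and flags. Blocking it on a DC does not break LDAP queries over TCP but does break or delay DC discovery against that DC. The added example below (not from the post; DC name and domain are assumptions) hand-builds that CLDAP request with BER encoding, sends it on UDP 389 and reports whether an answer came back, which is a direct test of whether the port is open between two hosts:

```powershell
# Added example, not from the original post. DC name and domain are assumptions.
# Sends the DC locator's LDAP ping (CLDAP on UDP 389). A reply means locator traffic on UDP 389
# works end to end; silence within the timeout means it is filtered, or the DC does not serve $Domain.
$Dc     = 'dc01.corp.example.com'
$Domain = 'corp.example.com'

function Ber-Encode([byte]$Tag, [byte[]]$Content) {
    # BER TLV: tag, definite length (long form from 128 bytes up), content
    $out = New-Object System.Collections.Generic.List[byte]
    $out.Add($Tag)
    if ($Content.Length -lt 0x80) {
        $out.Add([byte]$Content.Length)
    } else {
        $len = [BitConverter]::GetBytes([uint32]$Content.Length)   # little-endian
        [Array]::Reverse($len)                                     # BER lengths are big-endian
        $i = 0; while ($len[$i] -eq 0) { $i++ }                    # drop leading zero bytes
        $len = $len[$i..3]
        $out.Add([byte](0x80 -bor $len.Count))
        $out.AddRange([byte[]]$len)
    }
    if ($Content.Length) { $out.AddRange($Content) }
    return ,$out.ToArray()
}
function Ber-Octet([string]$s)              { Ber-Encode 0x04 ([Text.Encoding]::UTF8.GetBytes($s)) }
function Ber-Small([byte]$Tag, [int]$Value) { Ber-Encode $Tag ([byte[]]@($Value)) }   # INTEGER/ENUMERATED/BOOLEAN < 128

# Filter (&(DnsDomain=<domain>)(NtVer=\06\00\00\00)); NtVer 0x6 = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX
$eqDomain = Ber-Encode 0xA3 ([byte[]]((Ber-Octet 'DnsDomain') + (Ber-Octet $Domain)))
$eqNtVer  = Ber-Encode 0xA3 ([byte[]]((Ber-Octet 'NtVer') + (Ber-Encode 0x04 ([byte[]](6, 0, 0, 0)))))
$filter   = Ber-Encode 0xA0 ([byte[]]($eqDomain + $eqNtVer))
$attrs    = Ber-Encode 0x30 (Ber-Octet 'Netlogon')

# SearchRequest [APPLICATION 3]: baseObject "", scope baseObject, derefAliases never, no limits, typesOnly false
$search  = Ber-Encode 0x63 ([byte[]]((Ber-Octet '') + (Ber-Small 0x0A 0) + (Ber-Small 0x0A 0) +
                                      (Ber-Small 0x02 0) + (Ber-Small 0x02 0) + (Ber-Small 0x01 0) +
                                      $filter + $attrs))
$message = Ber-Encode 0x30 ([byte[]]((Ber-Small 0x02 1) + $search))   # LDAPMessage with messageID 1

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = 3000
try {
    $udp.Connect($Dc, 389)
    [void]$udp.Send($message, $message.Length)
    $from  = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    $reply = $udp.Receive([ref]$from)
    $isLdap = ($reply.Length -gt 2) -and ($reply[0] -eq 0x30)      # LDAPMessage SEQUENCE
    "Reply of $($reply.Length) bytes from $($from.Address); LDAPMessage: $isLdap"
    "UDP 389 is open to $Dc and the DC answered the LDAP ping for $Domain"
} catch [System.Net.Sockets.SocketException] {
    "No reply within 3 s: UDP 389 filtered, or $Dc does not answer for '$Domain'"
} finally {
    $udp.Close()
}
```

The reply, when it comes, is a SearchResultEntry whose Netlogon value is the NETLOGON_SAM_LOGON_RESPONSE_EX structure (DC name, domain, site, client site, flags); `nltest /dsgetdc:<domain>` is the same exchange with the decoding done for you.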

How to Script for Active Directory


Dears,

I hope you are doing well.

This is my first time at your social technical forum. I am engaged in a project that integrates with Active Directory and impacts the user login process. The case is that when I need to edit user settings I have to do this for every user, which takes a long time. I need to learn how to write scripts for Active Directory that change specific attributes in the schema and simulate what I have to do manually for each user. I am not experienced in this domain, so please, I need to know the right materials and topics I have to cover to be able to do this task.

Thanks, and looking forward to your assistance and support.

Domain join fails when using PowerShell but works when done manually

I'm scratching my head because of this. When using PowerShell to join a computer to the domain using "Add-Computer" I get an Access Denied error, but when done manually from Windows it works. The same account is used to join the computer to the domain. Any ideas?
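For the two domain-join questions on this page (steering the join at the branch's own RWDC, and a join that is refused from PowerShell with Access Denied), one added example that is not from either post; the domain, site, DC, OU and account names are assumptions. It lists the SRV records the site publishes, checks that the chosen DC is reachable on the ports a join uses, reports whether a computer account with this name already exists (the joining account then needs rights to reset it, or the join is refused), and finally calls Add-Computer with -Credential, -OUPath and -Server set explicitly so nothing is left to the defaults the GUI and the cmdlet may fill in differently:

```powershell
# Added example, not from either post. Domain, site, DC, OU and account names are assumptions.
$Domain   = 'corp.example.com'
$Netbios  = 'CORP'
$Site     = 'RemoteDC1'                                 # AD site of the remote data center
$LocalDc  = 'dc-remote1.corp.example.com'               # RWDC located in that site
$OuPath   = 'OU=Workstations,DC=corp,DC=example,DC=com'

# 1. What the site-specific locator records advertise (a site-aware client would use these)
Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" -Type SRV |
    Select-Object NameTarget, Port, Priority, Weight

# 2. Can this host reach the chosen DC on the ports a join needs? (Windows 8/2012 or later)
foreach ($port in 53, 88, 135, 389, 445) {
    Test-NetConnection -ComputerName $LocalDc -Port $port -WarningAction SilentlyContinue |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# 3. Does an account with this computer name already exist? If it does, the joining account must be
#    allowed to reset it, otherwise the join comes back with Access Denied. Needs the ActiveDirectory
#    module; on a bare workstation run this part from an administrative host instead.
$cred = Get-Credential -Message 'Account permitted to join computers' -UserName "$Netbios\joinsvc"
try {
    $existing = Get-ADComputer -Identity $env:COMPUTERNAME -Server $LocalDc -Credential $cred -ErrorAction Stop
    "Existing account: $($existing.DistinguishedName)"
} catch { "No existing computer account named $env:COMPUTERNAME" }

# 4. Join against that DC only. -Server takes the Domain\DC form documented for Add-Computer.
Add-Computer -DomainName $Domain -Server "$Netbios\dc-remote1" -OUPath $OuPath -Credential $cred -Verbose
Restart-Computer
```

After the reboot, `Test-ComputerSecureChannel -Verbose` and `nltest /dsgetdc:corp.example.com` confirm the trust and show which DC the locator now picks once the machine knows its site.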

link contact to user??


Is there a way to link a contact to the corresponding user account? We want to create a bunch of new contacts in AD, and each contact will correspond to an existing user account in AD.

User ID: John Q. Public

Contact: John Q. Public

Or are they always going to be separate records within the AD database?


mqh7

IPv4 and IPv6 in Dualstack for ADDS - prefer IPv4

Hi @all,



I have 2 datacenters, which are both behind a NAT router, connected via site-to-site VPN.

Now I've got IPv6 and IPv4 enabled through my ISP in a real dual-stack configuration, meaning I have a real IPv4 and a real IPv6 address.

Having only IPv4, the domain controllers replicated through IPv4 and there was no problem at all.

Now, since I have IPv6 assigned to both sites, they want to communicate via IPv6 preferably, but cannot, since there is no DirectAccess or anything configured, and my domain controller replication is currently not running.



Is there a switch available to tell the domain controllers to communicate via IPv4 preferably?

cheers,

Matthias
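There is such a switch. Windows chooses the address family from the IPv6 prefix policy table, where the native IPv6 prefix outranks the IPv4-mapped prefix by default, so a dual-stack host tries IPv6 first. Setting DisabledComponents to 0x20 in the Tcpip6 parameters (the documented KB929852 value) keeps IPv6 enabled but ranks IPv4 above it. The added example below is not from the post; the partner DC name is an assumption:

```powershell
# Added example, not from the original post. The partner DC name is an assumption.

# 1. The current prefix policy: higher precedence wins; ::/0 above ::ffff:0:0/96 means IPv6 first
netsh interface ipv6 show prefixpolicies

# 2. What the replication partner resolves to; with AAAA present, IPv6 is what gets tried first
Resolve-DnsName -Name 'dc02.corp.example.com' | Select-Object Type, IPAddress

# 3. DisabledComponents = 0x20: prefer IPv4 over IPv6 in the prefix policies, IPv6 stays enabled.
#    (Microsoft advises against disabling IPv6 outright on domain controllers.) Reboot to apply.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
New-ItemProperty -Path $key -Name DisabledComponents -PropertyType DWord -Value 0x20 -Force | Out-Null
Get-ItemProperty -Path $key -Name DisabledComponents | Select-Object DisabledComponents

# 4. After the reboot on both DCs, check the prefix table again and confirm replication came back
# netsh interface ipv6 show prefixpolicies
# repadmin /showrepl
# repadmin /replsummary
```

Apply it on the DCs at both sites; the preference is per host, and each side initiates its own replication connections.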



DsRemoveDsServerW error 0x5(Access is denied.) when removing failed 2003 DC using NTDSUtil


Hi,

I have a failed 2003 SP2 DC (hardware failure) and I've already seized the FSMO roles onto another DC. Currently, we have two functioning DCs. The ones still functioning are a 2003 SP2 and a 2008 RTM SP2 in a Windows 2003 domain functional level.

I've read through this link and I'm having the same issue, but I'd rather use the metadata cleanup if I can to make sure it's properly removed.  I am going to reuse the same hostname and IP if possible.

Remove the orphaned DC failed-
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/5dcf30ce-e5d5-4f9b-81e4-d0a49651da06

I've checked to make sure the failed DC's object option for "Protect this object from accidental deletion" is unchecked. I've even toggled this to see if that was the problem. I'm also using a user account which is a member of the Domain Admins, Enterprise Admins, and Schema Admins groups. Just to be sure, I've created a new account and added it to those 3 groups, but still no luck and I receive the same error.

I've only run ntdsutil on the 2008 DC, but will try running it on the 2003. I doubt this would matter, though?

Any ideas?

metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=CLAY-DC2,OU=Domain Controllers,DC=CLAY,DC=CNTY".
Deleting subtree under "CN=CLAY-DC2,OU=Domain Controllers,DC=CLAY,DC=CNTY".
The attempt to remove the FRS settings on CN=CLAY-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CLAY,DC=CNTY failed because "Element not found.";
metadata cleanup is continuing.
DsRemoveDsServerW error 0x5(Access is denied.)

Rory Schmitz
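Before running the cleanup again, an added check (not from the post; the DN prefixes are taken from the ntdsutil output above, the site name from the same output) that inspects the objects DsRemoveDsServer has to delete, the NTDS Settings object, the server object and their parents, for explicit Deny entries and the protection flag, and confirms the admin group memberships are actually present in the current token, since a group added to an account is not in the token until that account logs on again:

```powershell
# Added example, not from the original post. Object names come from the ntdsutil output above.
Import-Module ActiveDirectory
$Server = 'CLAY-DC2'
$Site   = 'Default-First-Site-Name'
$cfg    = (Get-ADRootDSE).configurationNamingContext

# Objects metadata cleanup deletes, plus their parents ("Protect from accidental deletion"
# writes a Deny Everyone ACE on the object and a Deny DeleteChild ACE on the parent).
$targets = @(
    "CN=NTDS Settings,CN=$Server,CN=Servers,CN=$Site,CN=Sites,$cfg",
    "CN=$Server,CN=Servers,CN=$Site,CN=Sites,$cfg",
    "CN=Servers,CN=$Site,CN=Sites,$cfg"
)
$computer = Get-ADComputer -Filter "name -eq '$Server'" -ErrorAction SilentlyContinue
if ($computer) { $targets += $computer.DistinguishedName }

foreach ($dn in $targets) {
    $obj = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion -ErrorAction SilentlyContinue
    if (-not $obj) { "$dn : not present (already removed)"; continue }
    $acl  = Get-Acl -Path "AD:\$dn"
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    [pscustomobject]@{
        Object    = $dn
        Protected = $obj.ProtectedFromAccidentalDeletion
        Owner     = $acl.Owner
        DenyAces  = ($deny | ForEach-Object {
                        "$($_.IdentityReference): $($_.ActiveDirectoryRights) [$($_.InheritanceType)]"
                    }) -join '; '
    } | Format-List
}

# Are the admin groups really in this session's token? Membership added after logon is not.
whoami /groups /fo list | Select-String 'Domain Admins|Enterprise Admins|Schema Admins'
```

Any Deny entry naming Everyone with Delete, DeleteTree or DeleteChild on one of those objects is what turns the deletion into error 0x5 even for an Enterprise Admin.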

DNS forwarding


Hi,

I am new to this DNS field.

We, from the ABC.com domain, are doing a forward to another company's domain, XYZ.com. We have hooked up to their DNS server, meant for our company, with limited defined forwards using XYZ-defined network connectivity. This forwarding is based on the domain and not on individual URLs.

Now we want to access some sites under int.XYZ.com over the internet, but my forwarder is forwarding all the traffic for XYZ.com through their defined connectivity and not searching the open internet.

Is there a possibility of placing some exception rule on this forwarder so that int.XYZ.com is resolved over the internet?

Thanks.
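A conditional forwarder is matched on the closest zone name, so a second conditional forwarder for int.XYZ.com takes precedence over the one for XYZ.com for names under int.XYZ.com only, and can point at the resolvers the server uses for the public internet. The following is an added example, not from the post; the resolver addresses are placeholders and the DnsServer module assumes Windows Server 2012 or later:

```powershell
# Added example, not from the original post. Resolver addresses are placeholders; the DnsServer
# module is available on Windows Server 2012 and later.
Import-Module DnsServer

# 1. What is forwarded today: the XYZ.com conditional forwarder and the partner's resolvers
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } |
    Select-Object ZoneName, MasterServers, ReplicationScope

# 2. A more specific conditional forwarder for int.XYZ.com to the resolvers used for the internet.
#    Longest-matching zone wins, so only int.XYZ.com names take this path; everything else under
#    XYZ.com keeps going to the partner.
$InternetResolvers = '203.0.113.53', '198.51.100.53'     # placeholders: your ISP's or public resolvers
Add-DnsServerConditionalForwarderZone -Name 'int.XYZ.com' -MasterServers $InternetResolvers -ReplicationScope Forest

# 3. Verify both paths from the server itself
Resolve-DnsName -Name 'www.int.XYZ.com' -Server localhost | Select-Object Name, Type, IPAddress
Resolve-DnsName -Name 'portal.XYZ.com'  -Server localhost | Select-Object Name, Type, IPAddress

# 4. To undo
# Remove-DnsServerZone -Name 'int.XYZ.com' -Force
```

If the partner publishes int.XYZ.com on the internet with different content than on the private link, everything under that name now resolves to the public view; a single host that must stay on the private side needs its own, longer conditional forwarder pointing back at the partner.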

Active directory/domain controller issues


I have a problem with my server.

1. I have one single server. We had an issue with the name so we had to change it, but it failed because it gave errors.

2. We eventually resorted to just removing it using dcpromo and then reinstalling.

After that I ran dcdiag and I get the below.

PLEASE HELP

C:\Users\Administrator.APPLSRV01_REPRO.000>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = APPLSRV01_REPRO
   [APPLSRV01_REPRO] Directory Binding Error 5:
   Access is denied.
   This may limit some of the tests that can be performed.
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\APPLSRV01_REPRO
      Starting test: Connectivity
         The host 6e28fae2-6aab-40cf-bbb2-efa9a32ec1a1._msdcs.internal.repro.co.zm could not be resolved to an IP address. Check
         the DNS server, DHCP, server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... APPLSRV01_REPRO failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\APPLSRV01_REPRO
      Skipping all tests, because server APPLSRV01_REPRO is not responding to directory service requests.


   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : internal
      Starting test: CheckSDRefDom
         ......................... internal passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... internal passed test CrossRefValidation

   Running enterprise tests on : internal.repro.co.zm
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         [APPLSRV01_REPRO] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... internal.repro.co.zm failed test LocatorCheck
      Starting test: Intersite
         ......................... internal.repro.co.zm passed test Intersite

C:\Users\Administrator.APPLSRV01_REPRO.000>
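The Connectivity test fails because the DC's own DSA GUID record, <GUID>._msdcs.internal.repro.co.zm, does not resolve; that CNAME is registered by Netlogon in the _msdcs zone and resolved through whatever DNS server the DC's own NIC points at. The added example below (not from the post; it takes the forest name and DC name from the output above and assumes Windows Server 2012 or later for the Dns* cmdlets) checks the resolver settings, whether the AD-integrated zones were loaded after re-promotion, rebuilds the GUID record name from the NTDS Settings object and resolves it, and then re-registers the locator records. Run it on the DC as a domain administrator:

```powershell
# Added example, not from the original post. Forest and DC names are read from the directory; the
# DnsClient/DnsServer cmdlets assume Windows Server 2012 or later.
Import-Module ActiveDirectory, DnsServer

$Forest = (Get-ADForest).RootDomain        # internal.repro.co.zm in the dcdiag output above
$Me     = $env:COMPUTERNAME

# 1. The DC's resolver must point at a DNS server holding _msdcs.<forest>; on a single DC that is
#    this machine itself (its own address, loopback as an alternate).
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses

# 2. Did the AD-integrated zones load after the re-promotion?
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated

# 3. The GUID dcdiag could not resolve is the objectGUID of this DC's NTDS Settings object.
$dsaDn   = (Get-ADDomainController -Identity $Me).NTDSSettingsObjectDN
$dsaGuid = (Get-ADObject -Identity $dsaDn).ObjectGUID
$record  = "$dsaGuid._msdcs.$Forest"
"Expecting CNAME $record"
Resolve-DnsName -Name $record -Type CNAME -ErrorAction SilentlyContinue | Select-Object Name, NameHost
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Forest" -Type SRV -ErrorAction SilentlyContinue |
    Select-Object NameTarget, Port

# 4. Re-register the locator records, clear the cache, and rerun the tests that failed
nltest /dsregdns
Restart-Service Netlogon
ipconfig /flushdns
dcdiag /test:Connectivity /test:DNS /v
```

If step 2 shows no _msdcs or forward zone, DNS was not reinstalled with the AD-integrated zones and the GUID record has nowhere to be registered; re-adding the DNS role on the DC and repeating step 4 puts the records back.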
