Channel: Directory Services forum

LDAP query against Domain Controller is not working.


After a Windows server OS patching party and a network equipment reboot party last night, I got an alert from one of our services this morning that LDAP syncing wasn't working.

Using an LDAP tool, I determined that I couldn't successfully LDAP browse to DC01 at this site. When I browsed to DC02, it worked.

The error with DC01 is invalid credentials even though the same works with DC02.

I have a DC01 and a DC02 at each site.  For some reason, DC01 is not allowing LDAP browsing.

We did relocate the DC's in the remote offices to an OU where WSUS was configured to look at the computer accounts.

Could moving the DC's out of the DC OU be the issue?  It's been 2 or months prior to the issue this morning.

Insights or suggestions?

Thanks

Ron


getting token for other user


Hi All,

I want to know how to get the token number of another user by executing a script.

I have a script from which I can get the token only for the user who runs the script, but I want to know the token of another user without asking him to run the script.

Please assist

Thank you

Viraj


Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Error when attempting to change password: "The security database on the server does not have a computer account for this workstation trust relationship."


The error message I'm seeing is "The security database on the server does not have a computer account for this workstation trust relationship." There's nothing wrong with the trust relationship and I have removed a computer from the domain, deleted the AD account, and re-added it to the domain successfully and I still get the same message but only when I am trying to change my password. Below are all the things I have tried unsuccessfully:

  • Removed the computer account from the domain, deleted the account, and re-added the computer to the domain.
  • Tested with domain admin account.
  • Tried changing my password logged in directly into a domain controller.
  • Issue occurs both on manual password change or forced password change.
  • Copied existing account and tried changing the password.
  • Created brand new (not copied) account in AD and tried changing the password.
  • Tried resetting password on multiple computers.
  • Removed Windows updates mentioned online that may cause this issue.

The only things that have worked are:

  • Changing a local user account's password.
  • Changing a domain account password via AD Users and Computers.

Our workstations are Windows 7 SP1 and our servers are Windows 2008 R2 SP1.

Christopher

Event ID: 5719 using 2 network adapters (different IPs)


Hi Technet.

We have an L3 security environment where I have to connect a Server 2003 machine to a second network in order for me to start the migration process to a new host (VMware services on a separate network).

This is a SQL 2000 server running Server 2003 R2 Ent. (migrating to Server 2008 R2 / SQL 2012).

Our services network is on a x.x.234.x (inc domain controller x.x.234.50)

Our production network is x.x.235.x (primary for that server) the firewall routes to DNS server on the .234 network.

subnet 255.255.255.128 (both) 

In order for me to start the migration I need the 2003 server connected to the services network (.234).

I have disabled "Register this connection's addresses in DNS" on the .234 adapter.

But within 32 hours we get an authentication failure.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Date: 8/30/2016
Time: 8:53:46 PM
User: N/A
Computer: servername
Description:
This computer was not able to set up a secure session with a domain controller in domain domain due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0

If we remove the 234 network, the system works fine.

We have another server, e.g. "orical", running with the same configuration that is working fine with the 2 network adapters on the .235 and .234 networks.

Any ideas will be appreciated.

TX


 

Lots of Kerberos Errors (EventID 16) logged on 2012 R2 DC


Hi Community,

We're running an Active Directory at functional level 2008 R2 on 2012 R2 domain controllers (only 2012 R2 DCs!). At the moment we cannot switch the functional level to 2012 R2 because we're a huge company and some services cannot work with functional level 2012 R2 yet...

We noticed lots of events (Event ID 16) for both users and clients on our DCs.

Machines (also Windows 10 Clients)
###
While processing a TGS request for the target server GC/DC.DOMAIN.local/domain.local, the account MACHINENAME$@DOMAIN.DOMAIN did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18  17. The accounts available etypes were 18  17  23  -133  -128  24  -135. Changing or resetting the password of DOMAIN.LOCAL will generate a proper key.
###

Users
###
While processing a TGS request for the target server GC/DC.DOMAIN.local/domain.local, the account USERNAME@DOMAIN.DOMAIN did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18  17. The accounts available etypes were 18  17  23  -133  -128  24  -135. Changing or resetting the password of DOMAIN.LOCAL will generate a proper key.
###

I read something about incompatible encryption-types (DES and AES) but this was related to Windows 7 Clients and NOT Windows 10 Clients.

What can I do? Or are these errors by design and can be safely ignored?

Regards
Miranda

Multiple users with the same SID_HISTORY


Hello, we are involved in a domain migration and we need to assign the same sid_history to different users.

The problem is that we need to stop using generic accounts and start using personal accounts, so the idea is to assign the sid_history of the generic account to each personal account that needs to access the folders the generic account can access.

And the problem is that ADMT doesn't allow us to do that; when we try to assign the sid_history we receive this error:

2016-09-29 12:09:48 WRN1:7814 A unique match was not found. The source object.......

Any idea?

Thank you so much, and sorry for my English, I do the best I can ;)

Create an 'Administrators' group inside a separate OU in Active Directory


Dear Community,

I'm trying to apply an LDAP use case to my Active Directory:

- I created a distinct OU to be used for authenticating a particular application in my domain.

- Inside this OU I can create any groups; this way I do not mix the different applications.

However, for my application there are requirements to have groups named "Administrators" and "Everyone".

To my understanding, the purpose of an OU is indeed to allow potentially duplicated group CNs. However, when I try to create the "Administrators" group, I get an error that this group already exists, and I assume that this is cn=Administrators,cn=builtin,dc=domain,dc=local.

What solutions could I try to achieve said effect? (The group name is an absolute prerequisite, I can't change that fact ;))

Thanks,

Content Freshness in DFSR


Hi,

Just want to know: what will be the possible impact if we do not enable Content Freshness (MaxOfflineTimeInDays) on DCs?


SSO for Google apps and Active Directory


Hello Professionals,

I have come across a situation and am looking for urgent help. The situation is as follows:

I am running a DC with OS 2012 on it. My domain is XYZ.local, and I am using a mailing solution from Google (Google Apps); emails are created as firstname.lastname@airxyz.com.

I wanted to implement Single Sign-On (SSO) for users. So, is there any way I can do it without restructuring the entire domain and migrating to a newly built domain? To sum it up:

Users login IDs:- xyz.local\firstname.lastname

email IDs:- firstname.lastname@airxyz.com

Any help is highly appreciated.

Thanks,

Simant

User Accounts and UPN's


Hi All,

I know that you can create multiple UPN suffixes within your AD forest. I was curious if it is possible for a user to have multiple UPNs. I believe the answer is no, but I wanted to confirm. For example, if my AD domain is abc.net and I add def.com and ghi.com as alternative UPN suffixes in my forest, can they have abc.net as well as def.com and/or ghi.com?

I'm curious as this could make a transition to an alternative UPN easier for us in the future.

Thank you!

GPO replication check


Hi,

How can I quickly check the replication status of a newly created or existing GPO to all domain controllers?

We have more than 50 domain controllers running on Windows 2008 R2. It is very hard to check the GPO replication status on all DCs.

Please share your advice.
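One way to check this from a single admin workstation, as an added example that is not from the thread: query the GPO's versionNumber attribute in AD and the Version line in gpt.ini on SYSVOL from every DC, then list DCs whose copy differs from the PDC emulator's. It assumes the RSAT ActiveDirectory module is installed and that you know the GPO's GUID; the GUID used below is the well-known Default Domain Policy GUID, substitute your own.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GpoVersionPerDC {
    param(
        # GUID of the GPO including braces, e.g. '{31B2F340-016D-11D2-945F-00C04FB984F9}'
        [Parameter(Mandatory)] [string] $GpoGuid
    )
    $domain = Get-ADDomain
    # AD part of the GPO: the groupPolicyContainer object under CN=Policies,CN=System
    $dn = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

    foreach ($dc in Get-ADDomainController -Filter *) {
        $adVersion = $null; $sysvolVersion = $null; $status = 'OK'
        try {
            # Ask this specific DC (not whichever one the client would pick) for its copy.
            $obj = Get-ADObject -Identity $dn -Server $dc.HostName `
                -Properties versionNumber -ErrorAction Stop
            $adVersion = $obj.versionNumber

            # SYSVOL part of the GPO: the Version= line in gpt.ini, read from this DC's share.
            $gpt = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\gpt.ini"
            $m = Select-String -Path $gpt -Pattern '^Version=(\d+)' -ErrorAction Stop
            if ($m) { $sysvolVersion = [int]$m.Matches[0].Groups[1].Value }
            else    { $status = 'gpt.ini has no Version line' }
        } catch {
            # Unreachable DC, missing object or missing file: record it instead of aborting.
            $status = $_.Exception.Message
        }
        [pscustomobject]@{
            DC            = $dc.HostName
            ADVersion     = $adVersion
            SysvolVersion = $sysvolVersion
            Status        = $status
        }
    }
}

# Usage: compare every DC against the PDC emulator, which is where GPMC writes GPO changes.
$results   = Get-GpoVersionPerDC -GpoGuid '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$pdc       = (Get-ADDomain).PDCEmulator
$reference = $results | Where-Object DC -eq $pdc
$results |
    Where-Object { $_.ADVersion -ne $reference.ADVersion -or
                   $_.SysvolVersion -ne $reference.SysvolVersion -or
                   $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```

A DC whose ADVersion matches but whose SysvolVersion lags points at DFSR/FRS SYSVOL replication rather than AD replication, which narrows where to look next.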


Access across multiple forests.


Recently company A merged with company B. Both companies have domain controllers and root forests. I have been assigning permissions to resources across the two forests by creating a Domain Local group in company B, adding Global and Universal groups from company A to it, and making the user a member of the Global group in company A to access resources in company B. Since there are two forests, is this the appropriate way to assign permissions?

Thanks in advance. 

DNS Problems after Domain Rename


I have a Server 2008 environment and I had to rename the domain. I followed the rename instructions in this video https://www.youtube.com/watch?v=RwXyi1_UDWo. Everything completed with no errors, but I am having issues with DNS. The domain started out as domain.org and I changed it to domain.local. After going through all of the steps the server is listed as server.domain.org, but it shows as part of the domain.local domain; all of the workstations are the same way. When the workstations log in and register with DNS, they register in the domain.org zone.

I have changed the primary name of the server to the new domain. I have changed DHCP to hand out the new domain suffix. I deleted the old domain DNS zone, and then the computers do not register with anything at all in DNS. When I deleted the domain.org DNS zone, workstations could not access file shares. I went through DNS and changed all references to domain.org to domain.local, and they keep changing back for the SOA and name servers. How do I get domain.org to go away and everything to start showing under domain.local? This is a single-server environment.

Any help is appreciated. 

Unable to Join Server to the Domain


This is driving me freaking nuts I have tried everything. 

09/29/2016 18:28:10:251 NetpDoDomainJoin
09/29/2016 18:28:10:251 NetpMachineValidToJoin: 'TORONTO'
09/29/2016 18:28:10:251 OS Version: 6.2
09/29/2016 18:28:10:251 Build number: 9200 (9200.win8_rtm.120725-1247)
09/29/2016 18:28:10:251 SKU: Windows Server 2012 Standard
09/29/2016 18:28:10:251 Architecture: 64-bit (AMD64)
09/29/2016 18:28:10:251 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
09/29/2016 18:28:10:251 NetpGetLsaPrimaryDomain: status: 0x0
09/29/2016 18:28:10:251 NetpMachineValidToJoin: status: 0x0
09/29/2016 18:28:10:251 NetpJoinDomain
09/29/2016 18:28:10:251 Machine: TORONTO
09/29/2016 18:28:10:251 Domain: lwginc.com
09/29/2016 18:28:10:251 MachineAccountOU: (NULL)
09/29/2016 18:28:10:251 Account: lwginc\pslager
09/29/2016 18:28:10:251 Options: 0x425
09/29/2016 18:28:10:251 NetpLoadParameters: loading registry parameters...
09/29/2016 18:28:10:251 NetpLoadParameters: status: DNSNameResolutionRequired set to '0'
09/29/2016 18:28:10:251 NetpLoadParameters: status: DomainCompatibilityMode set to '1'
09/29/2016 18:28:10:251 NetpLoadParameters: status: 0x0
09/29/2016 18:28:10:251 NetpValidateName: checking to see if 'lwginc.com' is valid as type 3 name
09/29/2016 18:28:10:610 NetpCheckDomainNameIsValid [ Exists ] for 'lwginc.com' returned 0x0
09/29/2016 18:28:10:610 NetpValidateName: name 'lwginc.com' is valid for type 3
09/29/2016 18:28:10:610 NetpDsGetDcName: trying to find DC in domain 'lwginc.com', flags: 0x1020
09/29/2016 18:28:14:534 NetpDsGetDcName: failed to find a DC having account 'TORONTO$': 0x525, last error is 0x0
09/29/2016 18:28:14:659 NetpLoadParameters: loading registry parameters...
09/29/2016 18:28:14:659 NetpLoadParameters: status: DNSNameResolutionRequired set to '0'
09/29/2016 18:28:14:659 NetpLoadParameters: status: DomainCompatibilityMode set to '1'
09/29/2016 18:28:14:659 NetpLoadParameters: status: 0x0
09/29/2016 18:28:14:659 NetpDsGetDcName: found DC '\\DC2012.LWGINC.COM' in the specified domain
09/29/2016 18:28:14:659 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
09/29/2016 18:28:14:659 NetpDisableIDNEncoding: using FQDN LWGINC.COM from dcinfo
09/29/2016 18:28:14:659 NetpDisableIDNEncoding: DnsDisableIdnEncoding(UNTILREBOOT) on 'LWGINC.COM' succeeded
09/29/2016 18:28:14:659 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
09/29/2016 18:28:15:191 NetpJoinDomainOnDs: status of connecting to dc '\\DC2012.LWGINC.COM': 0x0
09/29/2016 18:28:15:191 NetpProvisionComputerAccount:
09/29/2016 18:28:15:191 lpDomain: lwginc.com
09/29/2016 18:28:15:191 lpMachineName: TORONTO
09/29/2016 18:28:15:191 lpMachineAccountOU: (NULL)
09/29/2016 18:28:15:191 lpDcName: DC2012.LWGINC.COM
09/29/2016 18:28:15:191 lpDnsHostName: (NULL)
09/29/2016 18:28:15:191 lpMachinePassword: (null)
09/29/2016 18:28:15:191 lpAccount: lwginc\pslager
09/29/2016 18:28:15:191 lpPassword: (non-null)
09/29/2016 18:28:15:191 dwJoinOptions: 0x425
09/29/2016 18:28:15:191 dwOptions: 0x40000003
09/29/2016 18:28:15:520 NetpLdapBind: Verified minimum encryption strength on DC2012.LWGINC.COM: 0x0
09/29/2016 18:28:15:520 NetpLdapGetLsaPrimaryDomain: reading domain data
09/29/2016 18:28:15:520 NetpGetNCData: Reading NC data
09/29/2016 18:28:15:551 NetpGetDomainData: Lookup domain data for: DC=LWGINC,DC=com
09/29/2016 18:28:15:582 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=LWGINC,DC=com
09/29/2016 18:28:15:629 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
09/29/2016 18:28:15:817 NetpCheckForDomainSIDCollision: returning 0x0(0).


How to assign an ID card to a (Active Directory) user account


Hello,

I am trying to set up an ID card login for my Windows Server 2012 R2. How do I assign these ID cards (they should be MIFARE Standard 1kB cards, which cannot hold certificates and just hand over an ID)? I have an Active Directory. Unfortunately I don't have the option to use Microsoft Identity Manager to do that.

I have already done some research but still have no clue where to start.

Thanks, 

Melanie



AD LDS (ADAM) doesn't sync mail-enabled groups


Hello everyone,

There is an AD built on Windows Server 2012 R2. From that AD, another server (same OS) placed in the DMZ should be syncing users, groups and OUs to its LDS database.

Users are synced properly.
OUs are synced properly.

But only GROUPS created in AD without a mail address are synced. The mail-enabled groups are not synced. It doesn't matter if the group is global or universal.

Our last idea, still to be tested, is to see if the situation gets better after we extend the LDS schema....

Has any of you met a similar issue, or do you have ideas?

Thank you !


my CA and SHA1 certs

DC replication issue?


Hi All,

We've recently been experiencing login issues (trust relationship missing and usernames disappearing or not syncing across DCs).

I've decided to investigate and started with running dcdiag. I've attached the results. Help where to begin sorting this out would be appreciated ! :)

Not sure how to copy and paste the results. If you can help with that as well.


I can't extend Exchange Schema in AD server


Dear Support Team

We have AD on premises and Exchange on O365, and we would like to put a restriction in place so that only selected users should be able to send mail to the all group. For that we have discussed with the O365 team, whereby Mr. Hardik / Anna has advised that there is some issue with the Exchange schema; so we have downloaded the "Exchange2010-SP1-X64.exe" tool, but it gives an error and is unable to extend completely.

So we request your intervention to resolve this issue at the earliest, as it has been pending for a long time.

ADAMSYNC- Constraint Violation


I am working on a multi-domain AD LDS setup. I have it almost done; four domains out of five are sync'd. For my last domain, I have the error below in my log. Many, many, many users have been sync'd successfully before this user. This appears to be the last user to sync in this OU, as there are roughly 30 other users already sync'd.

Anyone have an idea? I can't find much out on the Internet.

A constraint violation occured when attempting to add target object CN=Joe,OU=Associates,OU=Users,OU=People,DC=LastDomain-Com,DC=CUCM,DC=Local.

This could be due to a schema mismatch. This must be fixed before synchronization can continue.

Ldap error occured. ldap_add_sWC: Constraint Violation. 

Extended Info: 000021C8: AtrErr: DSID-03200BF3, #1:
0: 000021C8: DSID-03200BF3, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (userPrincipalName)
.


