Channel: Directory Services forum
Viewing all 31638 articles

Issues with long running clients and IIS-based application


I am currently trying to identify the source of intermittent issues being experienced by "always on" clients when connecting to an IIS-supported web application. While logged in as Windows 7/64 domain clients, and authenticated to the IIS-supported application, they experience the data being fed to the IIS application "stalling" but remain connected to the application (i.e. they aren't kicked out of the application, the data in the app just stops updating). This problem can be fixed by logging out and logging back in to the application. I haven't had success with internal IT staff diagnosing the issue at the application level (they insist everything is OK and a reboot is the solution), so I thought I'd reach out here for ideas as to where to start looking. The problem seems most notable when the clients are running overnight, but it has occurred at other times throughout the day. I was starting from the user account and moving forward and thought I would see if there are config elements within AD that I need to have my IT staff review. Is something changing due to an overnight reboot of domain controller hardware? We have a multiple-DC environment.

Any thoughts are appreciated very much.


Logonserver script


Hi All,

Would like to ask if it's possible to create a logon script like: if the computer/user has an IP segment of 10.10.x.x then the logonserver for this user will be DC1, and if the IP segment of the user is 10.40.x.x then the logonserver for this user will be DC2.

Is that possible?

Thank you!
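
Added example, not part of the post above. The "logon server by IP segment" rule is something Active Directory already applies on its own: the Netlogon DC locator maps the client's IP to a site through the subnet objects under AD Sites and Services and prefers a DC in that site, so the rule is expressed as sites and subnets rather than as a logon script. The block below builds that mapping and then resolves an arbitrary IPv4 address to the site AD would choose, by longest-prefix match over the subnet objects. The site names, subnets, DC names and domain (Site-10-10, Site-10-40, DC1, DC2, contoso.com) are hypothetical; the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not from the original post. Site names, subnets and DC names
# (Site-10-10, Site-10-40, DC1, DC2, contoso.com) are hypothetical; the
# ActiveDirectory module (RSAT) is assumed.
Import-Module ActiveDirectory

# One site per DC, one subnet per site. DC locator maps the client IP to a site via
# CN=Subnets,CN=Sites,CN=Configuration and prefers a DC in that site.
$layout = @(
    @{ Site = 'Site-10-10'; Subnet = '10.10.0.0/16'; DC = 'DC1' },
    @{ Site = 'Site-10-40'; Subnet = '10.40.0.0/16'; DC = 'DC2' }
)
foreach ($entry in $layout) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($entry.Site)'")) {
        New-ADReplicationSite -Name $entry.Site
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($entry.Subnet)'")) {
        New-ADReplicationSubnet -Name $entry.Subnet -Site $entry.Site
    }
    # Moving the server object into the site is what makes DC1 "the" DC for 10.10.x.x
    Move-ADDirectoryServer -Identity $entry.DC -Site $entry.Site
}

# Verification: resolve a client IPv4 to the site AD would pick (longest prefix wins).
function ConvertTo-UInt32Address ([string]$IPv4) {
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [Array]::Reverse($bytes)                    # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}
function Get-ADSiteForIPv4 ([string]$ClientIPv4) {
    $client = ConvertTo-UInt32Address $ClientIPv4
    $best = $null
    foreach ($subnet in Get-ADReplicationSubnet -Filter * -Properties Site) {
        # Skip IPv6 subnet objects; only dotted-quad/prefix names are handled here
        if (-not ($subnet.Name -match '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$')) { continue }
        $network = ConvertTo-UInt32Address $Matches[1]
        $prefix  = [int]$Matches[2]
        $mask    = [uint32]((0xFFFFFFFF -shl (32 - $prefix)) -band 0xFFFFFFFF)
        if (($client -band $mask) -ne ($network -band $mask)) { continue }
        if ($null -eq $best -or $prefix -gt $best.Prefix) {
            $siteName = if ($subnet.Site) { ($subnet.Site -split ',')[0] -replace '^CN=' } else { '(no site)' }
            $best = [pscustomobject]@{ Client = $ClientIPv4; Subnet = $subnet.Name; Prefix = $prefix; Site = $siteName }
        }
    }
    $best   # $null means the IP is in no subnet object: the client gets a DC from any site
}

Get-ADSiteForIPv4 '10.40.12.7'
# Cross-check from a client in that segment (Netlogon's own answer):
#   nltest /dsgetdc:contoso.com /force
#   $env:LOGONSERVER
```

A client whose address falls in no subnet object is the usual reason a "wrong" DC gets picked, which is why the resolver returns $null for that case rather than guessing.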

Sid History removal from 2007


Hi, guys,

In my DC I'm noticing some groups with SID History. One of our applications is trying to reach out to a SID (which ended up being the SID History attribute), causing unnecessary event logs. I wasn't here when the migration process happened; it was completed in 2007. So I think it's safe to remove the SID History attribute.

What are your thoughts?

Thanks
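
Added example, not part of the post above. sIDHistory is what still lets a group's members through any ACL that names the old domain's SIDs, so the check a practitioner wants before clearing it is whether anything is still ACLed with those SIDs. The block inventories every group carrying sIDHistory, keeps a copy (values can be deleted over LDAP but not added back), scans a file tree for ACEs that reference the old SIDs, and only then removes the values, as a dry run. The share path and CSV file name are hypothetical; the ActiveDirectory module is assumed.

```powershell
# Added example, not from the original post. The share path and output file are
# hypothetical; the ActiveDirectory module is assumed, and the account running this
# needs write access to sIDHistory on the groups.
Import-Module ActiveDirectory

# 1. Inventory: every group that still carries sIDHistory, one row per old SID.
$history = Get-ADGroup -Filter 'sIDHistory -like "*"' -Properties sIDHistory |
    ForEach-Object {
        foreach ($sid in $_.sIDHistory) {
            [pscustomobject]@{ Group = $_.DistinguishedName; OldSid = $sid.Value }
        }
    }
$history | Export-Csv -Path .\sidhistory-backup.csv -NoTypeInformation   # keep it: values cannot be re-added over LDAP
$oldSids = @($history.OldSid | Sort-Object -Unique)

# 2. Check before removal: any resource whose ACL names one of the old SIDs loses
#    that access the moment the attribute is cleared.
function Find-OldSidInAcl ([string]$Path) {
    $acl = Get-Acl -Path $Path
    # Ask for raw SIDs so stale (unresolvable) principals are not hidden behind names
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($oldSids -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Path = $Path; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}
$hits = Get-ChildItem -Path '\\fileserver\data' -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Find-OldSidInAcl $_.FullName }
$hits | Format-Table -AutoSize

# 3. Removal, one value at a time, dry run first; drop -WhatIf once $hits is empty
#    (or the ACEs have been re-pointed at the current groups).
foreach ($row in $history) {
    Set-ADGroup -Identity $row.Group -Remove @{ sIDHistory = $row.OldSid } -WhatIf
}
```

The same scan applies to anything else that stores SIDs (registry keys, SQL logins, share permissions); the file-system walk is just the most common place the 2007-era SIDs survive.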

LDAP queries fail on Windows 2012 domain controller running 2008 forest level


We have a lab domain where all LDAP queries fail with invalid credentials.  Domain controller is Windows 2012 with Windows 2008 forest level.  We've tried many different ways and they all fail.  The passwords are right and the accounts are not locked out.  We have searched the web for answers and tried many fixes.

We get the following error from various tools:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C9, comment: AcceptSecurityContext error, data 5, v23f0]

The data 5 error is not an error we find listed anywhere.  All of the error codes are 5xx and not just a single digit.  Ideas anyone?
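
Added example, not part of the post above. The "data NNN" value after "AcceptSecurityContext error" is the Win32 status code, in hex, that LSA returned for the bind: the familiar three-digit entries (52e = 1326 ERROR_LOGON_FAILURE, 775 = 1909 ERROR_ACCOUNT_LOCKED_OUT, and so on) are just the hex forms of those codes, and a value outside that table is still a Win32 code. The block decodes any such message (for "data 5" that is Win32 error 5, ERROR_ACCESS_DENIED) and reproduces the bind with System.DirectoryServices.Protocols so the server's message can be captured directly. The server name, account names and port are hypothetical.

```powershell
# Added example, not from the original post. Server name, account and port are
# hypothetical. Uses the System.DirectoryServices.Protocols assembly shipped with Windows.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# The hex "data" value is a Win32 status; these are the ones AD commonly returns.
$knownSubcodes = @{
    '525' = 'ERROR_NO_SUCH_USER (user not found)'
    '52e' = 'ERROR_LOGON_FAILURE (bad user name or password)'
    '530' = 'ERROR_INVALID_LOGON_HOURS'
    '531' = 'ERROR_INVALID_WORKSTATION'
    '532' = 'ERROR_PASSWORD_EXPIRED'
    '533' = 'ERROR_ACCOUNT_DISABLED'
    '701' = 'ERROR_ACCOUNT_EXPIRED'
    '773' = 'ERROR_PASSWORD_MUST_CHANGE'
    '775' = 'ERROR_ACCOUNT_LOCKED_OUT'
}
function Get-LdapBindDiagnostic ([string]$ServerMessage) {
    if (-not ($ServerMessage -match 'AcceptSecurityContext error, data ([0-9A-Fa-f]+)')) { return $null }
    $hex   = $Matches[1].ToLower()
    $win32 = [Convert]::ToInt32($hex, 16)
    # Anything outside the table is still a Win32 code; ask Windows for its text.
    $meaning = if ($knownSubcodes.ContainsKey($hex)) { $knownSubcodes[$hex] }
               else { (New-Object System.ComponentModel.Win32Exception($win32)).Message }
    [pscustomobject]@{ Data = $hex; Win32Code = $win32; Meaning = $meaning }
}

function Test-LdapBind {
    param([string]$Server, [string]$UserName, [string]$Password, [int]$Port = 0, [switch]$PlainLdap)
    if ($Port -eq 0) { $Port = if ($PlainLdap) { 389 } else { 636 } }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $cred = New-Object System.Net.NetworkCredential($UserName, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind: password goes on the wire
    $conn.SessionOptions.SecureSocketLayer = -not $PlainLdap                  # so default to LDAPS
    try {
        $conn.Bind()
        [pscustomobject]@{ Server = $Server; User = $UserName; Bound = $true; Diagnostic = $null }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        [pscustomobject]@{ Server = $Server; User = $UserName; Bound = $false
                           Diagnostic = Get-LdapBindDiagnostic $_.Exception.ServerErrorMessage }
    } finally { $conn.Dispose() }
}

# Decode the message quoted in the post without touching the network:
Get-LdapBindDiagnostic '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C9, comment: AcceptSecurityContext error, data 5, v23f0]'

# Live bind with both name forms a simple bind accepts; if the UPN form binds while
# the DN form fails, the problem is on the naming side, not the password.
Test-LdapBind -Server 'dc1.lab.local' -UserName 'svc-ldap@lab.local' -Password 'REPLACE-ME'
Test-LdapBind -Server 'dc1.lab.local' -UserName 'CN=svc-ldap,OU=Service,DC=lab,DC=local' -Password 'REPLACE-ME'
```

Because a simple bind sends the password in clear text, the helper defaults to LDAPS on 636; use -PlainLdap only against a lab DC you control.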

Site and services couple of questions


Hi,
I am doing some AD troubleshooting... have some questions.

1. In AD Sites and Services with multiple sites that have DCs in many of them, there are no NTDS Settings objects in most of the sites with DCs (see pic).
Is it normal? My sites with DCs do have NTDS Settings.

2. When right click on NTDS Settings object, there is a menu with options "Replicate Configuration from the selected DC" and  "Replicate Configuration to the selected DC" in 2 of my sites.
However there is a site with the menu without these options on NTDS Settings object. (Menu: New AD Domain services connection, Find etc )

Why are the menus different?

Thanks.

The pic for question 1:


--- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

Can Windows 2016 domain controller join to Windows 2003 active directory?


I was searching the internet how to upgrade Windows 2003 active directory to Windows 2016 but I couldn't find any documents.

Can Windows 2016 DC join to Windows 2003 active directory?

How to find a what computer a service account with the wrong password is logging into

We have a service account that various copiers and "services" use in AD. The problem is that one of these devices keeps locking the account because it has the wrong password. Is there an easy way in the audit log to find which machine is the culprit?
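
Added example, not part of the post above. Every lockout is processed by the PDC emulator, which writes event 4740 with the caller computer name, while the bad-password attempts themselves land on whichever DC validated them: 4771 (Kerberos pre-authentication failed) carries the client IP and 4776 (NTLM credential validation) carries the workstation name, which is what copiers and similar devices usually generate. The block pulls all three for one account across the domain. The account name 'svc-copier' and the seven-day window are hypothetical; the ActiveDirectory module and remote event-log read rights on the DCs are assumed, as is auditing of the User Account Management, Kerberos Authentication Service and Credential Validation subcategories.

```powershell
# Added example, not from the original post. 'svc-copier' and the 7-day window are
# hypothetical; ActiveDirectory module and event-log read rights on the DCs assumed.
Import-Module ActiveDirectory
$account = 'svc-copier'
$since   = (Get-Date).AddDays(-7)

function ConvertFrom-EventData ($Event) {
    # Flatten <EventData><Data Name=...> into a hashtable so fields can be read by name
    $map = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $map[$_.Name] = $_.'#text' }
    $map
}

# 1. The lockout itself: event 4740 on the PDC emulator (Audit User Account Management).
#    TargetDomainName in this event is the "Caller Computer Name".
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since; Data = $account } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Event = 4740; Account = $d.TargetUserName; Source = $d.TargetDomainName; DC = $pdc }
    }

# 2. The bad passwords: 4771 (Kerberos, Audit Kerberos Authentication Service) has the
#    client IP; 4776 (NTLM, Audit Credential Validation) has the workstation name.
#    They are logged on the DC that validated the attempt, so ask every DC.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $since; Data = $account } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_                         # switch rebinds $_, so keep the event
            $d = ConvertFrom-EventData $evt
            switch ($evt.Id) {
                4771 { if ($d.Status -eq '0x18') {        # KDC_ERR_PREAUTH_FAILED: wrong password
                           [pscustomobject]@{ Time = $evt.TimeCreated; Event = 4771; Account = $d.TargetUserName; Source = $d.IpAddress; DC = $dc } } }
                4776 { if ($d.Status -eq '0xc000006a') {  # STATUS_WRONG_PASSWORD
                           [pscustomobject]@{ Time = $evt.TimeCreated; Event = 4776; Account = $d.TargetUserName; Source = $d.Workstation; DC = $dc } } }
            }
        }
}
```

The 4776 Workstation field is whatever the device sent, which for a copier is often its own hostname or blank; when it is blank, the 4771 IpAddress or the DC's own network trace is the fallback.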

DNS Problems after Domain Rename


I have a Server 2008 environment and I had to rename the domain. I followed the rename instructions in this video https://www.youtube.com/watch?v=RwXyi1_UDWo. Everything completed with no errors but I am having issues with DNS. The domain started out as domain.org and I changed it to domain.local. After going through all of the steps the server is listed as server.domain.org but it shows it as part of the domain.local domain; all of the workstations are the same way. When the workstations log in and register with DNS they register in the domain.org zone. I have changed the primary name of the server to the new domain. I have changed DHCP to hand out the new domain suffix. I deleted the old domain DNS zone and then the computers do not register with anything at all in DNS. When I deleted the domain.org DNS zone workstations could not access file shares. I went through DNS and changed all references to domain.org to domain.local and they keep changing back for the SOA and name servers. How do I get domain.org to go away and everything to start showing under domain.local? This is a single server environment.

Any help is appreciated. 


Last error: 8457 (0x2109): The destination server is currently rejecting replication requests.


My replications are not working properly. I have run repadmin /showrepl and this produces the result below; can anybody help with this?

 

Repadmin: running command /showrepl against full DC localhost

Default-First-Site\ABCFILE10

DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL

Site Options: (none)

DSA object GUID: f028fefc-3c33-45cb-bd5b-1af941257eb4

DSA invocationID: a25e775c-d34d-4e8c-8e5f-50d6a8d80117

 

==== INBOUND NEIGHBORS ======================================

 

DC=penzanceco,DC=local

    Walker\ABCFILE2 via RPC

        DSA object GUID: 7492f21f-d251-40c1-bc21-7a36940b8eb0

        Last attempt @ 2010-10-18 10:26:23 failed, result 8457 (0x2109):

            The destination server is currently rejecting replication requests.

        41 consecutive failure(s).

        Last success @ 2010-10-12 20:09:35.

    Default-First-Site\ABCPRINT via RPC

        DSA object GUID: 3b3ee4aa-7420-4ca9-af9d-790301726088

        Last attempt @ 2010-10-18 10:40:17 failed, result 8457 (0x2109):

            The destination server is currently rejecting replication requests.

        826 consecutive failure(s).

        Last success @ 2010-10-12 20:29:10.

 

CN=Configuration,DC=penzanceco,DC=local

    Default-First-Site\ABCPRINT via RPC

        DSA object GUID: 3b3ee4aa-7420-4ca9-af9d-790301726088

        Last attempt @ 2010-10-18 09:56:23 failed, result 8457 (0x2109):

            The destination server is currently rejecting replication requests.

        14 consecutive failure(s).

        Last success @ 2010-10-12 19:54:35.

    Walker\ABCFILE2 via RPC

        DSA object GUID: 7492f21f-d251-40c1-bc21-7a36940b8eb0

        Last attempt @ 2010-10-18 10:26:23 failed, result 8457 (0x2109):

            The destination server is currently rejecting replication requests.

        42 consecutive failure(s).

        Last success @ 2010-10-12 20:09:35.

 

CN=Schema,CN=Configuration,DC=penzanceco,DC=local

    Default-First-Site\ABCPRINT via RPC

        DSA object GUID: 3b3ee4aa-7420-4ca9-af9d-790301726088

        Last attempt @ 2010-10-18 09:56:23 failed, result 8457 (0x2109):

            The destination server is currently rejecting replication requests.

        13 consecutive failure(s).

        Last success @ 2010-10-12 19:54:35.

    Walker\ABCFILE2 via RPC

        DSA object GUID: 7492f21f-d251-40c1-bc21-7a36940b8eb0

        Last attempt @ 2010-10-18 10:26:23 failed, result 8457 (0x2109):

            The destination server is currently rejecting replication requests.

        42 consecutive failure(s).

        Last success @ 2010-10-12 20:09:35.

 

DC=ForestDnsZones,DC=penzanceco,DC=local

    Default-First-Site\ABCPRINT via RPC

        DSA object GUID: 3b3ee4aa-7420-4ca9-af9d-790301726088

        Last attempt @ 2010-10-18 09:56:23 failed, result 8457 (0x2109):

            The destination server is currently rejecting replication requests.

        13 consecutive failure(s).

        Last success @ 2010-10-12 19:54:35.

    Walker\ABCFILE2 via RPC

        DSA object GUID: 7492f21f-d251-40c1-bc21-7a36940b8eb0

        Last attempt @ 2010-10-18 10:26:23 failed, result 8457 (0x2109):

            The destination server is currently rejecting replication requests.

        38 consecutive failure(s).

        Last success @ 2010-10-12 20:09:35.

 

DC=DomainDnsZones,DC=penzanceco,DC=local

    Default-First-Site\ABCPRINT via RPC

        DSA object GUID: 3b3ee4aa-7420-4ca9-af9d-790301726088

        Last attempt @ 2010-10-18 09:56:23 failed, result 8457 (0x2109):

            The destination server is currently rejecting replication requests.

        13 consecutive failure(s).

        Last success @ 2010-10-12 19:54:35.

    Walker\ABCFILE2 via RPC

        DSA object GUID: 7492f21f-d251-40c1-bc21-7a36940b8eb0

        Last attempt @ 2010-10-18 10:26:23 failed, result 8457 (0x2109):

            The destination server is currently rejecting replication requests.

        42 consecutive failure(s).

        Last success @ 2010-10-12 20:09:35.

 

Source: Default-First-Site\ABCPRINT

******* 808 CONSECUTIVE FAILURES since 2010-10-12 20:29:10

Last error: 8457 (0x2109):

            The destination server is currently rejecting replication requests.

 

Source: Walker\ABCFILE2

******* 42 CONSECUTIVE FAILURES since 2010-10-12 20:09:35

Last error: 8457 (0x2109):

            The destination server is currently rejecting replication requests.
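
Added example, not part of the post above. The first lines of the repadmin output already name the reason for 8457: "DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL" means ABCFILE10 itself is refusing replication. That flag is set either by an administrator or by the DC on its own after detecting a USN rollback (a DC restored from a snapshot or disk image), and clearing it blindly in the second case replays a database lineage the partners have already seen. The block checks the Directory Service log for why the flag was set before clearing it. The DC name comes from the post; the event IDs used are 2095 and 2103 (USN rollback / unsupported restore) and 1113 and 1115 (inbound / outbound replication disabled by a user).

```powershell
# Added example, not from the original post. ABCFILE10 is the DC named in the
# repadmin output above; RSAT (repadmin) and remote event-log read rights are assumed.
$dc = 'ABCFILE10'

# Current state of the flags that produce 8457 on the partners
$flags = repadmin /options $dc | Where-Object { $_ -match 'DISABLE_(INBOUND|OUTBOUND)_REPL' }

# Why they were set: the DC records that itself.
$why = Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 1113, 1115 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Meaning'; e = { switch ($_.Id) {
        2095 { 'USN rollback detected: replication disabled by the DC itself' }
        2103 { 'Database restored by an unsupported method (USN rollback); DC isolated' }
        1113 { 'Inbound replication disabled by a user' }
        1115 { 'Outbound replication disabled by a user' } } } }
$why | Format-Table -AutoSize

if ($why.Id -contains 2095 -or $why.Id -contains 2103) {
    # Re-enabling here would push already-acknowledged USNs back into the forest.
    Write-Warning "$dc reports a USN rollback. Do not re-enable replication; force-demote it, clean its metadata, and promote it again."
} elseif ($flags) {
    # Only an administrative disable (1113/1115) is safe to undo in place.
    repadmin /options $dc -DISABLE_INBOUND_REPL
    repadmin /options $dc -DISABLE_OUTBOUND_REPL
    repadmin /syncall $dc /AdeP          # pull from all partners, all partitions, cross-site
    repadmin /replsummary                # partners should stop reporting 8457 on the next cycle
} else {
    Write-Output "$dc has no replication-disable flags set; 8457 must be coming from elsewhere."
}
```

The last success in the output is six days before the last attempt, so the tombstone lifetime is not in play yet; that changes the picture if the flag stays set for longer than the forest's tombstone lifetime.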

 

 

Task Scheduler logon failure error using gMSA


I have a domain controller running Server 2012 R2, and am trying to get a Task Scheduler event to run using a gMSA on it. I've created a group Managed Service Account (gMSA) using the steps located at https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/. However, when I try to run the scheduled task the following error is generated in Event Viewer:

Failure occurred in "LogonUserExEx". User Action: Ensure the credentials for the task are correctly specified. Additional Data: Error Value: 2147943726.

I ran the command Test-ADServiceAccount -Identity gmsaAccount$ and the result is True, so it appears that the account is working. I have verified the gMSA account is configured with "Log on as a batch job" in the Local Security Policy. Any help on what could be the cause of my issue would be greatly appreciated.

Thanks,
EJ
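
Added example, not part of the post above. Error value 2147943726 is 0x8007052E, an HRESULT wrapping Win32 error 1326 (ERROR_LOGON_FAILURE). A gMSA has no password an administrator can type: the host fetches it from AD when the task starts, which only works when the task was registered with logon type "Password" and no stored credential, on a host that is allowed to retrieve the managed password. The block decodes the error, verifies the host can use the account, and registers the task the way Task Scheduler needs for a gMSA. The names (gmsaAccount, C:\Scripts\job.ps1, the task name) are hypothetical; run it on the DC that hosts the task, with the ActiveDirectory and ScheduledTasks modules.

```powershell
# Added example, not from the original post. Names (gmsaAccount, C:\Scripts\job.ps1,
# 'gMSA-Job') are hypothetical; run on the host of the task with the ActiveDirectory
# and ScheduledTasks modules.
Import-Module ActiveDirectory

# The error value from the post, decoded: HRESULT 0x8007052E wraps Win32 1326.
$hresult = 2147943726
$win32   = [int]($hresult -band 0xFFFF)
(New-Object System.ComponentModel.Win32Exception($win32)).Message

$gmsa = 'gmsaAccount'

# 1. This host must be allowed to retrieve the managed password and must have the
#    account installed locally; Test-ADServiceAccount returning True covers both.
Install-ADServiceAccount -Identity $gmsa -ErrorAction SilentlyContinue
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    $allowed = (Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
    throw "$env:COMPUTERNAME cannot use $gmsa. PrincipalsAllowedToRetrieveManagedPassword = $($allowed -join '; ')"
}

# 2. Register with LogonType Password and *no* password: Task Scheduler then asks LSA
#    for the gMSA credential at run time. The GUI cannot do this because it insists
#    on a typed password, and a stored password for a gMSA is always wrong (1326).
$domain    = (Get-ADDomain).NetBIOSName
$runAs     = '{0}\{1}$' -f $domain, $gmsa
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\job.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId $runAs -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'gMSA-Job' -Action $action -Trigger $trigger -Principal $principal -Force

# 3. Run it once and read back the stored principal and the result
#    (LastTaskResult 0 = success; 2147943726 again = still a logon failure).
Start-ScheduledTask -TaskName 'gMSA-Job'
Start-Sleep -Seconds 5
Get-ScheduledTask -TaskName 'gMSA-Job' |
    Select-Object TaskName, @{ n = 'RunAs'; e = { $_.Principal.UserId } }, @{ n = 'LogonType'; e = { $_.Principal.LogonType } }
Get-ScheduledTaskInfo -TaskName 'gMSA-Job' | Select-Object LastRunTime, LastTaskResult
```

On a domain controller a task that runs with highest privileges is code execution as the DC, whatever account it uses, so the script file path must be writable by administrators only.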

AD Full Forest Restore


Hi,

I'm looking at making some schema changes for Microsoft LAPS, which looks straightforward enough. To get this past change control I need a roll-back/roll-out plan. From reading, the only way really to deal with a schema change that's gone wrong is to perform a full forest recovery, which sounds a bit painful (https://blogs.technet.microsoft.com/askpfeplat/2012/05/28/best-practices-for-implementing-schema-updates-or-how-i-learned-to-stop-worrying-and-love-the-forest-recovery/).

Furthermore, the only official documentation from MS I've found on this is for Server 2003, not 2008. My environment consists of around 5000 users, 100+ servers, Exchange, SCCM and the usual stuff you'd expect to see in an organisation with multiple sites.

1. What's the official way to do an AD forest restore (a link with detailed steps would be appreciated)?

2. An alternative approach I'm thinking of is:

A. Powering off all DCs.

B. Taking a snapshot of my PDC and schema master as they're switched off. 
B1. Power on the PDC and schema master.
B2. Test my change.
B3. If working, then power on all servers.
B4. If not working, then restore the servers in B via snapshot.

I realise that some services will be unavailable at 2am for a period of time, which isn't ideal.

What's the recommended approach?



IT Support/Everything

_msdcs folder in DNS


We have an old DC in the _msdcs subfolder of our domain.com zone. It contained a record for a long since removed DC and only that server was listed. It was also listed with a timestamp of static. This was revealed by running DCDIAG /test:dns, which showed a glue record error for domain.com.

I added the DCs of our domain to it manually for now. But shouldn't this folder be updated automatically as DCs are promoted and demoted? If so, how do I configure it to update automatically?

We also have a domain _msdcs.domain.com and it contains all the records of our current DCs along with sub folders for dc, domains, gc and pdc. It appears to be updating automatically as the recent promotion of a new DC and demotion of an older DC


DFS Replication Role


Hello,
I'm writing to ask a question regarding the DFS Replication role on a Domain Controller (Windows Server 2008 R2 or Windows Server 2012 R2).

After a server is promoted as Domain Controller, this is what I see regarding File and Storage Services:

DFS Replication Not Installed

DFS Replication is not installed.
Now I have a Domain Controller where DFS Replication was installed (manually). My question is: what will happen if I remove the DFS Replication role? Does the DC continue to work?

Thank you,
Luca


Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.

new to AD - question about local administrator permission


Hello, I am having some trouble with consistent local administrator access. I am new to AD and could use some help to determine how/why on some PCs my user account appears to have local admin access, and on other PCs it does not. I am a member of the "desktop admins" group in AD, and on computers A and B that group is added to the local Administrators group. However, on computer A, when I run a command prompt, it shows "Administrator:", but on computer B it does not.

My goal is to use a batch/script in SCCM Task Sequence to copy an icon from a unc path to c:\users\public\desktop, but the task keeps failing because I need to provide local admin access to write to the public desktop.

Sorry if this is kind of vague and doesn't make much sense.

MFA SMS gateway


Hi all,

Can you please help with a small query?

Does an Azure MFA Server on-premises installation need an SMS gateway to be installed and configured on-premises, or will SMS be routed through the Azure service only?


How To Find Out If The Computer Account(s) Is Active?


Similar to AD user account last logon, is there a way to find out when AD computer accounts were last active? I have about 132 computer accounts in question that I am not sure are good.

This is across multiple domains. I know some servers are already decommissioned but the accounts are not deleted from AD yet. In other words, the server is online, its AD account is active, and it's NOT in production. I need to find out its last activity so I can escalate to the responsible person to shut it down and clean up in AD. Thanks.


Thang Mo
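
Added example, not part of the post above. Two replicated attributes answer "has this machine been active" across every domain of the forest: lastLogonTimestamp (replicated, but only refreshed when it is more than roughly 14 days old, so it is a coarse signal) and pwdLastSet (a domain member rotates its machine password every 30 days by default, so a stale value means the machine has not talked to a DC in a long while). The non-replicated lastLogon gives the exact time but has to be read from every DC. The block reports accounts where all signals are older than the cutoff, then resolves the exact last logon for one candidate before escalation. The 90-day threshold, CSV path and computer name are hypothetical; the ActiveDirectory module and read access to every domain are assumed.

```powershell
# Added example, not from the original post. The 90-day threshold, CSV path and
# 'FILESRV01' are hypothetical; ActiveDirectory module and forest-wide read access assumed.
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-90)

function ConvertFrom-FileTimeOrNever ($Value) {
    if ($Value) { [DateTime]::FromFileTime($Value) } else { [DateTime]::FromFileTime(0) }   # 1601 = never
}

# lastLogonTimestamp is replicated but only refreshed when >~14 days old (coarse);
# pwdLastSet rotates every 30 days on a live member. Both stale = very likely dead.
$report = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADComputer -Server $domain -Filter "Enabled -eq 'True'" -Properties lastLogonTimestamp, pwdLastSet, operatingSystem, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Domain      = $domain
                Name        = $_.Name
                OS          = $_.operatingSystem
                Created     = $_.whenCreated
                LastLogonTS = ConvertFrom-FileTimeOrNever $_.lastLogonTimestamp
                PwdLastSet  = ConvertFrom-FileTimeOrNever $_.pwdLastSet
                DN          = $_.DistinguishedName
            }
        } |
        # whenCreated guards against flagging accounts pre-staged but not yet joined
        Where-Object { $_.LastLogonTS -lt $cutoff -and $_.PwdLastSet -lt $cutoff -and $_.Created -lt $cutoff }
}
$report | Sort-Object Domain, LastLogonTS | Export-Csv -Path .\stale-computers.csv -NoTypeInformation

# Exact last logon for one candidate: lastLogon is not replicated, so take the newest
# value across every DC of its domain before telling an owner the box is dead.
function Get-ExactLastLogon ([string]$Domain, [string]$ComputerName) {
    $latest = [DateTime]::FromFileTime(0)
    foreach ($dc in (Get-ADDomainController -Server $Domain -Filter *)) {
        $c = Get-ADComputer -Server $dc.HostName -Identity $ComputerName -Properties lastLogon -ErrorAction SilentlyContinue
        if ($c -and $c.lastLogon -and $c.lastLogon -gt $latest.ToFileTime()) {
            $latest = [DateTime]::FromFileTime($c.lastLogon)
        }
    }
    [pscustomobject]@{ Computer = $ComputerName; Domain = $Domain; LastLogon = $latest; DCsQueried = (Get-ADDomainController -Server $Domain -Filter *).Count }
}
Get-ExactLastLogon -Domain (Get-ADDomain).DNSRoot -ComputerName 'FILESRV01'
```

Disable the account and move it to a holding OU before deleting it: a deleted computer object whose machine is in fact still running will fail its next secure-channel check, and an enabled orphan account is a standing credential that an attacker can claim with a password reset.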

Integration with Succesfactor group assignment?


Hello All,

Please guide me: is it possible to map AD groups to Succesfactor groups?

Example:

There is a group in AD called ACCESS and the same permission group is created in Succesfactor, for which the user authentication source is AD.

I want that if I assign group ACCESS to user MAT in AD, the same group must be assigned to MAT in Succesfactor.

Thanks,

TB

Domain name Change


Hello Everyone,

To meet the company expansion, my manager is asking me to work on a new project that changes the domain name from "ABC" to "XYZ.LOCAL" or "XYZ.COM".

Our company has public access with the website name XYZ.COM (hosted by our vendor).

Will it cause any issue if I change our network domain name to "XYZ.COM"?

Some online articles also say it's better to have a network domain name like "something.XYZ.COM"; what is the best practice for the domain name and why?

What do I need to look for when changing the domain name?

FYI, I'm currently running on 2012 DC.

Regards,

Key

Fine Grained Password Policy-Password expiration reminder frequency and custom message


Dear all,

We have a fine-grained password policy implemented in our domain and it is working as expected.

We have observed that the password change reminder balloon message stays for a few seconds (less than 5 sec) and most of the time it is ignored by users, creating problems.

With FGPP, is it possible to increase the display time of the reminder message, and can we put in our own custom message?

In short, we are looking for the Interactive Logon setting that displays the password change notification.

-Atul



TheAtulA
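
Added example, not part of the post above. The logon balloon's lead time is the security option "Interactive logon: Prompt user to change password before expiration"; its text and display time are not configurable. A custom message therefore has to come from somewhere else, and for FGPP users the right input is the constructed attribute msDS-UserPasswordExpiryTimeComputed, which the DC calculates from whichever PSO actually applies, so the script does not have to work out the resultant policy itself. The block lists users within a warning window and mails them a message of your own wording. The SMTP server, sender address and 14-day window are hypothetical; the ActiveDirectory module is assumed.

```powershell
# Added example, not from the original post. SMTP server, sender address and the
# 14-day window are hypothetical; the ActiveDirectory module is assumed.
Import-Module ActiveDirectory
$warnDays = 14
$now = Get-Date

# msDS-UserPasswordExpiryTimeComputed already reflects the resultant PSO (or the
# default domain policy), as a FILETIME; Int64.MaxValue means "never expires".
$users = Get-ADUser -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" -Properties mail, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $ft = $_.'msDS-UserPasswordExpiryTimeComputed'
        if (-not $ft -or $ft -eq [Int64]::MaxValue) { return }      # nothing to warn about
        $expires = [DateTime]::FromFileTime($ft)                   # pwdLastSet = 0 yields 1601 and drops out below
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_ -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Sam      = $_.SamAccountName
            Mail     = $_.mail
            Expires  = $expires
            DaysLeft = [math]::Floor(($expires - $now).TotalDays)
            Policy   = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        }
    } | Where-Object { $_.DaysLeft -ge 0 -and $_.DaysLeft -le $warnDays -and $_.Mail }

foreach ($u in $users) {
    $body = "Your password expires on {0} ({1} days from now, policy: {2}). Press Ctrl+Alt+Del and choose 'Change a password' before then." -f
            $u.Expires.ToString('yyyy-MM-dd HH:mm'), $u.DaysLeft, $u.Policy
    Send-MailMessage -To $u.Mail -From 'it-notify@example.com' -SmtpServer 'smtp.example.com' `
                     -Subject "Password expires in $($u.DaysLeft) days" -Body $body
}
$users | Format-Table Sam, Expires, DaysLeft, Policy -AutoSize
```

Run it as a daily scheduled task; because the expiry comes from the DC's own computation, users under different PSOs are handled without any per-policy logic in the script.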

users can't change expired password.


Hi.
Some users in my company can't change their password after expiration. When trying, the system returns information that there is no server available to change passwords. We have an AD domain on 2012 R2 servers and Windows 10 clients. Everything was working OK until last month. Of course, there are about 4 AD controllers available on the LAN and via IPsec tunnels. How can I diagnose the problem?
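
Added example, not part of the post above. A Ctrl+Alt+Del password change is sent to a writable DC that advertises the KDC service, chosen by the DC locator, and the change itself is Kerberos kpasswd on TCP/UDP 464 (with 88 for the ticket); LDAP on 389 and SMB on 445 being reachable is not enough. A DC that the locator hands out but that cannot be reached on 464, which is a typical gap in an IPsec tunnel opened for "AD traffic", cannot serve the change. The block shows what the locator selects from the affected client, probes every writable DC on each port the change needs, and checks the machine's own secure channel. The domain is taken from the client's membership; run it from an affected Windows 10 client with RSAT.

```powershell
# Added example, not from the original post. Run from an affected Windows 10 client
# with RSAT; the domain is read from the client's own membership.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

function Test-PasswordChangePath {
    param([string]$DomainName)

    # 1. What the client would select right now: a writable DC advertising the KDC service
    $located = Get-ADDomainController -DomainName $DomainName -Discover -Writable -Service KDC -ForceDiscover -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'DC locator (writable KDC)'; Target = ($located.HostName -join ','); Site = $located.Site; Result = [bool]$located }

    # 2. Every writable DC, every TCP port the change depends on
    #    (UDP 464 is used first by kpasswd; Test-NetConnection cannot probe UDP, so a
    #    TCP 464 failure is a hard fail and a TCP 464 pass is a necessary condition only).
    foreach ($dc in Get-ADDomainController -Server $DomainName -Filter { IsReadOnly -eq $false }) {
        foreach ($port in 88, 464, 389, 445) {
            $r = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ Check = "TCP $port"; Target = $dc.HostName; Site = $dc.Site; Result = $r.TcpTestSucceeded }
        }
    }

    # 3. This machine's own trust relationship with the domain
    [pscustomobject]@{ Check = 'Secure channel'; Target = $env:COMPUTERNAME; Site = ''; Result = (Test-ComputerSecureChannel) }
}

Test-PasswordChangePath -DomainName $domain | Format-Table -AutoSize

# Cross-check with Netlogon's own answer and the site this client thinks it is in:
#   nltest /dsgetdc:$domain /writable /kdc /force
#   nltest /dsgetsite
```

A DC reported with Result False on 464 only, while 389 and 445 pass, is the signature to look for; since the behaviour changed last month, a firewall or tunnel rule change around that time is the first thing to compare against the probe results.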

