Channel: Directory Services forum

The advanced page cannot be opened because of following error; the server is not operational


Hi MS server Team

Please help me

I have one file server running Microsoft Windows Server 2008 R2 Standard Edition and 2 Active Directory servers running Microsoft Windows Server 2012 R2, implemented as Primary AD and Secondary AD.

The File Server 2008 R2 is a member of Active Directory, and I would like to give users permission on a shared folder, for example:

mmm Folder > Properties > Security > Add > Advanced (to set user name), but it shows the following:

The advanced page cannot be opened because of following error; the server is not operational


Active directory

I have a single server domain controller that has been functioning perfectly for 3 years. Recently I tried adding some new users and new workstations and could not. These worked just days prior to this. Today I can’t even click to open Active Directory Users and Computers. I am getting an error stating that naming information cannot be located. I have checked DNS and it appears to be working and configured correctly. I ran dcdiag and had errors. I have attached the output from this below. I would appreciate any advice I get. If further information is needed please let me know so I can add to this post.
I noticed that replication has failed between my server and another server. This server was taken out a couple of years back.

Thanks In Advance.

dcdiag --

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Users\administrator.KAJURMAINOFFICE>dcdiag
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = KAJUR-SRV-PDC
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site\KAJUR-SRV-PDC
      Starting test: Connectivity
         ......................... KAJUR-SRV-PDC passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site\KAJUR-SRV-PDC
      Starting test: Advertising
         Fatal Error:DsGetDcName (KAJUR-SRV-PDC) call failed, error 1355
         The Locator could not find the server.
         ......................... KAJUR-SRV-PDC failed test Advertising
      Starting test: FrsEvent
         ......................... KAJUR-SRV-PDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... KAJUR-SRV-PDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... KAJUR-SRV-PDC passed test SysVolCheck
      Starting test: KccEvent
         An error event occurred.  EventID: 0xC0000466
            Time Generated: 11/21/2016   09:22:45
            Event String:
            Active Directory Domain Services was unable to establish a connectio
n with the global catalog.
         A warning event occurred.  EventID: 0x8000082C
            Time Generated: 11/21/2016   09:22:45
            Event String:
         A warning event occurred.  EventID: 0x8000082C
            Time Generated: 11/21/2016   09:23:09
            Event String:
         ......................... KAJUR-SRV-PDC failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... KAJUR-SRV-PDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... KAJUR-SRV-PDC passed test MachineAccount
      Starting test: NCSecDesc
         ......................... KAJUR-SRV-PDC passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\KAJUR-SRV-PDC\netlogon)
         [KAJUR-SRV-PDC] An net use or LsaPolicy operation failed with error
         67, The network name cannot be found..
         ......................... KAJUR-SRV-PDC failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... KAJUR-SRV-PDC passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,KAJUR-SRV-PDC] A recent replication attempt
         failed:
            From DELLSERVER to KAJUR-SRV-PDC
            Naming Context: DC=ForestDnsZones,DC=KajurMainOffice,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2016-11-21 08:59:23.
            The last success occurred at 2014-03-14 15:55:58.
            23443 failures have occurred since the last success.
         [DELLSERVER] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,KAJUR-SRV-PDC] A recent replication attempt
         failed:
            From DELLSERVER to KAJUR-SRV-PDC
            Naming Context: DC=DomainDnsZones,DC=KajurMainOffice,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2016-11-21 08:59:23.
            The last success occurred at 2014-03-14 15:55:58.
            23445 failures have occurred since the last success.
         [Replications Check,KAJUR-SRV-PDC] A recent replication attempt
         failed:
            From DELLSERVER to KAJUR-SRV-PDC
            Naming Context:
            CN=Schema,CN=Configuration,DC=KajurMainOffice,DC=local
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failu
re.
            The failure occurred at 2016-11-21 08:59:51.
            The last success occurred at 2014-03-14 15:55:58.
            23458 failures have occurred since the last success.
            The guid-based DNS name
            2d0536d4-3559-4905-bfdd-1d8ca2f3d776._msdcs.KajurMainOffice.local
            is not registered on one or more DNS servers.
         [Replications Check,KAJUR-SRV-PDC] A recent replication attempt
         failed:
            From DELLSERVER to KAJUR-SRV-PDC
            Naming Context: CN=Configuration,DC=KajurMainOffice,DC=local
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failu
re.
            The failure occurred at 2016-11-21 08:59:37.
            The last success occurred at 2014-03-14 15:55:57.
            23430 failures have occurred since the last success.
            The guid-based DNS name
            2d0536d4-3559-4905-bfdd-1d8ca2f3d776._msdcs.KajurMainOffice.local
            is not registered on one or more DNS servers.
         [Replications Check,KAJUR-SRV-PDC] A recent replication attempt
         failed:
            From DELLSERVER to KAJUR-SRV-PDC
            Naming Context: DC=KajurMainOffice,DC=local
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failu
re.
            The failure occurred at 2016-11-21 08:59:23.
            The last success occurred at 2014-03-14 15:55:58.
            23447 failures have occurred since the last success.
            The guid-based DNS name
            2d0536d4-3559-4905-bfdd-1d8ca2f3d776._msdcs.KajurMainOffice.local
            is not registered on one or more DNS servers.
         ......................... KAJUR-SRV-PDC failed test Replications
      Starting test: RidManager
         The DS has corrupt data: rIDPreviousAllocationPool value is not valid
         No rids allocated -- please check eventlog.
         ......................... KAJUR-SRV-PDC failed test RidManager
      Starting test: Services
            NtFrs Service is stopped on [KAJUR-SRV-PDC]
            Invalid service type: LanmanServer on KAJUR-SRV-PDC, current value
            WIN32_SHARE_PROCESS, expected value WIN32_SHARE_PROCESS
         ......................... KAJUR-SRV-PDC failed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   08:37:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   08:42:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   08:47:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   08:52:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   08:57:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   09:02:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   09:07:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   09:12:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   09:17:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 11/21/2016   09:18:00
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   09:22:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   09:27:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 11/21/2016   09:32:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         ......................... KAJUR-SRV-PDC failed test SystemLog
      Starting test: VerifyReferences
         ......................... KAJUR-SRV-PDC passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   Running partition tests on : KajurMainOffice
      Starting test: CheckSDRefDom
         ......................... KajurMainOffice passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... KajurMainOffice passed test
         CrossRefValidation
   Running enterprise tests on : KajurMainOffice.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... KajurMainOffice.local failed test
         LocatorCheck
      Starting test: Intersite
         ......................... KajurMainOffice.local passed test Intersite
C:\Users\administrator.KAJURMAINOFFICE>

One FrontEnd for multiple active directory servers


Hello

I want to know what kind of solution could shed some light on a customer's need.

The customer has 5 Active Directory servers in different locations and forests.

He wants to have one server that handles all auth requests and queries server by server (from the 5 servers mentioned above).

The main idea is to configure one .NET application to ask for auth on only one server (the frontend).

Thank you!

CJ


rpc server is missing

I am using Group Policy Results in the forest: adatun.com. When I try to create new go results I am choosing a computer, but it tells me I can't use it because either the WMI is off in the local computer or the RPC server is down. I turned off the firewall in both computers so the RPC could use the ports it needed, and I added the domain administrator to the security root just like it was explained here https://technet.microsoft.com/en-us/library/cc771551(v=ws.11).aspx but the error keeps coming back. What should I do, and would adding the client computer to Server Manager help?

Active Directory Migration FAQ question from user


Dear team,

Please somebody help to get FAQ from the User on active directory migration. 

Regards,

Hebbar

PowerShell Move-ADObject questions


Hi,

I have some questions about using this cmdlet in PowerShell.

I know that in order to move objects in AD you need to have rights to delete and create objects, but what I would like to understand is the process of deleting before creating.

Is the current information from the object copied before the object is deleted? If so, is the new object created with the information obtained previously?

Does this cmdlet check for the user's permissions on the new (destination) OU before deleting the object?

What happens if the user doesn't have rights to create the object in the destination OU? If it is a computer object, will this computer need to be rejoined to the domain?

Thanks,

Approach to restore AD before a bulk modification of objects


Hi Guys,

Just want to get your advice on the best approach to restoring the AD. We will be doing a bulk modification on 8K users and one of the requirements is making sure to have a plan in place to back up the AD so that we have a way to restore it in case we mess up the AD.

We are using Symantec NetBackup for all Domain Controllers.

My question is: is restoring the DC from the NetBackup System State the best way? Because it looks like we are doing a full recovery of the Domain Controller itself.

Hoping you can give me the easiest approach.

Thanks,

Opensource Tools for Account unlock


Hi All,

Is there any open-source tool for unlocking or resetting passwords for domain accounts?


Group policy to disable Shift+Delete on all Windows 7 clients


Hi,

On Windows 2012 Server with Active Directory.

We would like to have a policy which will not allow users to use Shift+Delete on any desktop.

The purpose is to avoid accidental deletion of files by users (we don't want to allow users to delete any file from a client machine).

Regards,

Lakshmikanth

sid history fileserver resource access via ad groups access denied


hi

we plan to migrate our root domain/sub domain setup to one central ad forest

we want to use sid history to access shares in the old forest from new forest

atm the shares are configured:

FileShareA:

Domain Admins -> Full Access
System -> Full Access
AD Group with Users -> Change

We did a test and created a new user in the new forest and added the SID of a user from the source forest to the SID history field...

The source user is in many AD groups to access different shares in the source forest, but the target forest user cannot access these shares ("gets Access Denied").

If we put the source user directly on a share without an AD group, the access works from the target user using SID history.

Now the question is: does SID history work with AD groups on resources? I tried all scopes (Local, Global, Universal); it doesn't matter, only when I add the user directly to the share does it work.

thanks

harald

Is there any standard MS solution could generate the machine number on specified OU longer than certain days

 Is there any standard MS solution could generate the machine number on specified OU longer than certain days

Account continues to lockout after password change

We appear to have a Directory Services issue. We have a Win 2012 AD domain with ADFS. On a few accounts, once the password has been reset by an admin through AD Users and Computers, the account will from that point constantly lock out; if you unlock the account, 2 minutes later it is locked again. The account is not used for any Windows services or process, but we have not yet been able to find where the "bad password" is coming from. Ideas?

AD migration


Hello all,

I have one question. I will do group and user migration from one domain to another domain, but there is no impact on users logging in to the old domain, right? User and group migration will not impact any user's day-to-day activity on the old domain?

Only if I do computer migration does the user have to use the new domain name for computer login.

windows clients try to connect domain controller in different site


Hello;

I've 2 sites.

All subnets are configured properly.

All nltest commands return correct answers.

SRV records of the DNS servers point to the correct domain controllers in the sites.

In spite of all the bullets above, firewall logs show that client computers try to access domain controller(s) in a different site via 443.

When I ping the domain name from a client, the client (or DNS) responds with the remote DC IP.

My recommendation is that clients mustn't send requests to the remote DC. I mean there mustn't be such a necessity.

I am not able to identify which application wants to connect to the remote DC, and why.

I need your analysis suggestions.

Regards

Tirelibirefe

Domain migration in DHCP environment


Dear All,

I have DHCP enabled in the source domain. If I migrate the computers without migrating the DHCP,

shall I face any issue? How will the client take the IP?

I don't have DHCP enabled in my target domain.


ldaps

Hi,

I am trying to load balance LDAP.

I have an internal CA.

I have an F5 load balancer with SSL offloading (Virtual Server listening on 686 => DCs listening on 389)

domain test.local

and a forward zone test.com, so internal users can reach the test.com website through a private local IP address.


I will do a CSR for ldap.test.local, so the F5 will create a key.

I will submit the CSR to the local internal CA, so which certificate template must be chosen? (Administrator, user, webserver ....)

Do I need to import the root certificate to the F5?

And once the certificate is generated, what is required for ldaps on the application server?

Thanks


Link to download AD LDS for Windows Vista is not available any more


We used the following link to download AD LDS for Windows Vista, however today we've discovered that it is not available any more: http://www.microsoft.com/downloads/details.aspx?FamilyID=E1B7F0A5-2131-44FD-9DDE-FA146154E13A. The page is redirected to the following error page: https://www.microsoft.com/library/errorpages/smarterror.aspx.

Where can we download AD LDS for Vista? We still have a couple of customers who run their instances on this version of Windows.

BTW, the link is still present in Bing and Google cache.

Windows Active Directory Custom Schema Attributes


Hi friends


Will try to explain the situation to the best of my knowledge.


Client: Commercial Bank

Users: 3000+

Domain Controllers (5) due to 3 Sites (Primary/Secondary and DR)

Infrastructure 95% Virtualized with exceptions: 1 Physical DC / Backup Server and 4 other servers related to Core Bank Apps

Hypervisor: ESXi 5.5

OS: Windows 2008 R2 and 2012 R2


1 DC is a Windows 2012 R2 all others are Windows 2008 R2.

The Windows 2012 R2 is the FSMO Roles Holder and it is a Physical Server


If you need more info please ask.


The subject:

4 custom attributes were created in 2013; these attributes correspond to Date of Admission / Date of Birth / Date of Dismiss / Date of Transfer and a Boolean attribute to show whether the user is at the HQ or not.

When these attributes were created they populated the new user accounts and also appeared on the accounts already in the system. There are several HR scripts running on an app which populate these attributes when required.

The problem:

Recently (not sure when) these attributes are not replicating or appearing on a few of the user accounts, and it has reached a level of concern due to HR not being able to report correctly when an employee has been hired, for example.

I thought this was a configuration issue at first, ruled that out; then I researched replicating the schema and checked for replication issues, ruled that out as well; created a few new users and none have the custom attributes associated with their accounts; and several other troubleshooting steps.

What i have done so far:

1. Registry key to "allow schema updates"

2. MMC and modify the attribute to contain the option "Replicate this attribute to the Global Catalog"

3. Index this attribute

4. Force replication

5. Transferred the Schema Master to a Windows 2008 R2 DC, waited 72 hours, nothing happened, transferred back to the Windows 2012 R2.

6. Removed a user with the attributes in question and re-created them; the attribute never re-appeared.

7. Created several new users and the attributes don't appear.

8. Removed the custom attributes from the "USER CLASS", waited a couple of hours and re-added them in the hope that a schema replication would check the change and re-sync the user objects.


Not sure what I am missing...

I can see the custom attributes on all 5 DCs; if I make a change to them I can see the change replicated to other DCs.

I need these attributes to register with the end users so the HR software can populate them properly.

Can someone help me please?


Thanks for your time

Rui

Active Directory Backups


Hi

When I'm backing up my domain controllers, is the system state all I need to be backing up, or should I back up other folders like, say, Documents and Settings? Is the system state all that is required to get my DCs back up and running in a restore scenario?

Thanks

 

Logon outside hours

I have a requirement to check which user is logged on after working hours. Is there any way to check who is logged on in a particular group of users, for whom logon hour restriction is implemented?