Channel: Directory Services forum

Verification of replica failed. The Wizard cannot access the list of domains in the forest


Hello,

I have DC2 (MBDC) and DC1. DC2 was the primary domain controller and was holding the DNS, AD DS, and DHCP roles; the operating system of DC2 was Win 2008. DC2 was damaged due to an electricity shortage. I seized the FSMO roles in DC1 and then transferred the roles to DC1; DC1 was already the alternate DNS.

Now the AD is not connecting in Exchange server 2007 (mail.macca.org.af), and I am not able to join a new computer to the domain. I have prepared a new server and want to promote it as a domain controller, but I get this message during DCpromo.

Verification of replica failed. The Wizard cannot access the list of domains in the forest. The network path was not found.

Please help.

Thanks,

Zilgai


msDS-UserPasswordExpiryTimeComputed returning "01.01.1601 01:00:00" for most users


Good Day!

I've just noticed that this command:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | clip

returns lines like that for most of my users:

DisplayName          ExpiryDate
-----------          ----------
FirstName Givenname  01.01.1601 01:00:00

By "most" I mean almost all of them. The only exceptions are users with Domain Admin rights and two (imo) random users.

Logon and such works as always.

I can't imagine what could have caused this. I've been playing around with our password-expiration-reminder script, but I wouldn't know how it could be the reason.

The attribute "pwdLastSet" is fine for all users.

Resetting the password via ADUC creates a "right" msDS-UserPasswordExpiryTimeComputed value.

Do you have any idea what causes this?

Thanks!
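As an added example (not code from the post above): the same query, but with the raw attribute value classified before it is converted. [datetime]::FromFileTime(0) prints as 01.01.1601 in local time, and the "never expires" value 0x7FFFFFFFFFFFFFFF cannot be converted at all, so the script reports those two sentinels by name and, for comparison, computes what pwdLastSet plus the default domain policy's maximum age would give for each user. It assumes the ActiveDirectory (RSAT) module and a reachable domain controller; fine-grained password policies are not considered.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory (RSAT) module and a
# reachable domain controller. Only the default domain policy is used; PSOs are ignored here.
Import-Module ActiveDirectory

$NeverExpires = [Int64]::MaxValue    # 0x7FFFFFFFFFFFFFFF: password does not expire
$NoDate       = [Int64]0             # 0: no usable date; FromFileTime(0) prints as 01.01.1601

# MaxPasswordAge is a TimeSpan; a zero TimeSpan means the domain sets no maximum age
$MaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

function ConvertFrom-ExpiryFileTime {
    param([Int64]$Raw)
    # Return a DateTime for real values and $null for the two sentinels
    if ($Raw -eq $NeverExpires -or $Raw -eq $NoDate) { return $null }
    return [datetime]::FromFileTime($Raw)
}

function Get-PasswordExpiryReport {
    param([string]$Filter = "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'")

    Get-ADUser -Filter $Filter -Properties DisplayName, pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw     = [Int64]$_.'msDS-UserPasswordExpiryTimeComputed'
        $lastSet = [Int64]$_.pwdLastSet

        # Classify first, so a sentinel is never reported as a date in 1601
        $state = if ($raw -eq $NeverExpires) { 'NeverExpires' }
                 elseif ($raw -eq $NoDate -and $lastSet -eq 0) { 'MustChangeAtNextLogon' }
                 elseif ($raw -eq $NoDate) { 'NoDateReturned' }      # worth a closer look
                 else { 'Expires' }

        # What the default domain policy says the expiry should be, for comparison
        $lastSetDate = if ($lastSet -gt 0) { [datetime]::FromFileTime($lastSet) } else { $null }
        $expected    = if ($lastSetDate -and $MaxAge -ne [TimeSpan]::Zero) { $lastSetDate + $MaxAge } else { $null }

        [pscustomobject]@{
            DisplayName            = $_.DisplayName
            State                  = $state
            RawValue               = $raw
            ExpiryDate             = ConvertFrom-ExpiryFileTime -Raw $raw
            PwdLastSet             = $lastSetDate
            ExpectedByDomainPolicy = $expected
        }
    }
}

# Show only the accounts whose computed value disagrees with the domain policy
Get-PasswordExpiryReport |
    Where-Object { $_.State -eq 'NoDateReturned' -or ($_.ExpectedByDomainPolicy -and $_.ExpiryDate -ne $_.ExpectedByDomainPolicy) } |
    Format-Table DisplayName, State, ExpiryDate, ExpectedByDomainPolicy -AutoSize
```

The RawValue column is the useful one when a date looks wrong: a genuine 0 from the directory is a different problem from a value the conversion could not represent, and the two are indistinguishable once FromFileTime has run or thrown.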


Cannot remove user from AD, access is denied


I'm trying to remove a user from our AD using Adsiedit but I get this error:

Operation failed. Error code: 0x5 Access is denied.
00000005: SecErr:DSID-031A1256, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

I removed all permissions, made myself owner and gave myself full permissions but still same error.

Somehow the user is messed up because it isn't visible in Users and Computers. When I check the account properties I also noticed that the sAMAccountType is 805306370 (TRUST_ACCOUNT).


RODC promotion fails with While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC


Trying to fix the issue with one RODC failing with the below error.

While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC.

01/06/2017 09:45:14 [INFO] EVENTLOG (Warning): NTDS General / Replication : 1115
Outbound replication has been disabled by the user.

01/06/2017 09:45:14 [INFO] Replicating secrets for Read-only Domain Controller.
01/06/2017 09:45:16 [INFO] Error - While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC. (8639)
01/06/2017 09:45:16 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.



Additional Data

Error value (decimal):
-1073741823

Error value (hex):
c0000001

Internal ID:
3001806

Tried rejoining the computer to the domain and retrying, with no luck. Tried changing the source DC for replication during promotion, with no luck. Tried removing all PRP accounts while promoting, with no luck. On another computer in the same domain, promotion worked perfectly fine. There are no firewalls configured. Any help appreciated.

MSA Account's password change causes failure to connect to SQL DB


Hey,

I have an MSA account which runs an IIS application pool in my organization.

Seems that every 30 days, when the MSA account automatically resets its password, the site cannot connect to the SQL DB (this DB is located on a different AD Forest, a trust exists).

This is the error: the login is from an untrusted domain and cannot be used with Windows authentication.

Mostly after about 10-15 minutes, the problem resolves itself (maybe the connection reopened, not sure).

1. Is the gap caused by replication between DCs? As far as I am aware, when a trust exists, the DB's server should query the DCs of the trusted domain in case the authentication failed (I could be wrong here); I am trying to see if the problem is replication here.

2. When the MSA account changes its password and there is an open connection to the SQL DB, is the connection expected to fail because of the password change? Must I force the IIS application to close the connection and reopen it somehow?

This happens on multiple MSA accounts, on multiple IIS servers, on multiple environments, with different OS versions: some environments have Server 2008 R2 and some have 2012 R2.

Thank you for your help!

Users are unable to login if one of the domain servers is down


Hi

I have a windows server 2008 domain with 2 Domain controllers.

Server 1 has the Schema, Naming Master, PDC, RID and Infrastructure roles.

Server 2 has the Global Catalog.

I never tested it the other way, with server 1 down and server 2 up.

If server 2 does not boot then the domain users are unable to login to the domain.

How can I fix it?

Thanks 

Itamar


Tool to check Active Directory.


Hi,

My boss has asked me to search for some tool which runs diagnostics and looks for configuration issues in Active Directory, such as sites without domain controllers, sites without global catalogs, replication problems, DNS issues... and generates some sort of report. He tells me that in Windows 2003 he did it with the Microsoft Baseline Configuration Analyzer, but I have been searching the web and I don't find any information about it. Not for Windows 2012 and Windows 2012 R2.

Does anybody know any application or tool or way to do this?
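One way to produce the checks listed in the post from PowerShell, as an added example that is not part of the post or any Microsoft tool: sites without a domain controller or without a global catalog are derived from the forest's DC inventory, current replication failures come from Get-ADReplicationFailure, and the DNS test is delegated to dcdiag. It assumes the ActiveDirectory module from Server 2012 (or newer) RSAT and dcdiag.exe on the path.

```powershell
# Added example, not from the post. Assumes the ActiveDirectory module (Server 2012 RSAT or
# newer) and dcdiag.exe on the path. Everything is returned as objects for a report.
Import-Module ActiveDirectory

function Get-ADSiteCoverageReport {
    # Collect DCs from every domain in the forest; Get-ADDomainController is per domain
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $inSite = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $gcs    = @($inSite | Where-Object { $_.IsGlobalCatalog })
        $finding = if ($inSite.Count -eq 0) { 'no domain controller' }
                   elseif ($gcs.Count -eq 0) { 'no global catalog' }
                   else { 'ok' }
        [pscustomobject]@{
            Site    = $site.Name
            DCs     = $inSite.Count
            GCs     = $gcs.Count
            Finding = $finding
        }
    }
}

function Get-ADReplicationProblems {
    # Every partner link currently reporting a failure, with the last error and failure count
    Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
        Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError
}

function Get-ADDnsProblems {
    # dcdiag's DNS test against all DCs; /q prints only the failures
    & dcdiag.exe /test:DNS /e /q 2>&1
}

Get-ADSiteCoverageReport  | Format-Table -AutoSize
Get-ADReplicationProblems | Format-Table -AutoSize
Get-ADDnsProblems
```

Piping the three results to Export-Csv or ConvertTo-Html gives the report the post asks for; the site coverage part is the one a GUI tool rarely shows, and an empty site is also what makes clients fall back to a DC in another site at logon.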

Disk Space


Hi, my primary partition size is 100 GB and it's almost 95 GB full.

I need to delete temporary files related to Windows. Please guide me on which Windows files can be deleted, like temp and prefetch.


Can't log in to Windows Server 2012 R2 when the network cable is plugged in

Hello everybody,

So here's my problem. I recently made an update for Windows 2012 R2 on 4 of my domain controllers. Since then it is impossible for me to log on to these computers.

I can't log on physically to my servers, nor via RDP. The only way I have found to get into my Windows 2012 R2 domain controllers is to unplug the network cable before Windows restarts and then plug the network cable in 5 minutes after the restart is completely over.

The problem is that I don't find which KB does this kind of thing. I also have the problem on both my physical machines and my virtual servers.

Thanks


Domain users are unable to change or reset password.


Some domain users are unable to change or reset their password from Ctrl+Alt+Del. This issue occurs randomly. I have checked the Group Policy, and complexity and length are not defined.

The following error occurs:

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

What is the main issue?

Thanks in advance.


Mandal Amit

User Directories


Can someone tell me when user directories are created? Are they created when a user logs onto a server or are they created when the user is created in the AD?

We are running 3 terminal servers with Windows Server 2012 R2 and I'm looking to go through old users and remove them.

Computers point to DC in wrong DC Site Name


Hi, everyone.
I have 2 DCs on Windows Server 2008 R2.
I have only one domain (domain.local).
Both DCs are located in different places.
The first is a DC in the Azure Cloud and the second DC is at the office.

The problem is that clients do not correctly determine the "DC Site Name", and when signing in with a domain account, sign-in takes about 2 minutes in the Azure Cloud and is a little faster at the office.
1. I created sites in AD Sites and Services.
2. Moved DC in these sites.
3. Configured subnets on the sites.

OfficeSite=192.168.xxx.x/24
CloudSite=100.71.x.x/16
CloudSite=10.0.0.0/8 - this is the VPN subnet through which the local networks are joined.

OFFICEDC=192.168.xxx.x
CLOUDDC=10.71.xx.xx and 10.1.0.xxx

PC at the office. (Defines the wrong site)

C:\Users\user>nltest /DCLIST:domain.local
Get list of DCs in domain 'domain.local' from '\\CLOUDDC.domain.local'.
    CLOUDDC.domain.local        [DS] Site: CloudSite
      OFFICEDC.domain.local [PDC]  [DS] Site: OfficeSite
The command completed successfully

C:\Users\user>nltest /DSGETSITE
CloudSite
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /KDC
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: CloudSite
Our Site Name: CloudSite
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /GC
           DC: \\CLOUDDC.domain.local
      Address: \\10.1.0.xxx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: CloudSite
Our Site Name: CloudSite
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: Cloud-CNF-25dc83cd-f6f3-4731-9cb8-xxxxxxxxxxxx
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /force
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: CloudSite
Our Site Name: CloudSite
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

The Server in the Azure Cloud. (Defines the wrong site)

C:\Users\user>nltest /DCLIST:domain.local
Get list of DCs in domain 'domain.local' from '\\OFFICEDC.domain.local'.
      OFFICEDC.domain.local [PDC]  [DS] Site: OfficeSite
    CLOUDDC.domain.local        [DS] Site: CloudSite
The command completed successfully

C:\Users\user>nltest /DSGETSITE
OfficeSite
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /KDC
           DC: \\OFFICEDC.domain.local
      Address: \\192.168.xxx.x
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: OfficeSite
Our Site Name: OfficeSite
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /GC
           DC: \\OFFICEDC.domain.local
      Address: \\192.168.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: OfficeSite
Our Site Name: OfficeSite
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local
           DC: \\OFFICEDC.domain.local
      Address: \\192.168.xxx.x
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: OfficeSite
Our Site Name: OfficeSite
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /force
           DC: \\OFFICEDC.domain.local
      Address: \\192.168.xxx.x
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: OfficeSite
Our Site Name: OfficeSite
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

The Server in the Azure Cloud. (Defines the right site)

C:\Users\user>nltest /DCLIST:domain.local
Get list of DCs in domain 'domain.local' from '\\CLOUDDC.domain.local'.
    CLOUDDC.domain.local        [DS] Site: CloudSite
      OFFICEDC.domain.local [PDC]  [DS] Site: OfficeSite
The command completed successfully

C:\Users\user>nltest /DSGETSITE
CloudSite
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /KDC
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: Cloud-CNF-25dc83cd-f6f3-4731-9cb8-xxxxxxxxxxxx
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local /GC
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: CloudSite
Our Site Name: CloudSite
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

C:\Users\user>nltest /DSGETDC:domain.local
           DC: \\CLOUDDC.domain.local
      Address: \\100.71.xx.xx
     Dom Guid: ec816caf-e075-4633-b577-xxxxxxxxxxxx
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: Cloud-CNF-25dc83cd-f6f3-4731-9cb8-xxxxxxxxxxxx
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST FULL_SECRET WS
The command completed successfully


The Server in the Azure Cloud.

C:\Users\User>set logonserver
LOGONSERVER=\\CLOUDDC

Checking replication.

C:\Users\User>repadmin /showutdvec clouddc dc=domain,dc=local
CachingGUIDs...
CloudSite\CLOUDDC                       @ USN   1770868 @ Time 2016-07-11 14:18:31
OfficeSite\OFFICEDC                        @ USN    958563 @ Time 2016-07-11 14:16:58

OFFICEDC (IP: 192.168.xxx.2)

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : D8-CB-8A-5C-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::49xx:xxx7:76x0:439%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.xxx.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.xxx.1
   DHCPv6 IAID . . . . . . . . . . . : 249088906
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-E3-FB-C9-D8-CB-8A-xx-xx-xx

   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.xxx.2
                                       10.1.0.xxx
   Primary WINS Server . . . . . . . : 192.168.xxx.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

CLOUDDC (IP: 100.71.xx.59 and IP: 10.1.0.xxx)
Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : xxxxxxx.d3.internal.xxxxxxx.net
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #3
   Physical Address. . . . . . . . . : 00-15-5D-E0-xx-xx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::558c:cb94:32xx:x8x4%23(Preferred)
   IPv4 Address. . . . . . . . . . . : 100.71.xx.59(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : Saturday, March 26, 2016 11:07:33 AM
   Lease Expires . . . . . . . . . . : Thursday, August 17, 2152 8:59:47 PM
   Default Gateway . . . . . . . . . : 100.71.xx.1
   DHCP Server . . . . . . . . . . . : 100.71.x.218
   DHCPv6 IAID . . . . . . . . . . . : 385881437
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-E3-BA-88-00-15-5D-xx-xx-xx

   DNS Servers . . . . . . . . . . . : 100.71.xx.59
                                       192.168.xxx.2
   Primary WINS Server . . . . . . . : 100.71.xx.59
   NetBIOS over Tcpip. . . . . . . . : Enabled
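The site a client ends up in is decided by longest-prefix match of its IP address against the subnet objects in the forest, so overlapping subnets such as the 10.0.0.0/8 and 100.71.x.x/16 entries above are resolved by prefix length, not by the order they were created. The following is an added example, not part of the post: it implements that match offline against a constructed subnet table mirroring the post's layout (redacted octets replaced by 1 so the addresses parse), and includes a function that builds the same table from the real forest and flags any site whose name carries the conflict marker that appears in the nltest output above. The forest-reading part assumes the ActiveDirectory module from Server 2012 or newer.

```powershell
# Added example, not from the post. The $sample table below is constructed; Get-ADSubnetTable
# reads the real one and needs the ActiveDirectory module (Get-ADReplicationSubnet, 2012+).
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    # Bitwise prefix comparison on the address bytes; works for IPv4 and IPv6 alike
    $network, $prefixLength = $Cidr -split '/'
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    if ($ipBytes.Length -ne $netBytes.Length) { return $false }   # address family mismatch
    for ($bit = 0; $bit -lt [int]$prefixLength; $bit++) {
        $mask = 0x80 -shr ($bit % 8)
        $i    = [int][math]::Floor($bit / 8)
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

function Resolve-SiteForIP {
    param([string]$IPAddress, [hashtable]$SubnetTable)
    # Like the DC locator: of all subnets containing the address, take the longest prefix
    $best = $SubnetTable.Keys |
        Where-Object { Test-IPInCidr -IPAddress $IPAddress -Cidr $_ } |
        Sort-Object { [int]($_ -split '/')[1] } -Descending |
        Select-Object -First 1
    if (-not $best) {
        return [pscustomobject]@{ IP = $IPAddress; Subnet = $null; Site = 'no subnet covers this address' }
    }
    [pscustomobject]@{ IP = $IPAddress; Subnet = $best; Site = $SubnetTable[$best] }
}

function Get-ADSubnetTable {
    # Build the same table from the forest's subnet objects and flag conflict-renamed sites
    $table = @{}
    foreach ($subnet in Get-ADReplicationSubnet -Filter *) {
        $siteName = if ($subnet.Site) { (Get-ADObject -Identity $subnet.Site).Name } else { '(no site)' }
        # A replication conflict renames the losing object to "<name>\0ACNF:<guid>"
        if ($siteName -match "`nCNF:") { $siteName = "$siteName  <-- CONFLICT OBJECT" }
        $table[$subnet.Name] = $siteName
    }
    return $table
}

# Constructed table mirroring the post; the redacted octets are replaced with 1
$sample = @{
    '192.168.1.0/24' = 'OfficeSite'
    '100.71.0.0/16'  = 'CloudSite'
    '10.0.0.0/8'     = 'CloudSite'
}
foreach ($ip in '192.168.1.20', '10.1.0.5', '100.71.3.59', '172.16.0.1') {
    Resolve-SiteForIP -IPAddress $ip -SubnetTable $sample
}
# Against the real forest:
# Resolve-SiteForIP -IPAddress '10.1.0.5' -SubnetTable (Get-ADSubnetTable)
```

With the sample table, 192.168.1.20 maps to OfficeSite, the two 10.x and 100.71.x addresses to CloudSite, and 172.16.0.1 to no subnet at all; a client in that last situation is not associated with any site and can be handed a DC from anywhere in the forest, which is one of the ways a slow logon like the one described arises.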



ADAMSync Aging Error - Unable to push back result


I'm working with Adamsync right now and have no issues syncing between AD DS and AD LDS, but when I enable aging, it always randomly returns an error on a specific object.  The object is never the same between runs and always looks something like this:

Beginning aging run.

Processing target entry <guid=e068b5190d63bb438ee77236643299d9>
20161128223656.0Z was when we last saw CN=Test\0ACNF:19b568e0-630d-43bb-8ee7-7236643299d9,

Renaming target object (implicit) CN=Test\0ACNF:19b568e0-630d-43bb-8ee7-7236643299d9
(I stripped out the full DN name)

Conflicting object detected. Requesting rename.

An internal error occurred: unable to push back result.

An internal error occurred: unable to push back result.

Saving Configuration File on

I can delete the conflicting object manually, but the next run it will just run into the same error and the command stops.  I couldn't find additional information regarding the error "unable to push back result."  I'm relatively new to AD LDS, so if someone knows of a quick fix, please let me know!

Jake

Removing permissions to view objects in an OU to Authenticated Users


Hi,

On an OU, I removed the ability for Authenticated Users to List Contents. When checking the effective access, it shows that list contents for my test user is denied.

However, if I open ADUC as the test user, or run a PowerShell command and do a Get-ADUser on the OU, I am still able to retrieve the user accounts in that OU.

What am I missing?

Best regards,

Server 2012 AD FS 3.0 not showing Network Service account to use as service account in AD FS 3.0 configuration


I am upgrading AD FS 2.0 on Server 2008 to AD FS 3.0 on Server 2012 R2. In Server 2008 the AD FS service is running under Network Service; while configuring 3.0 on 2012 I don't get that option. To import the config from AD FS 2.0 to 3.0 you must use the same user/service account that you are using for 2.0.

Please advise either how to change the service account on 2.0 so I could export the config with a new account, or how to add the NT Authority\Network Service account to configure AD FS 3.0 on a 2012 server.


LOGON SCRIPT TO ADD PRINTER WITH IF STATEMENT


Hi,

I'm new to the server game so please excuse me if I am not so clear with my question.

I want to create a logon script in windows server 2008, that will add a printer to a profile, only if the current profile does not have the printer already installed on logon. Is this possible?

My reason for asking: if I have a basic logon script that adds a particular printer every time on logon, then when a user sets that printer up to meet their individual preferences, they will lose those preferences at the next logon because the script installs the default again.
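A logon script that does exactly the check the post asks for, as an added example and not the post's own script: it enumerates the user's existing printer connections and adds the share only when it is absent, so an existing connection and its saved preferences are left untouched. It uses WMI and the WScript.Network COM object so it runs on Server 2008-era clients that lack the Add-Printer cmdlet; the share path is a placeholder.

```powershell
# Added example, not from the post. Runs in the user's logon context. Uses Win32_Printer and
# WScript.Network, which exist on Server 2008-era Windows; the UNC path is a placeholder.
$PrinterPath = '\\PRINTSERVER\SharedPrinter'   # placeholder share, replace with the real one

function Test-PrinterConnection {
    param([string]$Path)
    # Per-user printer connections show up in Win32_Printer with Network=True and the UNC
    # path as Name; compare case-insensitively so \\Server\Share and \\server\share match
    $existing = Get-WmiObject -Class Win32_Printer | Where-Object { $_.Network -and $_.Name -ieq $Path }
    return [bool]$existing
}

function Add-PrinterIfMissing {
    param([string]$Path)
    if (Test-PrinterConnection -Path $Path) {
        # Leave it alone: re-adding would reset the user's saved preferences
        return "already present: $Path"
    }
    $net = New-Object -ComObject WScript.Network
    $net.AddWindowsPrinterConnection($Path) | Out-Null
    return "added: $Path"
}

Add-PrinterIfMissing -Path $PrinterPath
```

Assign the script as a user logon script through Group Policy (User Configuration, Windows Settings, Scripts); because the check reads the user's own connections, it must run as the user and not as a computer startup script.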

RODC site coverage


Hi,

Can an RODC do automatic site coverage?

Can Server 2016 Nano Server run the AD DS role and run as a Domain Controller?


Hi,

I can run Server 2016 Standard as a Domain Controller, but can't find info on whether the AD DS role can run on a Nano Server and whether a Nano Server can serve as a Domain Controller, so does anyone know the status of this? I haven't tried it in our lab either.


Thanks for your help! SdeDot

AD 2012 - ACL - Allow on This Object Only takes precedence over Deny on This object and all descendants


Hi,

Following my initial bug where I could not block List Contents by removing the permission from Authenticated Users, I proceeded to implement the workaround provided by Microsoft:

* Create a security group.

* Deny List Contents to members of the security group.

And here I go on my merry way to create the group and deny the List Contents permission to the members of that group. As per the description of the popup, the DENY is supposed to take priority over everything. Well.... apparently not.

I used Deny on "This object and all descendants", because let's be honest, who wants to go through 200 OUs to remove the List Contents permission? (And I am not yet confident enough to do that operation by scripting and not mess it up.) But the users in the group were still able to list the contents. Apparently the DENY, in my case, only works if I apply it to "This object only".

Has anyone else encountered this issue? And if so, how did you go about fixing it or making it work?

Thanks
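Both this post and the earlier "Removing permissions to view objects in an OU" post come down to which ACEs on the OU actually carry the List Contents right, including the inherited ones that the ACL editor shows greyed out and in which scope ("Applies to") each one is set. The following is an added example, not from either post: it reads the OU's security descriptor through the AD: drive, keeps only the ACEs that include ListChildren (the ActiveDirectoryRights name for List Contents), and lists them in the order the directory evaluates them (explicit Deny, explicit Allow, inherited Deny, inherited Allow). It assumes the ActiveDirectory module; the OU distinguished name is a placeholder.

```powershell
# Added example, not from either post. Assumes the ActiveDirectory module (it provides the
# AD: drive). The distinguished name at the bottom is a placeholder.
Import-Module ActiveDirectory

# How an ACE's InheritanceType maps onto the "Applies to" wording in the ACL editor
$AppliesTo = @{
    'None'            = 'This object only'
    'All'             = 'This object and all descendant objects'
    'Descendents'     = 'All descendant objects'
    'Children'        = 'Child objects only'
    'SelfAndChildren' = 'This object and child objects'
}

function Get-ListContentsAces {
    param([string]$OUDistinguishedName)
    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"
    $listChildren = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren

    # Canonical evaluation order: explicit Deny, explicit Allow, inherited Deny, inherited Allow
    $acl.Access |
      Where-Object { $_.ActiveDirectoryRights -band $listChildren } |
      ForEach-Object {
          [pscustomobject]@{
              Identity  = $_.IdentityReference.Value
              Type      = $_.AccessControlType             # Allow or Deny
              Rights    = $_.ActiveDirectoryRights
              AppliesTo = $AppliesTo[$_.InheritanceType.ToString()]
              Inherited = $_.IsInherited                   # came from a parent container
          }
      } |
      Sort-Object @{Expression = 'Inherited'}, @{Expression = { $_.Type -eq 'Allow' }}
}

Get-ListContentsAces -OUDistinguishedName 'OU=Test,DC=example,DC=com' | Format-Table -AutoSize
```

The rows with Inherited set to True are the ones to read closely: an ACE granting List Contents that flows down from the domain head or a parent OU to a principal the test user belongs to (Everyone, Domain Users, Pre-Windows 2000 Compatible Access) is still evaluated for that OU even though it is not editable there.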

Problem Joining Computer to a Domain

Hi there,

We have two domain controllers, PDC (Primary Domain Controller) and BDC (Backup/Additional Domain Controller), with the DHCP role installed and configured as failover between these two servers. DHCP distributes IPs to clients all over the LAN (IP, subnet mask, default gateway, DNS1: PDC IP, DNS2: BDC IP). The problem is that I can't join any clients to the domain unless I enter the DNS IPs for the two servers manually, although DHCP is configured to distribute DNS1 and DNS2, and when I check the IP configuration of the client computer I can see that DNS1 and DNS2 are assigned via DHCP.

I can't figure this out! Any ideas how to fix this? 

Thanks...