Channel: Directory Services forum

WellKnownObjects AD Container pointing to old Deleted Object

I have posted the same query on the Small Business Forum, but now posting in the General AD Column for more inputs. 

The current scenario is that I am dealing with a 2012 R2 Domain Controller (only one AD) on which no other computer objects can be added. The error is quite simple: "A device attached to the storage is not functioning". Investigation of this error has led to many things, which is an issue with the AD Domain Controller.

This domain was initially running on SBS, which was moved to Server 2012 R2 and decommissioned. Now the current situation is that the Default Computer attribute is pointing to the SBSComputers OU, which has been deleted and is not even seen in Deleted Objects. The wellKnownObjects is pointing to the OU which is in the Deleted Objects. The current location is below:

B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=SBSComputers\0ADEL:4e10ac07-6894-43cb-a7b7-cca05f90a74b,CN=DeletedObjects,DC=XXXXXX,DC=local

When we try to change it to a new OU, via both the Set-ADObject (Get-ADRootDSE) and redircmp commands, both get an error that the set object cannot be found:

PS C:\Windows\system32> Set-ADObject (Get-ADRootDSE).DefaultNamingContext -Remove @{wellKnownObjects = "B:32:AA312825768811D1ADED00C04FD8D5CD:OU=SBSComputers\0ADEL:4e10ac07-6894-43cb-a7b7-cca05f90a74b,CN=Deleted Objects,DC=XXXXXXX,DC=local" } -Add @{wellKnownObjects ="B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=XXXXXXX,DC=local" } -server AD.XXXXXXX.local

Set-ADObject : Directory object not found
At line:1 char:1
+ Set-ADObject (Get-ADRootDSE).DefaultNamingContext -Remove @{wellKnownObjects = " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (DC=XXXXXXXXX,DC=local:ADObject) [Set-ADObject], ADIdentityNotFoundExce
   ption
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M
   icrosoft.ActiveDirectory.Management.Commands.SetADObject

Tried through ADSI Edit and the AD Explorer tool, but not able to modify this entry.

PS C:\Windows\system32> redircmp "CN=Computers,DC=XXXXXXX,DC=local"
Error, unable to modify the wellKnownObjects attribute. Verify that
the domain functional level of the domain is at least Windows Server 2003:
No Such Object
Redirection was NOT successful.

The server is running with Forest and Domain functional level 2012 R2, but still the command fails. The only way to get over this is to change the Default Computer Object of wellKnownObjects to a valid OU. I checked even third-party tools, which also fail to accomplish this.

Any assistance on this would be much appreciated.

The responses from the SBS forums can be viewed from the below URL:

https://social.technet.microsoft.com/Forums/en-US/af3b856f-9986-4950-913f-fbbe70d079f4/wellknownobjects-ad-container-pointing-to-old-deleted-object?forum=smallbusinessserver2011essentials

Regards.
Jay
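As an added illustration (not code from the original post), this PowerShell script lists the domain's wellKnownObjects values, decodes the B:32:GUID:DN form and flags entries whose target is a tombstone or no longer resolves, printing the exact stored string because -Remove on a multi-valued attribute only matches a value identical character for character to what is stored. The ActiveDirectory module, the -Server parameter and the GUID label table (Windows' documented well-known container GUIDs; only Users and Computers appear in the post) are assumptions.

```powershell
# Added example (not code from the original post): report the state of each
# wellKnownObjects entry on the domain naming context so a dangling container
# entry (as in the post) can be identified and its stored value quoted verbatim.
# Assumes the ActiveDirectory module; -Server is an assumed parameter name.
param([string]$Server = (Get-ADDomainController -Discover).HostName)

Import-Module ActiveDirectory

# Labels for the container GUIDs as stored (32 hex digits, no dashes); the two
# that appear in the post are Users (A9D1...) and Computers (AA31...).
$labels = @{
    'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
    'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
    'AB1D30F3768811D1ADED00C04FD8D5CD' = 'System'
    'A361B2FFFFD211D1AA4B00C04FD7D83A' = 'Domain Controllers'
    '18E2EA80684F11D2B9AA00C04F79F805' = 'Deleted Objects'
    '2FBAC1870ADE11D297C400C04FD8D5CD' = 'Infrastructure'
    'AB8153B7768811D1ADED00C04FD8D5CD' = 'LostAndFound'
    '22B70C67D56E4EFB91E9300FCA3DC1AA' = 'ForeignSecurityPrincipals'
}

function Get-WellKnownObjectStatus {
    param([string]$Server)
    $nc  = (Get-ADRootDSE -Server $Server).defaultNamingContext
    $dom = Get-ADObject -Identity $nc -Properties wellKnownObjects -Server $Server
    foreach ($value in $dom.wellKnownObjects) {
        # Stored form is B:<hex length>:<GUID>:<DN>. Split on the first three colons
        # only, since the DN itself may contain colons (the \0ADEL: tombstone marker).
        $parts = $value -split ':', 4
        if ($parts.Count -ne 4 -or $parts[0] -ne 'B') { continue }
        $guid  = $parts[2].ToUpper()
        $dn    = $parts[3]
        $label = if ($labels.ContainsKey($guid)) { $labels[$guid] } else { "unknown ($guid)" }
        $state = 'OK'
        if ($dn -match '\\0ADEL:' -or $dn -match 'CN=Deleted Objects,') {
            # The target was deleted; the entry now points at a tombstone
            $state = 'DANGLING (tombstone)'
        } else {
            try   { $null = Get-ADObject -Identity $dn -Server $Server -ErrorAction Stop }
            catch { $state = 'MISSING (DN does not resolve)' }
        }
        [pscustomobject]@{
            Container   = $label
            State       = $state
            TargetDN    = $dn
            StoredValue = $value   # quote this verbatim in -Remove @{wellKnownObjects=...}
        }
    }
}

$status = Get-WellKnownObjectStatus -Server $Server
$status | Format-Table Container, State, TargetDN -AutoSize
# Print the exact stored strings for anything that needs repair
$status | Where-Object State -ne 'OK' | Select-Object -ExpandProperty StoredValue
```

Compare the StoredValue printed for the Computers entry with the string passed to -Remove before retrying Set-ADObject; any difference in spacing or the DN, however small, makes the removal fail.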


Eliminate Domain Needed when Sign in to ADFS 3.0

Hello, 

So I want to customize AD FS 3.0 so that users don't need to enter the domain (just their username) in the username box.

Then I found this article:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn636121(v=ws.11)

Then I tried Example 1 (change the "Sign in with organizational account" string) and Example 2 (accept SAM-account name as a login format on an AD FS form-based sign-in page), just to know if they work.

But apparently nothing works. How can I verify whether the JS is already right?

Any Help/Clue? Thanks :)

Windows Security Log Event ID 4776 on DC

I have a 2008 R2 DC with Windows 7 client.

When I log in to the client PC using a local account instead of a domain account, several event log entries are logged on the DC, as shown below.

What is causing this event, and what is a possible solution?

%NICWIN-4-Security_4776_Microsoft-Windows-Security-Auditing: Security,rn=425496272 cid=972 eid=672,Mon Jul 02 06:21:08 2018,4776,

Microsoft-Windows-Security-Auditing,,Audit Failure,dc01.contoso.net,Credential Validation,,The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: CLIENT-PC01 Error Code: 0xc000006a 
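As an added example (not from the original post), this PowerShell code parses Security 4776 records in the syslog-style layout quoted above and groups credential-validation failures by account, source workstation and NTLM status code, so that a run of 0xC000006A (bad password) from one workstation stands out. The status-code table is from Microsoft's documentation of event 4776; all sample lines are constructed.

```powershell
# Added example (not from the original post): summarise 4776 failures per
# (account, workstation, status code) from lines in the format quoted above.

# Status codes documented for event 4776 (Credential Validation)
$Status4776 = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'bad password'
    '0xC000006F' = 'logon outside permitted hours'
    '0xC0000070' = 'workstation restriction'
    '0xC0000071' = 'password expired'
    '0xC0000072' = 'account disabled'
    '0xC0000193' = 'account expired'
    '0xC0000234' = 'account locked out'
}

function ConvertFrom-Event4776 {
    # Extract account, workstation and status code from each 4776 line
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch 'Security_4776') { continue }
        $account = if ($line -match 'Logon Account:\s*(\S+)') { $Matches[1] } else { '' }
        $station = if ($line -match 'Source Workstation:\s*(\S+)') { $Matches[1] } else { '' }
        $code    = if ($line -match 'Error Code:\s*0x([0-9A-Fa-f]+)') { '0x' + $Matches[1].ToUpper() } else { '0x0' }
        $meaning = if ($Status4776.ContainsKey($code)) { $Status4776[$code] } else { 'unknown' }
        [pscustomobject]@{ Account = $account; Workstation = $station; Code = $code; Meaning = $meaning }
    }
}

function Get-Event4776Summary {
    # Count failures per (account, workstation, code); mark bad-password bursts for review
    param([string[]]$Lines, [int]$Threshold = 3)
    ConvertFrom-Event4776 -Lines $Lines |
        Where-Object { $_.Code -ne '0x0' } |              # 0x0 is a successful validation
        Group-Object -Property Account, Workstation, Code |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Account     = $first.Account
                Workstation = $first.Workstation
                Code        = $first.Code
                Meaning     = $first.Meaning
                Count       = $_.Count
                Review      = ($_.Count -ge $Threshold -and $first.Code -eq '0xC000006A')
            }
        } | Sort-Object Count -Descending
}

# Constructed sample lines in the same layout as the record quoted in the post
function New-SampleLine([string]$Account, [string]$Station, [string]$Code) {
    '%NICWIN-4-Security_4776_Microsoft-Windows-Security-Auditing: Security,rn=1 cid=972 eid=672,' +
    'Mon Jul 02 06:21:08 2018,4776,Microsoft-Windows-Security-Auditing,,Audit Failure,dc01.contoso.net,' +
    'Credential Validation,,The computer attempted to validate the credentials for an account. ' +
    'Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: ' + $Account +
    ' Source Workstation: ' + $Station + ' Error Code: ' + $Code
}
$sample = @(
    New-SampleLine 'Administrator' 'CLIENT-PC01' '0xc000006a'
    New-SampleLine 'Administrator' 'CLIENT-PC01' '0xc000006a'
    New-SampleLine 'Administrator' 'CLIENT-PC01' '0xc000006a'
    New-SampleLine 'jdoe'          'CLIENT-PC07' '0xc0000064'
    New-SampleLine 'svc-backup'    'SRV-FILE01'  '0x0'
)
Get-Event4776Summary -Lines $sample | Format-Table -AutoSize
```

On a real DC the same functions can be fed the message text of Get-WinEvent results for event 4776 instead of the constructed lines; the Source Workstation column then shows which client is generating the failures.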

Folder redirection does not work as expected

Hi

We have a strange issue. We have the Home folder in user profiles set as the H: drive mapped to \\servername\Home$\%username%, and it is mapped fine, and folder redirection set via Group Policy as "Setting: Redirect everyone's folder to the same location" and "Target folder location: Redirect to the user's home folder".

All PCs are Windows 7; the domain is Windows 2008 and 2012.

But folder redirection creates a "Documents" folder under \\servername\Home$ (rather than under \\servername\home$\username) and redirects into that folder.
Has anybody had the same issue?

Thanks

"Drive is not accessible. Access is denied"

Hi Team,

I would like to inform you that I am facing a problem with "Drive is not accessible. Access is denied".

I have a VMware environment where I have created multiple machines with C and D drives. Now a user takes the VM on remote; after some time the user is not able to access the drive and gets the error message "Drive is not accessible. Access is denied".

When the affected VM is joined to the domain again, the problem is solved and the D drive is accessible, and then again after some time the user faces the same problem.

please help me on this matter.

Enable LDAPS

We want to enable LDAPS on our domain controllers. The third-party CA wants the request file to include the following things:

E-Mail address
Common Name
Organizational Unit
Locality (City)
State/Province
Country

Hence, do these attributes need to be specified with a value in the attribute editor? Currently there is no value defined for these attributes on the domain controllers on which I want to enable LDAPS.

Also, the hash algorithm should be at least SHA256, so should I include the line HashAlgorithm = SHA256 in the .inf file?


How to transfer roles from additional domain controller 2008 to new ADC 2016

Hi All,

Recently we migrated all FSMO roles from a 2008 domain controller to a DC 2016 on a new server. We don't have DHCP on the primary DC 2016 at head office. We have one ADC 2008 R2 at a branch office and it has the DHCP role, so how can we transfer DHCP to the new ADC 2016 server?

Regards,

Agha

Unable to connect to LDAPS

I installed an LDAPS certificate on my domain controller; however, when I use LDP to make a connection on port 636, I get the error:

Error <0x51>: Fail to connect ldaps

Any suggestions to resolve this issue?



Track Service Account

Dear All,

Is there any way to track the computer that used the service account? For example, if user X used ServiceAccount@test.com from his computer, can I get his computer name? Is there any tool, script or PS command to get this kind of information?

I have an audit tool showing when and where that account has been used, but there are a few users using this service account and it's difficult to know who used it and made any changes.

Best Regards,


Password SYNC from ADDS to LDS!!

Hi,

Any suggestions or links on how I can sync passwords from AD DS to AD LDS?

Trusted forest with DC shared same AD site and same subnet

Hello All,

I have a question about a specific AD configuration.

We have a forest trust between 2 forests (A and B).

We want to add a new DC from forest A in the datacenter of forest B, in the same subnet where forest B DCs are already installed.

So we will use the same subnet and AD site name for DCs from different forests.

At first, there should not be any problems, but I just want to be sure.

Thanks,

Microsoft Active Directory Lightweight Directory Services (AD LDS) to allow ldap authentication for third party applications

We are thinking of implementing Microsoft Active Directory Lightweight Directory Services (AD LDS) to allow LDAP authentication for third-party applications.
Some applications require AD schema modification, and we are trying to avoid that by implementing AD LDS, as we can have the new attributes in AD LDS rather than extending the AD schema.
Has anyone implemented this and is there a guide available for this implementation?

And what is the best way to test this before implementing in production?

How to sync certificates generated by external Root CA with internal CA

Hello All,

I have 3 zones (internet, intranet and DMZ). The internet and intranet zones are physically separated and in different domains. I need to build a standalone root CA in the DMZ zone, common for both the internet and intranet zones, and this root CA in the DMZ zone has to be able to sync/import certificates generated by the external root CA. How do I achieve this?


Thanks

Forest and domain functional levels only show "Windows Server" available (from Windows Server 2012 R2)

I recently migrated our DCs from Server 2008 R2 to Server 2016. We now have four Server 2016 DCs and no others. When I went to raise the domain and forest functional levels from Server 2008 R2, I saw "Windows Server 2012/R2" and "Windows Server" as options. I raised both to "Windows Server 2012 R2" successfully. I wasn't sure if "Windows Server" is supposed to represent Server 2016 or not. Now that both domain and forest functional levels are at "Windows Server 2012 R2", "Windows Server" is still there as an option. As I mentioned, I'm guessing it represents "Windows Server 2016", but I just wanted to get some feedback to make sure. There are some features from AD 2016 that I'm interested in, so I definitely want to be at the highest functional level that I can be. Thanks in advance.

Über Random

Question about Windows Server 2008 R2 and Exchange 2010 upgrade with Domain rename at the same time

Does anyone have any experience with a Windows Server 2008 R2 and Exchange 2010 upgrade? Would you mind sharing your experience?

Here is my environment:

Current:
    AD: Windows Server 2008 R2 and Exchange 2010 (in the same physical machine)

Target:
    AD: Upgrade to Windows Server 2016 (it is a new physical server)
    Exchange: Upgrade to Exchange 2016 (install on the same Windows Server 2016)

Other requirement:
    Current domain is using aaaaaaaaa.com and zh.aaaaaaaaa.com
    We would like to change it to bbbbbbbbb.com (our company name changed, and we will merge the 2 old domains into one domain)

Do you have any related information for our reference?

I want to know, is it possible to do the above migration at the same time? (install the new server, migrate AD and Exchange and rename our domain, to reduce downtime for users)

Is it possible to clean install / migrate?

    e.g. is it possible to clean install Windows Server 2016 and Exchange 2016, then export / import the "necessary data" from the old one to the new one, not just migrate all the things from the old one?

Thanks!



Conduct Test-ComputerSecureChannel on client, succeed on secondary dc02 but failed on primary dc01.

Hi All,

I created a VM lab environment to test the planned AD setup. I have DC01 (primary) and DC02 (secondary) running on Windows Server 2012 R2. I also set up a client running Win 7 Pro.

When I test using Test-ComputerSecureChannel, things are looking good on DC02. On the client machine, the test went through with server DC02 but not with server DC01.

Any tips will be appreciated!

The screenshot below is from testing on the primary DC01. From what I searched in the forum, an error on the primary DC is normal.


Below is the screenshot of testing on DC02.


Below is the screenshot of testing on the client. The test is good with DC02 but failed with DC01.


Latency on a domain workstation when accessing a network share.
This is the first time I've ever posted a question on any blog, but I'm at my wits' end. I have a domain with about 50 users. I have one system that, when trying to access a file share on a server in the domain, takes an extraordinary amount of time to load, but eventually will, if you just let it do its thing. It doesn't matter what profile I log in with (user or admin); the problem is the same.

I took the system off the user's desk and connected it at my desk. Everything works fine. Files load quickly. So I thought it was something on that network port. To test, I brought a different system to that user's desk and connected it. Oddly, the connection to the shares was fast and loaded quickly on both a user and an admin profile. I put the user's system back and the problem returned.

I can access the internet no problem, no latency. I can ping the server at less than 1 ms. I flushed the DNS. I cleared the ARP. I updated everything. I tried in Safe Mode. I disabled add-ons. I added the server to the hosts file. I don't know what else it could be.

Why does it work at a different network jack, and why does a different system work on that jack?

Any help is greatly appreciated.

Active Directory Users export and import another domain

Hi Team,

I have an MZ (10.X.x.x) and DMZ (192.X.x.x) network environment here. The requirement is:

One MZ domain is abc.com and another DMZ domain is xyz.com.

We need to export the MZ domain users, with all objects and their respective OUs, and import them into the other DMZ domain, xyz.com.

Please help with this.

Thanks 

Bhaskar B


Bhaskar B Exchange Administrator

Unable to login Secondary Domain Controller. The username or password is incorrect

Hi,

Previously my secondary DC (server name "sdc") was down, so I booted up the image backup of the same server as a virtualized server on another computer.

Once I fixed my secondary DC server, I shut down the virtualized server and let the actual secondary DC run.

I could log in with no problem. The primary DC (server name "pdc") and secondary DC could ping each other.

Everything went well until the next morning, when I found out I couldn't log into the secondary DC anymore. The error message says "The username or password is incorrect". The primary DC and secondary DC can ping each other though. Both my servers are running Windows Server 2008.

Below is an extract from the dcdiag command:


      " Starting test: Replications
        [Replications Check, PDC] A recent replication attempt failed:
          From SDC to PDC
          Naming Context: DC=ForestDnsZones,DC=xyz,DC=com,DC=my
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2018-07-19 09:56:07.
            The last success occurred at 2018-07-18 12:10:24.
            24 failures have occurred since the last success.
        [SDC] DsBindWithSpnEx() failed with error -2146893022,
        The target principal name is incorrect..

        [Replications Check,PDC] A recent replication attempt failed:
            From SDC to PDC
            Naming Context: DC=DomainDnsZones,DC=xyz,DC=com,DC=my
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2018-07-19 09:56:07.
            The last success occurred at 2018-07-18 12:11:41.
            28 failures have occurred since the last success.

        [Replications Check,PDC] A recent replication attempt failed:
            From SDC to PDC
            Naming Context: CN=Schema,CN=Configuration,DC=xyz,DC=com,DC=my
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2018-07-19 09:56:07.
            The last success occurred at 2018-07-17 16:51:50.
            43 failures have occurred since the last success.

        [Replications Check, PDC] A recent replication attempt failed:
            From SDC to PDC
            Naming Context: CN=Configuration,DC=xyz,DC=com,DC=my
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2018-07-19 09:56:07.
            The last success occurred at 2018-07-17 16:51:50.
            42 failures have occurred since the last success.

        [Replications Check, PDC] A recent replication attempt failed:
            From SDC to PDC
            Naming Context: DC=xyz,DC=com,DC=my
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2018-07-19 09:56:07.
            The last success occurred at 2018-07-18 12:12:46.
            23 failures have occurred since the last success.

        ......................... PDC failed test Replications
      Starting test: RidManager
        ......................... PDC passed test RidManager
      Starting test: Services
        ......................... PDC passed test Services
      Starting test: SystemLog
        An Error Event occurred.  EventID: 0x40000004
            Time Generated: 07/19/2018  09:54:36
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sdc$. The target name used was cifs/Sdc.xyz.com.my. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XCZ.COM.MY) is different from the client domain (XYZ.COM.MY), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

        An Error Event occurred.  EventID: 0x40000004
            Time Generated: 07/19/2018  09:56:07
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sdc$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/e92efb8d-1c9d-4412-9766-09eae008a05c/xyz.com.my@xyz.com.my. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XYZ.COM.MY) is different from the client domain (XYZ.COM.MY), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

        An Error Event occurred.  EventID: 0x40000004
            Time Generated: 07/19/2018  10:11:21
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sdc$. The target name used was LDAP/e92efb8d-1c9d-4412-9766-9eae008a05c._msdcs.xyz.com.my. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XYZ.COM.MY) is different from the client domain (XYZ.COM.MY), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

        ......................... PDC failed test SystemLog    "

 

As I am a novice, I hope you guys can help me out here.

 

Thank you all.


kinit: Cannot find KDC for realm "contoso.com" while getting initial credentials.

Hi,


Our application team is in the process of configuring an Oracle-based HR application with our domain controllers. There are no connectivity issues between the application server and the domain controllers. When they connect, they get the error below.


kinit: Cannot find KDC for realm "contoso.com" while getting initial credentials.


Please let us know how to avoid this.


Regards,

Kavindu

