Channel: Directory Services Forum

All 2008 R2 DCs have same issue


Hi,

We have about 15 DCs, some 2003 and some 2008R2. The 2003 ones are all good but the 2008 R2 ones seem to have strange things going on.

1. Cannot ping from unelevated command prompt, not even 127.0.0.1. Elevated command prompt is fine.

If you try to you get:

PING: transmit failed. General failure.

2. Under computer management, event viewer, applications and services logs, the following logs produce this error:

"event viewer cannot open the event log or custom view. Verify that event log service is running or query is too long. Access is denied (5)"

The logs this happens to are:

Active directory web services

DFS replication

Directory Service

DNS Server

File Replication Service

Operations Manager

Other logs are fine. The one thing to note is that the file that is supposed to contain the log does not exist; for example, "%SystemRoot%\System32\Winevt\Logs\Active Directory Web Services.evtx" points to a file which does not exist.

Very odd for 6 different DCs to have this.

Any ideas?
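An added diagnostic for the symptom described in this post (not code from the thread or from Microsoft): it walks the channels named above, reads each channel's configured log file path, checks whether that .evtx file actually exists on disk, and records whether the channel can be opened at all. Running it on an affected 2008 R2 DC and on a healthy one gives a side-by-side comparison instead of clicking through Event Viewer. It assumes an elevated PowerShell session on the DC; the channel list is the one from the post and can be replaced.

```powershell
# Added example: report event log channels whose configured .evtx file is missing
# and whether the channel opens. Assumes an elevated PowerShell session on the DC.

function Get-EventLogChannelHealth {
    param(
        # Channels to check; defaults to the ones listed in the post
        [string[]]$LogName = @(
            'Active Directory Web Services',
            'DFS Replication',
            'Directory Service',
            'DNS Server',
            'File Replication Service',
            'Operations Manager'
        )
    )

    foreach ($name in $LogName) {
        # -ListLog returns the channel configuration (EventLogConfiguration);
        # an access-denied channel may fail even this call, so keep the error text
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue -ErrorVariable listErr
        if (-not $cfg) {
            [pscustomobject]@{
                LogName        = $name
                ConfigReadable = $false
                FilePath       = $null
                FileExists     = $null
                Opens          = $false
                Error          = ($listErr | Select-Object -First 1).Exception.Message
            }
            continue
        }

        # LogFilePath is stored with %SystemRoot% unexpanded
        $path  = [Environment]::ExpandEnvironmentVariables($cfg.LogFilePath)
        $opens = $true
        $err   = $null
        try {
            # Reading one record forces the channel to open; "Access is denied (5)"
            # surfaces here. An empty but healthy log throws "No events were found".
            $null = Get-WinEvent -LogName $name -MaxEvents 1 -ErrorAction Stop
        } catch {
            if ($_.Exception.Message -notmatch 'No events were found') {
                $opens = $false
                $err   = $_.Exception.Message
            }
        }

        [pscustomobject]@{
            LogName        = $cfg.LogName
            ConfigReadable = $true
            FilePath       = $path
            FileExists     = Test-Path -LiteralPath $path
            Opens          = $opens
            Error          = $err
        }
    }
}

Get-EventLogChannelHealth | Format-Table -AutoSize
```

A channel with `FileExists = False` and `Opens = False` on every 2008 R2 DC but not on the 2003 ones points at something applied uniformly to those hosts (a policy, a hardening script, a folder ACL) rather than at a single corrupt log file, which is the distinction worth establishing before repairing anything.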


Is there a way to see how many users and devices connect to active directory per week or month?


Hi,

As the title says, really: is there a way to see how many users and devices connect to Active Directory per week or month?

Thanks

Mac
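One way to approximate this, added here as an example rather than taken from the thread: count the enabled user and computer accounts whose replicated lastLogonTimestamp attribute falls inside a window of N days. It assumes the RSAT ActiveDirectory module and a forest at Windows Server 2003 functional level or higher (where lastLogonTimestamp is replicated); the OU search base is optional.

```powershell
# Added example: count user and computer accounts active within the last N days,
# based on the replicated lastLogonTimestamp attribute.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RecentLogonCounts {
    param(
        [int]$Days = 30,
        [string]$SearchBase   # optional OU or domain DN; omit for the whole domain
    )

    # lastLogonTimestamp is a FILETIME (100-ns ticks since 1601-01-01 UTC),
    # so the cutoff must be converted to the same representation
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days).ToFileTimeUtc()

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule; bit 2 = ACCOUNTDISABLE
    $params = @{
        LDAPFilter = "(&(lastLogonTimestamp>=$cutoff)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        Properties = 'lastLogonTimestamp'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    $users     = @(Get-ADUser     @params)
    $computers = @(Get-ADComputer @params)

    [pscustomobject]@{
        WindowDays      = $Days
        ActiveUsers     = $users.Count
        ActiveComputers = $computers.Count
    }
}

Get-RecentLogonCounts -Days 30
Get-RecentLogonCounts -Days 7
```

The caveat that matters: a DC only rewrites lastLogonTimestamp when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random 0 to 5 days), so the attribute is good for a monthly "is this account in use" count and will undercount a weekly one. For true weekly figures, query the non-replicated lastLogon attribute on every DC and take the newest value, or count logon events (4624, 4768) collected from the DCs' Security logs.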


AD Forest graphical Port Overview Server/Clients


Hi guys,

I'm searching for a graphical overview of the AD ports that have to be open in a forest and its domains between all servers and their clients.

In our environment servers and clients are located in their own subnets, and only subnet-to-subnet traffic is blocked by the firewall.

Something in Visio would be good but could be in another format.

Forest/Domain 2008 R2


Kind regards,

Tim
MCITP, MCTS
http://directoryadmin.blogspot.com

This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.

If this thread answered your question, please click on "Mark as Answer".

Domain login problem


I have a small forest with a root domain and a child domain with two DCs in each domain.

The first DC (PDSvr1) has the roles PDC, RID, Infrastructure, DNS, WINS, DHCP.

The second DC (PDSvr2) has the roles Catalog, DNS, WINS.

When the network status is OK there is no problem to login to the domain for users as well as directly on the server console.

However, when there is a network problem between the two DCs, users cannot log in even though they have a network connection to either DC.

The weirdest thing is that it is not possible to log in at the PDSvr1 console either. I would expect that PDSvr1 locally has all the information it needs to verify/authenticate the admin user login.

When the network connection between the two DCs is OK again, the logins also work OK again.

The same problem applies for the servers and users in the child domain.

Can anyone explain this phenomenon?

the directory service is busy when trying to remove domain controller from trust


I am receiving this error indicating I need to have all my user accounts and trusts using Advanced Encryption Standard (AES) or RC4 Kerberos encryption keys:

"Title:

CN=petersonax64,CN=System,DC=peterson2ax64,DC=fhpeterson,DC=fhpetersonmachine,DC=com should not be configured for DES only

Severity:

Error

Date:

2/4/2013 9:31:35 AM

Category:

Configuration

Issue:

A user account or trust for domain peterson2ax64.fhpeterson.fhpetersonmachine.com is configured for Data Encryption Standard (DES) only. DES is considered weak cryptography and is no longer enabled by default in Kerberos authentication in Windows 7 and Windows Server 2008 R2.

Impact:

User accounts and trusts configured for DES only will have authentication failures.

Resolution:

User accounts and trusts should use Advanced Encryption Standard (AES) or RC4 Kerberos encryption keys.

More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=168859"

When I try to remove the trust that will not allow me to add the higher level of security I get "the directory service is busy" error. I have tried to force it out at the command prompt and it says it completed, but the trust is still listed in AD Domains and Trusts.

The trust appears to be with a local domain controller. We only have one domain and I was not here when this was set up.

Any help would be greatly appreciated. We are having problems browsing the network by name, but not all the time, and DNS appears to be working correctly.
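Before touching the trust, it helps to see exactly which objects the BPA rule is complaining about. The script below is an added example, not part of the thread or of Microsoft's BPA: it lists user accounts that carry the USE_DES_KEY_ONLY flag or whose msDS-SupportedEncryptionTypes allow DES only, and lists the trustedDomain objects under CN=System (where the DN quoted in the BPA message lives) with their encryption types. It assumes the RSAT ActiveDirectory module and reads the domain DN from the current domain rather than using the names in the post.

```powershell
# Added example: enumerate DES-only user accounts and trusts, the objects the BPA
# "should not be configured for DES only" rule flags. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

# userAccountControl bit USE_DES_KEY_ONLY
$UF_USE_DES_KEY_ONLY = 0x200000
# msDS-SupportedEncryptionTypes bits: DES-CBC-CRC=1, DES-CBC-MD5=2, RC4=4, AES128=8, AES256=16
$DES_BITS    = 0x03
$STRONG_BITS = 0x1C

function Get-DesOnlyUsers {
    # 1.2.840.113556.1.4.803 = bitwise AND, 1.2.840.113556.1.4.804 = bitwise OR
    $filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UF_USE_DES_KEY_ONLY)" +
              "(&(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=$DES_BITS)" +
              "(!(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=$STRONG_BITS))))"
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            [pscustomobject]@{
                ObjectType        = 'user'
                Name              = $_.SamAccountName
                DN                = $_.DistinguishedName
                DesOnlyFlag       = [bool]($_.userAccountControl -band $UF_USE_DES_KEY_ONLY)
                SupportedEncTypes = $_.'msDS-SupportedEncryptionTypes'
            }
        }
}

function Get-TrustEncryptionTypes {
    # Trusted domain objects live under CN=System,<domain DN>
    $systemDn = 'CN=System,' + (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase $systemDn -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustAttributes, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            $enc = $_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                ObjectType        = 'trust'
                Name              = $_.trustPartner
                DN                = $_.DistinguishedName
                SupportedEncTypes = $enc
                # Flag only a trust whose enc types are explicitly set to DES with no RC4/AES bit
                DesOnly           = ($null -ne $enc) -and
                                    (($enc -band $DES_BITS) -ne 0) -and
                                    (($enc -band $STRONG_BITS) -eq 0)
            }
        }
}

Get-DesOnlyUsers          | Format-Table -AutoSize
Get-TrustEncryptionTypes  | Format-Table -AutoSize
```

Two points a practitioner will want alongside the output. First, a trust object whose msDS-SupportedEncryptionTypes is unset is not DES-only; the BPA message names a specific DN, so match that DN against the list rather than assuming every trust is affected. Second, changing the encryption types on an account or trust does not by itself create AES keys: those are derived when the password is next set, so a user needs a password reset and a trust needs its trust password reset (for example, by resetting the trust in AD Domains and Trusts) after the attribute change.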

Managing multiple non-trusted domains through ADAC


Within our company we have many forests/domains, and at this point in time there are two in particular we are not permitted to add any trust between, even though there are network connections between the sites where the servers are hosted.

A simplified example of what we have is:

Domain controller #1:  dc.foo.com  (part of the foo.com domain)

Domain controller #2:  dc.bar.com  (part of the bar.com domain)

A server:  server.foo.com (part of the foo.com domain with ADAC installed)

So I can remote desktop onto server.foo.com and use ADAC to work with the foo.com domain. I would very much like to use ADAC on this machine to work with the bar.com domain in a similar manner. I even have bar.com domain admin credentials; however, I can't see any way of adding a non-trusted domain into ADAC so I can manage it.

Can anyone advise me how I can achieve what I need to do?

Cheers!


Single Windows Server 2003 DC has ERROR issue with Active Directory access


When trying to access Active Directory Users and Computers I get the following error: "The naming information cannot be located for the following reason: the server is not operational."

The server is authenticating users and allowing users access to shared folders.

I have uninstalled antivirus and eliminated possible issues with the Broadcom NIC installed; I believe that it is a Microsoft issue.

This is a single DC in a small domain. AD was running from the DC. Exchange was running from the same DC.

I am in the same case as http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/964ca0ff-3264-4f00-bda1-5ed3a3cc2801/ but with other little differences.


The diagnostic tests returned:

C:\Documents and Settings\aymen>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : serveur
   Primary Dns Suffix  . . . . . . . : ct-fr.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ct-fr.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC7761 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-14-38-4E-B6-43
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.69.64
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.69.69
   DNS Servers . . . . . . . . . . . : 192.168.69.64
   Primary WINS Server . . . . . . . : 192.168.69.64

----------

C:\Documents and Settings\aymen>netdom query FSMO

Schema owner                serveur.ct-fr.local
Domain role owner           serveur.ct-fr.local
PDC role                        serveur.ct-fr.local
RID pool manager            serveur.ct-fr.local
Infrastructure owner        serveur.ct-fr.local

The command completed successfully.

------------

C:\Documents and Settings\aymen>dcdiag /q
         The host 96c74848-da83-40c9-87d5-d811785c1311._msdcs.ct-fr.local could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (96c74848-da83-40c9-87d5-d811785c1311._msdcs.ct-fr.local) couldn't be
         resolved, the server name (serveur.ct-fr.local) resolved to the IP
         address (192.168.69.64) and was pingable.  Check that the IP address
         is registered correctly with the DNS server.
         ......................... SERVEUR failed test Connectivity


----------

   DNS Events

Event Type:    Error
Event Source:    DNS
Event Category:    None
Event ID:    4000
Date:        2/7/2013
Time:        10:43:05 PM
User:        N/A
Computer:    SERVEUR
Description:
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

and

Event Type:    Warning
Event Source:    DNS
Event Category:    None
Event ID:    4013
Date:        2/7/2013
Time:        10:32:29 PM
User:        N/A
Computer:    SERVEUR
Description:
The DNS server was unable to open the Active Directory.  This DNS server is configured to use directory service information and can not operate without access to the directory.  The DNS server will wait for the directory to start.  If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.

----

Running DNSMGMT.MSC:

There was no _msdcs.ct-fr.local and no ct-fr.local, or any other for that matter.

I did try to create it, and got the following error: "The zone cannot be created. There was a server failure."


And when:

 - I try to create a ct-fr.local zone: right-click Forward Lookup Zones, New Zone, type in ct-fr.local, place the zone in the DomainDnsZones (middle button) replication scope, allow secure updates on the zone.

     The zone cannot be created, there was a server failure...

 - I try to create a _msdcs.crl.lan zone: right-click Forward Lookup Zones, place it in the ForestDnsZones (top button) replication scope, allow secure updates on the zone.

    The zone cannot be created, there was a server failure...


 ----------------

C:\Documents and Settings\aymen>dnscmd /enumdirectorypartitions
Enumerated directory partition list:

        Directory partition count = 0


Command completed successfully.

---------------

C:\Documents and Settings\aymen>dnscmd serveur.ct-fr.local /EnlistDirectoryPartition ct-fr.local
Enlist directory partition failed: ct-fr.local
    status = 9717 (0x000025F5)

Command failed:  DNS_ERROR_DS_UNAVAILABLE     9717  (000025f5)


Can you help please?


Preventing a site from authenticating to a remote DC?


Hello,

I'm trying to set up a domain trust between 2 Windows 2003 native domains. I have done this before, and I can see that DNS is working between sites and the required ports are open. However, the trust fails when I try using the wizard from AD Domains and Trusts. When I remote onto the DC at the remote site and ping the domain name of the domain I want to create the trust with, it pings a remote DC at the other site and fails. They have many DCs at the local site, so why does it go to the remote DC over a slower link?

Is there a way to get the site to always use certain DCs?

Thanks


In-Place upgrade of Windows 2008 to Windows 2008 R2 DC

Hub and Spoke config in Sites and Services


I have a question about a hypothetical sites and services configuration.

  • There are 10 sites in a hub and spoke WAN infrastructure (only one hub)
  • The spokes cannot talk to each other
  • There is just one "site link" object (not a site link bridge) that contains all the sites
  • "Bridge all site links" is disabled

Would this work correctly? Meaning, would the ISTG only generate connection objects on each spoke site to the hub and not to other spokes? Or will the spoke sites still think they can talk to each other even though I disabled "Bridge all site links"?

Initially I thought for a hub and spoke with non-routed spokes I would have to create a link for each spoke site to the hub, but if this configuration works correctly it would be much cleaner.



DMZ, 1-way trust and RODCs


Quick description of the setup:

Internal forest/domain - internal.local

dmz forest/domain - external.local

There's a 1-way trust where external trusts internal. There are also RODCs for internal that sit in the DMZ. There is a site set up that includes the subnets that make up the DMZ, and the RODCs are in that site. I have a group policy that adds a group from internal.local to the local Administrators group for every server joined to external.local. This works and I can log in with an internal.local account.

The issue is that when I try to manually add a group/account from the internal.local domain to a group on a member server in external.local, it takes a very long time to get the list of domains you can select. Then trying to search internal.local only returns results a small fraction of the time. And even when it returns results, I can never actually add the account. It says the domain cannot be contacted.

Running Wireshark shows that the external.local member server is trying to make CLDAP connections to every internal.local domain controller and not going through the RODC. Is there some other configuration I have to make so that it uses the RODCs to search AD?

Thanks,

Rich

Delegation - Templates could not be applied


We had been using the Account Operators group in Active Directory for our Helpdesk, but suddenly people were getting access denied errors. To resolve this I was trying to use delegation. However, whenever I try to do any delegation I get the following: "The templates could not be applied. One or more of the templates is not applicable."

I have checked to make sure the delegwiz.inf file is there on the domain controller, which it appears to be, and it can be seen to contain templates.

Anyone have any ideas?

Offline DFS Server Removal: Server 2008 R2

Can someone tell me the steps to cleanly remove a Windows 2008 R2 DFS server that is offline? Thanks.

How to size hardware for Active Directory for 100 users

What is the minimum CPU/memory/hard disk space required for 100 users?

Question about zones intermixed with domain


Hello,

Say I am using an AD domain set up on a subdomain of a registered external domain name. For instance: mycompany.foo.com.

prefix = mycompany
suffix= foo.com

Internally, I want access to external sites which are part of the foo.com domain. At first glance, I would think to implement a new zone for foo.com, and then add the sites underneath that zone. For instance: site1.foo.com, site2.foo.com, site3.foo.com.... site1000.foo.com.

I have created this in a lab scenario, and what happens is mycompany becomes a site underneath the foo.com zone that I created. My questions are:

1. Will this break anything AD DS related?
2. Is there another way that I should go about implementing this?

Any help is greatly appreciated!

Thanks,

Jeff


Server 2008 R2 Certificate Services


We currently have a Windows Server 2003 domain, but I am looking to install a Server 2008 R2 two-tier PKI infrastructure. Our forest root domain is empty and the cert servers will be installed in a child domain. Are there any issues I need to address to do this? We want to get our certs working on 2008 R2 before we upgrade our domain to 2008. I am also looking for some articles so I get it done right. Any help or suggestions would be greatly appreciated.

Thanks.


Russ

ADSI SetPassword(string) does not respect password policy while resetting password


Hello All,

We want to reset passwords from OIM while respecting the password policy, without sending the old password.

In the Active Directory connector, the SetPassword(string NewPassword) method of the IADsUser class is called to reset the password. Password complexity and password length requirements are checked, but password history is not checked.

There is a method ChangePassword() which takes in both the old and new password and changes the password respecting the password policy.

http://blogs.technet.com/b/fieldcoding/archive/2013/01/09/resetting-passwords-honoring-password-history-or-what-s-happening-under-the-hood-when-changing-resetting-passwords.aspx was referred to.

Is there any way to send LDAP_SERVER_POLICY_HINTS_OID to IADsUser to enforce password history while resetting the password without sending the old password?
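The LDAP policy hints control is attached to a raw LDAP modify request rather than to an ADSI call, so the example below (added here; it is not code from the thread, from OIM, or from Microsoft) shows that path with System.DirectoryServices.Protocols: an administrative reset of unicodePwd with the control marked critical, so a DC that does not honour the control refuses the reset instead of silently skipping the history check. It assumes an LDAPS listener on port 636 on the DC (unicodePwd is only writable over an encrypted connection), a caller already delegated the reset-password right, and the control OID 1.2.840.113556.1.4.2239 from MS-ADTS; 1.2.840.113556.1.4.2066 is the older equivalent that 2008 R2 DCs accept, and both take the same BER value.

```powershell
# Added example: administrative password reset over LDAP with the
# LDAP_SERVER_POLICY_HINTS control, so the DC enforces password history.
# Assumes LDAPS (636) on the DC and a delegated reset-password right.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# MS-ADTS control OIDs (2239 = Windows Server 2012+, 2066 = older DCs such as 2008 R2)
$POLICY_HINTS_OID = '1.2.840.113556.1.4.2239'
# Control value is BER: SEQUENCE { INTEGER 1 } -> 30 03 02 01 01 (Flags = 1: enforce policy)
$POLICY_HINTS_VALUE = [byte[]](0x30, 0x03, 0x02, 0x01, 0x01)

function Reset-ADPasswordWithPolicyHints {
    param(
        [Parameter(Mandatory)][string]$Server,          # DC FQDN
        [Parameter(Mandatory)][string]$UserDn,          # distinguishedName of the target user
        [Parameter(Mandatory)][securestring]$NewPassword,
        [string]$ControlOid = $POLICY_HINTS_OID
    )

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()   # binds as the calling (delegated) account

    # unicodePwd must be the password wrapped in double quotes, encoded UTF-16LE
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try {
        $plain    = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $pwdBytes = [Text.Encoding]::Unicode.GetBytes('"' + $plain + '"')
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    # A single Replace on unicodePwd is an administrative reset (no old password supplied)
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = 'unicodePwd'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $null = $mod.Add($pwdBytes)

    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $UserDn
    $null = $req.Modifications.Add($mod)

    # isCritical = $true: a DC that does not support the control fails the request
    # (UnavailableCriticalExtension) rather than resetting without the history check
    $control = New-Object System.DirectoryServices.Protocols.DirectoryControl(
        $ControlOid, $POLICY_HINTS_VALUE, $true, $true)
    $null = $req.Controls.Add($control)

    try {
        $resp = $conn.SendRequest($req)
        return $resp.ResultCode        # Success when the new password passes policy
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # A password that violates history/complexity comes back as UnwillingToPerform
        return $_.Exception.Response.ResultCode
    } finally {
        $conn.Dispose()
    }
}

# Usage (hypothetical values):
# Reset-ADPasswordWithPolicyHints -Server dc1.example.com `
#     -UserDn 'CN=jdoe,OU=Users,DC=example,DC=com' -NewPassword (Read-Host -AsSecureString)
```

Without the control, the same Replace on unicodePwd behaves exactly like IADsUser.SetPassword(): complexity and length are checked, history is not. The control is what turns the reset into a policy-checked operation, which is why it has to travel with the modify request rather than be set on the ADSI object afterwards.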

Alternate UPN


Hi, I'm trying to set up alternate UPN suffixes so that our users can log in using user@domain.com instead of domain\user. We have one forest and one domain (DC Windows 2003 SP2).

I went ahead and added the alternate UPNs in Active Directory Domains & Trusts, but they do not show up in the dropdown (Account tab) in ADUC. I think it has something to do with our old Exchange 2003 policies but I'm not sure. We are on Exchange 2010 now (decommissioned Ex 2003), but I still see the old policies via ADSIedit.

More info..... I noticed the behavior is dependent on which OU I create a user in. For example, we have two companies (company1 and company2), each with their own OU. If I create this user in OU "Company1" it restricts what I can choose as a suffix: domain.corp and old-domain.com (I want to be able to see new-domain.com, which I have added as an alternate UPN suffix in AD Domains and Trusts). Company2 behaves in a similar fashion. If I create the user in an OU outside of these company OUs I can see all of the domains I created as alternate UPNs.

So it seems like there are policies somewhere; I just can't figure out where.

Help!

-Manny

Completely boned. Access to C: denied. Always told I need admin permission. Error code 0x80070005 and more.

I've been locked out of C:. Told I do not have admin permission. Told to contact the admin. I AM THE ADMIN!!! I get a prompt after every shutdown/restart to enter an administrator or power password. Windows troubleshooter no longer works. HP Assistant also no longer runs. I cannot reset, refresh or set back to factory settings. I have no recovery discs. Windows 8 came stock with my HP Envy dv6-7258nr. I am a computer moron and am pretty sure this is all my fault. At the admin\power password screen I pressed Enter a bunch of times, all pissed off, and a "System disabled" pop-up with an eight-digit number appeared. I believe this is when it all went to hell. Also I have two trusted PCs: one was the first name I gave my laptop, the other I made because I was told it was a good idea. Not for this jackwagon. How the hell do ya switch between the two? Pretty sure I'll need to send this bad boy in. It's still under warranty. HELP A CPU DUMBA#$!!

Restrict RPC ports - multiple KBs

There are KBs that talk about restricting ports for individual services (for example http://support.microsoft.com/kb/224196 and http://support.microsoft.com/kb/319553), and then there is KB 154596 (restrict the RPC port range in general). If I implement this KB and open the ports, do I still need to follow the KBs for the individual services (224196/319553)?

http://strongline.blogspot.com
