Channel: Directory Services Forum

morphed folders rename not syncing to one DC


Problem: We have morphed folders in the SYSVOL share. We have "Policies" and "Scripts" folders as well as "Policies_NTFRS_guid" and "Scripts_NTFRS_guid" folders. In our test network, I tested the resolution where you rename the folders to a "folder_good" and "folder_bad"....replicate....rename "folder_good" back to original name and delete the "folder_bad"....all went as planned, so I decided to try it on our production and ran into a snag. I would like some input/information from more experienced admins.

So I started with just the "Scripts" folders to gauge how well things went. I renamed the "Scripts_NTFRS_guid" folder to "Scripts_dump" and it replicated out to all 5 DCs. I then renamed the "Scripts" folder to "Scripts_keep" and it replicated to all but 1 domain controller. The one domain controller not replicating the name change is running 2008 Standard SP2.

There are no errors in event viewer on any DC, including the one not replicating the change.

DCDIAG looks good.

I tried a force replication from the PDC to this server, no errors, no events...no change.

This DC is fixing to be replaced, so can I just rename the "Scripts_keep" back to "Scripts" and let it replicate out and deal with this after this server is gone?

If I need to forge ahead, is the following my next move? The steps are not real clear and I don't want to cause more damage than I have now.

Procedures for Renaming Morphed Directories

• From the computer that originated the good series in conflict, rename both the good and morphed variants to a unique name.

• Verify end-to-end replication of the rename operation across all members of the set. For those that do not get the rename within the necessary point in time, stop FRS and set the D2 registry setting for a nonauthoritative restore. Do not restart the computer at this time.

• Move any files from the now renamed morphed folders to the renamed good folders.

• Verify end-to-end replication of the files in the renamed original folder.

• Delete the original morphed files.

• Restart FRS to start the authoritative restore. After the rename has propagated, it can be deleted. Before deleting any of the folders, ensure that you have a backup of the original (and complete) folder.

Thanks sooo much for any input/advice to get me back to operational...


Kerberos: Server 2008R2 requests same TGT every 60 seconds


Hi all,

On a Server 2008 R2 SP1 with IIS installed, in a Netmon trace I see that a new TGT for the IIS web pool account is requested about every 60 seconds. Sometimes also in the range of 100 ms. The web application is working fine.

Usually the flow is as follows:

1. Server --> DC: AS-REQ
2. DC --> Server: KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
3. Server --> DC: AS-REQ
4. DC --> Server: AS-REP
5. Server --> DC: TGS-REQ
6. DC --> Server: TGS-REP

The first AS-REQ fails due to the missing time stamp in the request. In the AS-REP I can see in padata that PA-ENC-TIMESTAMP, PA-DAS and PA-PK-AS-REP are missing. In the second AS-REQ, PA-ENC-TIMESTAMP is inserted in padata.

Client name in the AS-REQ is the name of the account the web service is running as. Kerberos request server (service) name is krbtgt/domain-name.

I wonder why a TGT is requested at least every minute, as the Kerberos ticket TTL is 10 hours by default in the domain and can't even be set below one hour.

Probably as a side effect, we notice "RPC Server unavailable" in the event log, with clients failing to connect to IIS twice a week.

Around the time of the "RPC failure" I see a TGS-REP "KRB5KDC_ERR_BADOPTION" for a TGS-REQ with Kerberos server (service) name "server-name$@domain-name" and KDC option "constrained-delegation".

Questions are:

Can the "KRB5KDC_ERR_BADOPTION" invalidate the server's TGT and shut down the RPC service for ever (until reboot)?

Where to start troubleshooting this? (I know the IIS server should be configured for delegation.) But for days the server and web service run without problems, and I wonder whether just a "KRB5KDC_ERR_BADOPTION" can shut down the RPC service and the server at all?

(Also, is it possible to start kerbtray in the context of IIS and the server?)

Thank You

Jochen

Start over with domain?


I'm coming into this after several people have worked on the domain over the years.

We have 1 PDC called Val. Until recently, there was an Exchange 2007 server at the same site. It died, there were no backups, so we're starting over. We have one other domain machine at a different site; it is not a domain controller.

In the past, I've seen messages on the 2007 server saying that it couldn't deliver messages to a machine called ex2000 (an older mail server that died a long time ago).

I've followed the KB articles and anything else I can find to remove the metadata for the missing domain controllers, but the ex2000 messages persisted, and now, trying to add the new Exchange server to the domain, it's giving me "access is denied" and cites a machine called ex2007 (the recently dead Exchange server).

Seeing all the issues with missing domain controllers, and the trouble I'm having adding this new server to the domain, I would like to start fresh and set up the domain correctly. My question is, if I run dcpromo on Val (the only domain controller left), would that wipe out all of the AD information and allow me to start over?

We are a small company: 8 users, new Exchange server, one offsite server (on the domain but not a DC), and the PDC. All other machines do not log into the domain. I am aware that I will have to recreate users. Is there anything else I should be aware of? Or any other suggestions?

Thank you for any information you can provide.

Hide user information in the Active Directory


Hello all,

I would like to hide user information in the Active Directory, such as phones and mobile, which appears in search, OWA search or Outlook. Thanks all.



System State Backup Windows 2008 R2


Which access would be required for SSB in Windows 2008?

If I give Backup Operators group membership, then will it be sufficient for taking a backup?

Rgds Vinay

UPN Suffix


What happens if I delete the existing UPN suffix and recreate the same?

Rgds Vinay

Listing all user accounts (enabled or disabled) by using Saved Queries...


Hi all;

How can I list all user accounts (enabled or disabled) by using saved queries?

Thanks



Windows Server 2008r2 Domain Services Problem


Sir, could you please help me. Why, every time I join my client computer to our domain user account in Windows Server 2008 R2, their internet connection access it will be getting????

Thanks in advance


Server 2008r not connected in VirtualBox

Hi,
I am a newbie in this technical stuff. I have installed VirtualBox on my computer and then installed pfSense. I ran my pfSense and it is showing DHCP and an IP address, which I presumed means it is working. The IP address is 10.0.10.1.
I have also installed Windows Server 2008R and given it the static IP address 10.0.10.5, and the gateway address is 10.0.10.1 (same as the IP of pfSense), but it is not connected. I am getting a ! sign on my network icon at the right bottom of the screen.
Please help me. Thanks in advance.
Jay

Windows 2003 AD restore question

I am running 3 domain controllers. One is virtual in VMware while the other two are physical. I plan to make some changes to the virtual one but want to know my options just in case something goes wrong. If something happens, can I just do a nonauthoritative restore? Or should I do a reinstall using information from the other two domain controllers? What about using a recent snapshot? Assuming the failed DC hasn't replicated yet, would it be safe to revert to a snapshot?

DCDiag on a Windows Server 2012 VM


I am running DCDiag on a server that is having random connectivity problems to the PDC. I located DCDiag in the folder

"CD C:\Windows\WinSxS\amd64_microsoft-windows-d..-commandline-dsdiag_31bf3856ad364e35_6.2.9200.16384_none_a4f8abed87cd5518"

When I run the program I get

dcdiag /s:<myDC> /u:<adminuid> /p:<adminpwd>

Resource ID 0x423 not found.
Unable to print Resource ID 0x423 .
Unable to print Resource ID 0x423 .
Message 0xc0001770 not found.

Note: items in <> were substituted with real data for my environment.

How do I determine what this information means? A search on the MS site only reveals a diskette index issue.

Lee

Installing an AD LDS instance


Hi

I have a small issue connecting a server running AD LDS to the main domain.

The steps that I have completed are:

installed an AD LDS instance called JO.local

ran the schema analyser and created the differences ldf file

Now when I try to import it using this command

ldifde -i -s localhost -c "cn=Configuration,DC=X" "CN={3980CF7F-FFCE-4AF5-8C43-F9BBD65F2F6F}" -t 389 -f c:\Windows\ADAM\defferences.ldf

I get this error

Connecting to "localhost"
Logging in as current user using SSPI
Importing directory from file "c:\Windows\ADAM\Differences.ldf"
Loading entries.
Add error on entry starting on line 15: Referral
The server side error is: 0x202b A referral was returned from the server.
The extended server error is:
0000202B: RefErr: DSID-03100768, data 0, 1 access points
        ref 1: 'x'

Any help much appreciated

thanks

AD and Global Catalog


Could someone please help me to understand why the Global Catalog is necessary when we have AD replication?

Thanks.

Multiple individual domains, single Exchange server for multiple domains


Hi guys

My company has a domain controller and Exchange 2007; more than a hundred users are there (test.com).

Now my company has acquired another two companies. Those companies have their own domain controllers, and both domains have fifty users (abc.com and xyz.com).

My manager is saying to provide email addresses to all users of the other two domains (abc.com and xyz.com); he is telling me that we are not going to spend a single penny and to use our current infrastructure.

Now my plan is to use my current Exchange server. How can I provide email addresses for these two companies from my Exchange server (this server is registered in the test.com domain)?

Both companies' users' email should be like this: user@xyz.com and user@abc.com

Can anybody help with this issue?

Regards

NIYAS.

Niyas2000@hotamil.com

Attempt was made to change a password

On one of my Domain Controllers, at about 9.30pm every night, I am seeing numerous 4724 events in the Security log. From the event details I cannot tell what is trying to change these passwords.

An attempt was made to change an account's password.

Subject:
Security ID: SYSTEM
Account Name: ServerName$
Account Domain: EXAMPLE
Logon ID: 0x275ad6d4

Target Account:
Security ID: EXAMPLE\wanderson
Account Name: wanderson
Account Domain: EXAMPLE

Additional Information:
Privileges -


Issue with Microsoft MSMQ service after system reboot


We have a client with a problem on one of their servers following a reboot of the systems. This is what we have:

- (2) AD servers running Windows 2003 R2 Standard
- (1) Windows Server 2003 R2 file server with MSMQ installed (a few message queues going to other systems)
- (1) Windows Server 2008 R2 file server with MSMQ installed (same as above, just a few message queues to other systems; nothing high volume)

The servers are set to reboot weekly.

- 1 AD server reboots at 2a and is back online by 2:05a.
- We reboot all of the other systems at 2:30a. We make sure there is always an AD server online at all times.

Upon reboot, on only the Windows Server 2008 R2 system, we see the following event messages in the event logs:

7:28:34 am 12-Feb-13 LsaSrv None 40961
SYSTEM
The Security System could not establish a secured connection with the server ldap/hill-ad2.HillInternal.local/HillInternal.local@HILLINTERNAL.LOCAL. No authentication protocol was available.

7:52:49 am 11-Feb-13 Microsoft-Windows-MSMQ None 2016
N/A
The Message Queuing service is not online with Active Directory Domain Services, since the service properties cannot be retrieved or set. The service will attempt to retrieve and set its properties in a few minutes. Error 0x8007203b: A local error has occurred.

These messages do not happen on the other Windows Server 2003 R2 system with MSMQ. I checked the other systems onsite, and no other system or service is reporting problems connecting to AD.

Before I open a case with support, I thought I'd post it here and see if anyone has any ideas about this.

Regards,
Jon

Home drive not mapping, others are, on some Windows XP


Got a weird one, as most of the issues I have to resort to the forums for are.

Server 2008r2 Domain. (Server 2003 functional level since we have branches with 2k3 servers)

Windows 7 clients work flawlessly.

Windows XP, for the most part, are working flawlessly as well. I have a couple, however, that fail to map the user's home drive. Other drives, defined in Group Policy, are working. Just the home drive is failing on these two machines. User logs in elsewhere, they have a home drive, so it's not the user account. Other users log in to either of the two affected machines, they don't have a home drive. It's definitely related to the computer. Just not sure what the problem is.

All my XP are SP3 and most are up to date as of the latest patch Tuesday, at least as far as critical updates are concerned.

I can map the drive manually, so that part of it is working. User has no trouble accessing what's on the drive, so it's not a permissions issue either.

I'm hoping someone can offer a solution.

Please, no cookie cutter responses. I don't have time for those.

Thanks

GPO breaks metro apps

Ok, so my metro apps don't work on a domain PC that has the Default Domain Policy applied. If I block the Default Domain Policy as soon as I join the PC to the domain, the apps will continue to work. If I take a new Win8 PC and let the Default Domain Policy be applied, then it breaks the apps. So I want to roll out Win8 to some users, but not if Group Policy breaks the apps. How can I further narrow down what policy is breaking this? Thanks.

Domain login problem


I have a small forest with a root domain and a child domain, with two DCs in each domain.

The first DC (PDSvr1) has the roles PDC, RID, Infrastructure, DNS, WINS, DHCP.

The second DC (PDSvr2) has the roles Catalog, DNS, WINS.

When the network status is OK there is no problem to log in to the domain for users as well as directly on the server console.

However, when there is a network problem between the two DCs, users cannot log in even though they have a network connection to either DC.

The most weird thing is that it is not possible to log in at the PDSvr1 console either. I would expect that PDSvr1 locally has all the information it needs to verify/authenticate the admin user login.

When the network connection between the two DCs is OK again, the logins also work OK again.

The same problem applies for the servers and users in the child domain.

Can anyone explain this phenomenon?

Need help troubleshooting account lockout

I'm using ALTools to troubleshoot account lockouts, but when viewing the event viewer on the domain controller, for some users the caller machine name is \\mydomain.com. Any idea where that is coming from? For one user it is happening every 4 minutes. She uses a lot of different workstations and devices so it's difficult to isolate it to one, except I had her turn off the one she normally uses and the account still locked, so it's not that one.