Channel: Directory Services Forum
Viewing all 2536 articles

Unable to transfer roles from DC to ADC in Windows Server 2008


Hi sir/madam, on my PC I have Windows Server 2008 SP1 32-bit OS. I installed it on my hard disk and I also installed another Windows Server 2008 SP1 virtually. The OS which I installed on the hard disk is my "Domain Controller" with PC name 'SUNNY', and the OS which is installed virtually is my "Additional Domain Controller" with PC name 'BUNNY'. When I am transferring roles from the Domain Controller to the Additional Domain Controller I am getting the error message below, so can anyone tell me what the solution for this is?

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserv

C:\Users\Administrator>ntdsutil
ntdsutil: r
fsmo maintenance: c
server connections: Connect to server BUNNY
Binding to BUNNY ...
DsBindWithSpnExW error 0x6ba(The RPC server is unavailable.)
server connections:


Bhaskar

Script request


Hi

I'm after a script which will run a query against 50 users I have listed in a text file (I have the users' accounts in a SamAccount format) - I have a 2008 AD domain.

I need to query each user's group membership, including nested groups, and also need it to pipe out the results into a CSV if possible.

Thanks in advance.


Known issues with server 2008 on a 2003 Domain Controller running in 2000 mixed mode?


Hi

We are having numerous issues within our 2003 domain with our 2008 terminal servers. We have been advised that this is primarily due to the fact that our domain controller is running at functional level Windows 2000 Mixed.

Can anyone confirm that this could cause various issues?

We are unsure and feel this might be a bit of a 'get out of jail' for our external support company. We have asked them to log a call with Microsoft but they are hesitant to do this.

Thanks

Assign two IP addresses on domain controller


I am bringing up two new Domain Controllers (Server 2008R2) which will take over all FSMO roles from older 2003 DCs which will be retired. Our domain controllers are also DHCP, DNS, and WINS servers for our network. The retiring DC is the primary DNS and WINS server for this site. Obviously the new DC will have a new IP address since it needs to be brought up in the presence of the old one. I do not relish the thought of spending hours updating many statically-configured servers and devices to use a new primary DNS and WINS server address, so the thought I had was to add the old DC's IP address to the new DC after the old one has been shut down. So I'd end up with two IP addresses on the new DC (they are in the same subnet, not multi-homing). Is this supported on a DC? Any potential problems/gotchas?

I kept getting Event ID 8003 Browser error and event ID 4319

Thanks in advance for any suggestions.

SBS 2008 can't log in with admin account

Hello,
I have SBS 2008 installed on my server. Yesterday it installed updates, and now I can't log in using my administrator account (it says wrong username and password). The only way I was able to log in with my credentials is through Safe Mode.
The server is used as a Domain Controller, MS Exchange and File and Printer Sharing. None of those processes are working properly. I can access any of the mapped drives at users computer and Office is not connecting to MS Exchange.
I appreciate any help you can give. Thanks.

Active directory client on remote server


Dear

Can I connect a client computer to a remote Active Directory, and what speed is needed?

What if schema update goes wrong and corrupts schema


I'm preparing to update the schema for an Exchange 2010 install.  I have to go through a change control process and the question came up of what happens if schema update fails and corrupts the schema.  Would active directory suddenly stop working?  Would people still be able to authenticate but no new objects could be added or objects modified?

Also how does the schema update process work?  I've read something on the forum somewhere here that basically if the update process fails during the update none of the changes prior to failure are committed to the schema?  Is that correct?

I've done schema updates for years and never had a problem, and I'm aware of having to do a forest recovery if something were to really go wrong.  It's just that those who have to approve the change are afraid of their own shadows. :)

Thanks.

adprep /rodcprep error


I am trying to run adprep /rodcprep.  I am receiving the following error:

Adprep found partition DC=DomainDnsZones,DC=corp,DC=********,DC=com, and is about to update the permissions.
Adprep could not contact a replica for partition DC=DomainDnsZones,DC=corp,DC=*********,DC=com.

Adprep encountered an LDAP error.
Error code: 0x0. Server extended error code: 0x0, Server error message: (null).

Adprep failed the operation on partition DC=DomainDnsZones,DC=corp,DC=********,
DC=com. Skipping to next partition.

I received the same error for ForestDnsZones.

So I researched, and found this KB article:  http://support.microsoft.com/kb/949257

I created the fixfsmo.vbs script as they discuss.  I ran it on my domain controller for ForestDnsZones, and it succeeded.  However, I ran it for DomainDnsZones, and I then received the following error:

DNS name: DomainDnsZones.corp.*********.com
Using DC *currentdomaincontrollername*.corp.***********.com
infra fsmo is CN=NTDS Settings\0ADEL:965c468f-9ad1-4921-a670-f8dbba8bd2a4,CN=*servernameofdomaincontrollerthatnolongerexists*\0ADEL:8ba3a1a1-9dee-4043-a143-9571bac9f36c,CN=Servers,CN=*sitename*,CN=Sites,C
N=Configuration,DC=corp,DC=*domainname*,DC=com
C:\Users\dhumes\fixfsmo.vbs(42, 9) Active Directory: The server is unwilling to process the request.

Can someone assist?

Thanks,


Windows Server 2008 schema upgrades. What impact on external trust relationships does this have?


I am dealing with three domains.  One of which I control, the other two have External type non-transitive trust relationships with ours.  Our domain is at Server 2003 functional level and I am not sure about the other two domains, although it is very likely that they are at that level or earlier; so probably not at Server 2008 or above.  We need to do a schema upgrade so we can migrate our DCs to 2008 and beyond.  (Also we're interested in the Linux integration options that become available with the 2008 schema.)  Our dcdiag and netdiag reports are clean.

Although it's clear from the whitepapers that describe 2008 that the trust relationship model is different in 2008, no one anywhere is talking about what kind of prep work or coordination needs to happen when we upgrade our schema.  Will it break our trusts?  Will we need to tweak something?  Do we need to make sure some configuration, like functional levels or FSMO roles are arranged properly?  

Any advice or info you can point me to would be greatly appreciated.

Auditing logon from which machine?

I know that I can audit logons/file access, but is there a way to tell me where users are logging on from (i.e. machine name when using RDP) and which machine they have accessed a file from?

Configure adapter with ADs installed at different machines

Hello everyone,

I have TIM 5.1 installed on one machine and two Windows Server 2003 Active Directories installed on two different machines, and I have a fourth machine on which I have installed the adapter WinAD-5.1.9.

Now I want to configure this adapter with these two Active Directories. How can I do this?
If anyone has information, please share it with me.

Thank you in advance.
Regards,
Shoaib Hashmi

Is there a specific meaning for "account alias" in the context of Active Directory?


Account alias was used to describe accounts identified in Active Directory, which is not limited to users; groups and computers have “account aliases” as well.

Is this a recognized term in Active Directory, or is this a general term with many other and different meanings? (It is used in relation to general ledger accounts, for instance.) 

Is there a better standard term for Active Directory accounts?

Active Directory Web Services Service will not start


The Active Directory Web Services service will not start on a 2008 R2 server with Exchange 2010.

System Specs: 
Dell PowerEdge T310
Dual Xeon 2.67GHz X3450
24Gb DDR3 RAM
Perc h700/1Gb BBWC 8 disks/ 3 volumes
Server 2008R2 SP1 Rollup 3
Exchange 2010 SP1 Rollup 7

Server has been in production since Jan. 2012 with no issues.

When attempting to start the service manually, I am presented with the error "Windows could not start the Active Directory Web Services service on Local Computer.  Error:1053: The service did not respond to the start or control request in a timely fashion."

Upon inspection of the error log, I see the following errors after a start attempt:

System:
EventID 7009
A timeout was reached (90000 milliseconds) while waiting for the Active Directory Web Services service to connect.

EventID 7000
The Active Directory Web Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

There are no log entries in the Application log, and there hasn’t been an entry in \Active Directory Web Services log since the end of last month. The last entry is:

EventID 1004
Active Directory Web Services has successfully started and is now accepting requests.

As far as I can tell by looking at the logs and checking AD and Replication, DNS, DFS, and everything else, all systems seem to be working except for ADWS.

I have done the following (in addition to hours of searching and research):

I added “<add key="DebugLevel" Value="Info" />” and “<add key="DebugLogFile" value="C:\ADWSLog\Adws_trace_log.txt" />” to the Microsoft.ActiveDirectory.WebServices.exe.config to enable logging, but the service doesn’t seem to be logging anything.

I have copied the “Microsoft.ActiveDirectory.WebServices.exe” file from another working server.

I have exported/imported registry keys from a working server.

I attempted to re-register the ADWS DLLs.

I have uninstalled/reinstalled hotfixes installed immediately prior to the point when the service stopped.

After that I installed all current updates to the system.

I am at a loss here, I have no idea what else to try.  I’m looking for any help or suggestions.

Thanks.

Active Directory Certificate Services could not find required Active Directory information.


Hello, I just installed an AD CS server (2008 R2) into my 2008 domain. I'm trying to issue a web server certificate that allows exporting (I copied the default template and enabled exporting).  When I log into the certsrv web interface (as a domain admin) and request that certificate I get:

our certificate request was denied.

Your Request Id is 4. The disposition message is "Denied by Policy Module 0x80070576, Active Directory Certificate Services could not find required Active Directory information. ".

Contact your administrator for further information.

Any ideas? Hope it's something simple!

Let me know if you need more information.

--Will

Technical description of how a member server determines its site


Hi there,

We are experiencing some interesting behaviour when deploying a member server into a firewalled zone. Below is the scenario:

We have 2 AD sites configured, internal and B2B. The internal AD site contains all of our RWDCs (mix of 2003 R2 and 2008) while the B2B AD site is firewalled and contains two RODCs only. The RODCs (Win 2008) in the B2B network zone are able to replicate and communicate to the internal RWDCs successfully but member servers in the B2B zone cannot connect to the RWDCs in the internal zone due to the firewall.

When we build a new server (2008 R2), we install the SOE when it is on the internal zone and with an IP that is within the internal AD site's ranges. After joining the domain, we are able to log in with domain credentials as you would expect. After the server is built, we move it into the B2B zone and then modify its IP address.

After this we are unable to log in with domain credentials. When executing "nltest /sc_query:domain" it reports that no logon servers are available. "nltest /dsgetsite" reports that it is still in the internal site, even though its current IP is within a range that falls under the B2B AD site. DNS is working fine (directed to the RODCs in the B2B site) and the server is able to ping and telnet on 389, 636, etc. to the B2B RODCs.

After inserting a SiteName registry value under \\HKLM\System\CurrentControlSet\Services\Netlogon\Parameters forcing the member server to acknowledge it is in the B2B zone, we were able to successfully log in with domain credentials.

What I'm specifically trying to understand is the process that the server takes in order to determine that it has changed IPs and therefore AD sites and what it is that could be preventing the server from dynamically discovering its new site and seeking out the RODCs for authentication?

Thanks in advance for any input!


NameErr while connecting ADAM service using ADSI Edit


Hi,

I have ADAM installed on a server to extend the BladeLogic schema for software deployment. I also have local admin access on the server. While connecting to the ADAM partition using ADSI Edit, I get the following error.

Operation failed.Error Code: 0x208d
Directory object not found

0000208D: NameErr:DSID-0310020A, problem 2001
(NO_OBJECT), data 0, best match of:
 'DC=bbca,DC=test'

Can someone help me understand why I get this error while accessing the ADAM partition?

---Subramani



Changing back to strong password complexity, password age and password length - Advice?


Hi All,

In the near future I am looking at enforcing strong password complexity, one month password age and a minimum password length in my domain.

Currently there are no password requirements for the domain.

What will the users see after I make the changes?

Say my current password is: password, and I try to log into a machine on the domain after I have updated these policies. Will I be asked to change my password? Or will it just wait until I need to change my password and tell me I need to use complexity?

Also, will everyone need to change their password on the same day, in 1 month's time?

Also, am I right that you can only have one GPO in the domain with these settings, e.g. the Default Domain Policy?

Thanks

Changes to AD users not 'sticking'


Recently I've discovered a bizarre issue on my domain.  I've created a script to populate the EmployeeNumber field on our users.  While it is hardly best practice, I developed the script by targeting my own account.  Once it was behaving as I wanted I attempted to run it against other accounts.  To my confusion, the script runs without throwing any errors but makes no change to the user accounts.

I have tried several different scripts now and the behavior is always the same.  One example of the script is provided below:

$objUser = [adsi]"LDAP://$dn"
$objUser.put("employeeNumber","$($SQL_SN)")
$objUser.SetInfo()

I've checked the permissions on the AD objects and everything looks fine there (i.e. no deny perms that would apply to my account).  I am in the Domain Administrators security group so nothing should be blocking there.

What is even more puzzling, I can modify this field on other domain admins without problem using the same script, just not non-administrative users.

I would greatly appreciate any suggestions for solutions that I might be able to try.


Samuel

Cannot demote domain controller - error listed.


DCdiag was returning a ton of errors so I decided to remove this recently added domain controller, but when I go to do it I get the following error:

The operations master roles held by this directory server could not transfer to the following remote directory server.

Remote directory server:
\\VOLPIMASTER.volpifoods.com

This is preventing removal of this directory server.

User Action
Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again.

Additional Data
Error value:
5005 The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
Extended error value:
0
Internal ID:
52498735

       

Lower Domain and Forest Functional Level - 2012 to 2008R2


Hello,

I recently installed a new domain and have the current functional level set to 2012. I have been troubleshooting getting Exchange 2010 to work on a Server 2012 machine for a while now, and want to lower the domain functional level so that I can add a 2008R2 server and run Exchange from there.

I found these commands to lower the functional levels and the errors generated are below them:

- Set-ADDomainMode -Identity domain.local -DomainMode Windows2008R2Domain

              Set-ADDomainMode : The functional level of the domain (or forest) cannot be lowered to the requested value
              At line:1 char:1
              + Set-ADDomainMode -Identity domain -DomainMode Windows2008R2Domain
              + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                 + CategoryInfo          : NotSpecified: (domain:ADDomain) [Set-ADDomainMode], ADException
                 + FullyQualifiedErrorId : ActiveDirectoryServer:8642,Microsoft.ActiveDirectory.Management.Commands.SetADDomainMode

- Set-ADForestMode -Identity domain.local -ForestMode Windows2008R2Forest

              Set-ADForestMode : A referral was returned from the server
              At line:1 char:1
              + Set-ADForestMode -Identity HCBC  -ForestMode Windows2008R2Forest
              + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  + CategoryInfo          : ResourceUnavailable: (HCBC:ADForest) [Set-ADForestMode], ADReferralException
                  + FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.SetADForestMode

Can anyone help me with downgrading the domain? Or possibly how I can get around this by recreating things? Thank you in advance.
