Channel: Directory Services Forum

"Connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise"


Hi

Running Windows 2003 DCs and I am seeing the following errors in the event log:

"During the past 4.25 hours there have been 185 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise"

I checked the corresponding logs, which showed clients connecting with "NO_CLIENT_SITE", which implies they're in a subnet which has not been defined in AD Sites and Services.

Is this something to worry about? Am I correct in thinking that they would connect to the nearest site anyway?
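
One way to turn the NO_CLIENT_SITE entries into an actionable list of missing subnets, as an added example that is not part of the original post: it parses a constructed netlogon.log excerpt (the line layout follows netlogon's "DOMAIN: NO_CLIENT_SITE: <client> <ip>" form; hostnames, addresses and the DEFINED_SUBNETS list are invented) and groups the unmapped client IPs into /24 candidates that no defined AD subnet covers.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed netlogon.log excerpt (not from the original post); the client
# names and addresses are invented.
SAMPLE_NETLOGON_LOG = """\
05/14 08:02:11 CONTOSO: NO_CLIENT_SITE: WS-0412 10.50.7.21
05/14 08:02:15 CONTOSO: NO_CLIENT_SITE: WS-0413 10.50.7.22
05/14 08:03:40 CONTOSO: NO_CLIENT_SITE: LT-0077 10.60.1.9
05/14 08:04:02 CONTOSO: NO_CLIENT_SITE: WS-0412 10.50.7.21
05/14 08:05:17 CONTOSO: SITE: WS-0099 10.10.1.5 -> HQ
"""

# Assumed set of subnets already defined in AD Sites and Services.
DEFINED_SUBNETS = ["10.10.0.0/16", "10.20.0.0/16"]

NO_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)")


def parse_no_client_site(log_text):
    """Return (client_name, ip) pairs for every NO_CLIENT_SITE line."""
    hits = []
    for line in log_text.splitlines():
        m = NO_SITE_RE.search(line)
        if m:
            hits.append((m.group(1), ip_address(m.group(2))))
    return hits


def unmapped_subnets(hits, defined, prefix=24):
    """Group unmapped client IPs into /prefix candidates that no defined
    subnet covers, counting distinct clients per candidate."""
    defined_nets = [ip_network(n) for n in defined]
    seen = {}
    for client, ip in hits:
        if any(ip in net for net in defined_nets):
            continue  # already covered; entry predates the subnet definition
        cand = ip_network(f"{ip}/{prefix}", strict=False)
        seen.setdefault(cand, set()).add(client)
    return {str(net): len(clients) for net, clients in seen.items()}


if __name__ == "__main__":
    for net, count in unmapped_subnets(parse_no_client_site(SAMPLE_NETLOGON_LOG),
                                       DEFINED_SUBNETS).items():
        print(f"{net}: {count} distinct client(s) with no site")
```

Each candidate that belongs to a real site can then be added as a subnet object; clients that keep logging NO_CLIENT_SITE after that are worth a second look.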


windows server 2003 forest problems , orphan domain problem

I work in an AD environment where we have a Windows 2003 R2 parent domain and 11 child domains. All child domains are Windows Server 2003; one of the child domains contains 3 DCs, one Windows 2008 R2 and 2 Windows Server 2003 R2 DCs. One of the 11, "the affected one", had its DCs formatted without using DCPROMO. This issue happened 3 years ago; every time we need to add a new DC it fails to start GC unless we update registry keys, but this is not the case for now. If we open Domains and Trusts we can see the deleted domain "airport.amman.com" still has an object: the trusts of the domain have the name deleted from the trusts, but the object is still present in the Domains and Trusts snap-in. Every time we run "dcdiag" on any DC we still see a note about the orphaned domain.

too much traffic from clients to DC port 389


Hi,

Today we are observing many sessions from clients to a DC/DNS (all 5 roles on it) on port 389.

They have about a 2MB session on this port (like they are getting something from it),

but as the port is 389 I do not have an idea what these connections are.

Antivirus is updated on all of them and ...! No new policy, not any change..

What can this traffic be?!?!


Setup Deny access for everyone on a user object without affecting email functionality


Hello there-

We are running 2003 domain functional level.
I got a request to secure an OU and the user objects within, to be used for terminated users... The idea is to:
1. prevent anyone (except for one custom security group) from being able to enable users after they have been disabled (even Account Operators and DAs shouldn't be able to enable the disabled users by default)
2. we also don't want the operation above to affect the ability to send email messages to this disabled user
3. and we still want users to be able to look up the user account in ADUC and read all attributes (except the enabled/disabled status, if possible)

Here is my experience:
Taking ownership of the user object and setting up "deny all" permission for the "everyone" group seems to take care of the first point, because then only the "owner" is able to see/modify the security permissions for that user's object, which is good, BUT the issue with that is Exchange will disconnect the mailbox, most probably because it is unable to read the user attributes! And no one can view the user object attributes in ADUC (in fact even the user icon will change in AD!)

I tried different scenarios like:
- Take ownership of the user object, set up "deny all" except the "Read" permission. I noticed that just by leaving the Read permission unchecked, any user/group who has full access rights on the user object can modify the security settings and/or take ownership (that's when I realized it doesn't take the most restrictive permissions!)

I am looking for the shortest, most reliable method with easy roll back to achieve this... can you please help?


Ali Beeai

delegate read/write computer location attribute


Hello, 

I'm trying to delegate the ability for our support staff to edit the location field of computer objects in our default Computers\Workstations OU. When I try to do this, I can't find the attribute Location. The picture below illustrates the computer object location field as seen through ADUC, the location attribute name under attribute editor, and where I am unable to find it under advanced security on our Workstations OU. 

Thanks for the help! 

modify ADLDS instance schema after data imported


I need to change the ADLDS structural objectClass hierarchy after data insertion. Both are structural, customized objectClasses.

Can we do this in ADLDS?

Thanks in advance.

Windows 2012 Servers not applying 2003 GPO's


Our domain is currently Windows 2003 domain/functional level. It's composed of Windows 2003 DCs and Windows 2003/2008 member servers. We have one domain/one forest.

We've added some Windows 2012 Servers for testing purposes - these will probably go live at some point in the future too.

These 2012 servers are member servers only, not Domain Controllers, and are in a separate OU for the moment. However, what we're noticing is that they're not applying the GPOs we've set for that OU (Computer GPOs).

Has anyone seen this before? The GPOs for all the other OUs are being, and have been, applied fine.

ADFS Without AD?


Hi,

We have an application which we want 3rd parties to authenticate to using their own Active Directory domains.

Can we install ADFS without Active Directory and allow 3rd party SSO access to our application?


Denis Cooper MCITP EA - MCT


How to configure AD so that users who travel to different sites have the same Desktop and My Documents folders


I am setting up my Windows 2008 Active Directory environment so that users can travel between 2 sites and still access their Desktop and My Documents folders.

Currently, we have 2 sites (Site A and Site B). Site A has been in existence for about a year and a half.

Now, we are adding Site B, which has Server B. Site A and Site B are connected via VPN. I don't know the exact speed of the VPN but one location has 4Mbit symmetric broadband and the other has 100Mbit Fibre broadband.

We opted to have a server in each location in the event that the VPN connection or Internet connection went down.

Site A and Site B both have their own OUs.

I already have a GPO for folder redirection at the OU level, which has been working well at Site A.

I would like User 1 from Site A to be able to go to Site B, log in to one of the desktops, and see their Desktop and My Documents folders the same way they see them when they log in to their desktop at Site A.

What do I have to do to make this work? I have read up on DFS, but there seems to be no clear "how to" on the supported way to get it working.

AD field Dial-in


We have an NPS server to control wireless access.

In each user's Dial-in property in Active Directory, what should we choose:

- Allow access

- Control access through Remote Access Policy.

Thank you.

Problem with AD(DC) and internet


Greetings to everyone

This is the situation: in our company we have several Windows servers with their roles.
We also have an Active Directory server and of course a border server (DMZ, or the server which
distributes internet to the internal network with filtering). The border server stands in the middle
between our internal network and the internet and shares internet through Kerio Control, and the AD server
is inside. We have very few workstations that are registered in the domain controller, and here are
the main problems:

The AD server is connected to the local network. The AD server has internet access
(for antivirus updates). The AD server also inherits time from some unknown server.

1. When I configure w32time to inherit from some other server, it keeps the configuration but has no
effect at all; the time gains 4 hours each week. What to do?

2. When I change the DNS and GW configuration on the AD server, the whole network stops having internet
access, while the internet is being distributed by another physical server with Kerio Control software.
What is happening there?

I need to synchronize AD with an Armenian local time server so that every week I will not have to roll back the time by
4 hours. The second question: why is AD connected with internet sharing? When the IPs on AD are changed, internet goes out.

Service fails to start, error 1297 and 7000


I have a lab configured with a single domain controller and one client server.  Both servers are Windows Server 2008 R2 Standard and the functional level of the domain is Windows Server 2008 R2.  After I promoted the domain controller, I did not make any changes to the default domain policy GPO.  My problem is this:  I created a Managed Service Account and a regular user account and tried to use both of these accounts as logon accounts for the "Disk Defragmenter" service on my client server and domain controller.  Each time it failed with the following error:

In the system event log:

I also tried moving the client server into a custom OU and blocked inheritance of all parent GPOs, but this did not work either...same error.

I'm assuming the problem lies with the Default Domain group policy and Default Domain Controllers group policy, I'm just not sure which setting.  I'm at a complete loss, so any help is greatly appreciated.

jason


2008 R2 Domain Controller DNS Event 404 and 408


Ok, so I've read several of the other posts and it sounds like for the majority of users the answers apply.

Multi-homed DCs with DNS not supported, pick an interface and IP - not applicable

TDI hotfix for r2 http://support.microsoft.com/kb/2028827 - not applicable

Potential SCOM Agent, uninstall Agent - problem persists

Set zone to non DI - Not tried, relevance?

Change order of DNS servers in DNS tab on interface - problem persists

So for starters, I have 7 DCs in three sites. Two of my DCs are also DNS servers; each of these DNS servers has multiple adapters, and all adapters but one are disabled. Each server has a single statically assigned IP address. I have gone through the BPA for DNS and am down to just a single issue: I need to enable scavenging, which is how this all started.

I was getting ready to turn on scavenging and popped into the DNS logs to see what was what, and was presented with thousands of little red dots :( lots of 404s and 408s. As I started looking into this I saw a very promising article that it may be a bug in TDI, and found a relevant hotfix for 2008 R2; sadly this hotfix doesn't apply to my servers, most likely because they are SP1. The file version info didn't match up, so the fix wouldn't apply.

I then started to make sure that the two servers were set up the same. Each server lists itself as the primary DNS server, its partner as secondary, our campus DNS (slave) as third and 127.0.0.1 as fourth. Now I included the loopback because the BPA said it should be in there, just not as first; when I re-ran the BPA it said hey, put the loopback in there, just not as first... see the loop?

Then I started looking at the zones, and made sure that the config for each zone was the same. We host 4 zones for child and external domains. All zones were setup the same, and all are AD Integrated. One recommendation was to disable AD Integration and see what happens, which seems silly to me, they obviously are working new computers can be added without any issue.

I set the SocketPoolSize and CacheLockingPercent to be identical for each server.

dnscmd /Config /SocketPoolSize 10000

dnscmd /Config /CacheLockingPercent 100

I have set each server to listen on its IP on its adapter, and I have bounced DNS several times.

Some things to note: I occasionally get a report that RPC is not available. We have an hourly cron that checks replication status and errors, and on occasion I will get an email that lists one of the DNS servers as not being available.

I have run dcdiag and not seen any errors that seem to relate back to this; mostly I get messages about missing trusts from client computers, and some differences in zones because this domain was recently upgraded to 2008 R2 (I think they changed how the _msdcs zones show up).

I am also seeing some odd messages from Schannel, but I don't know if it's related: "The following fatal alert was received: 48." I've not seen anything about that as it pertains to a DC, mostly just "your IIS server has an invalid cert". I've checked certs on the DCs and they look ok to me... but I'm not entirely sure what I should be looking for.

I will be happy to upload any info anybody requests. I think what a lot of folks tend to ask for first is ipconfig so here it is from both servers. I'm going to change hostnames, domain names, and ip addresses.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC-04
   Primary Dns Suffix  . . . . . . . : ku.edu
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ku.edu

Ethernet adapter Public Network [192.168.3.66]:

   Connection-specific DNS Suffix  . : ku.edu
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #8
   Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-FF
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.3.66(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 192.168.3.94
   DNS Servers . . . . . . . . . . . : 192.168.3.66
                                       192.168.4.200
                                       192.168.2.1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC-06
   Primary Dns Suffix  . . . . . . . : ku.edu
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ku.edu

Ethernet adapter Public Network [192.168.4.200]:

   Connection-specific DNS Suffix  . : ku.edu
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #12
   Physical Address. . . . . . . . . : BB-CC-DD-EE-FF-AA
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.4.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.128
   Default Gateway . . . . . . . . . : 192.168.4.254
   DNS Servers . . . . . . . . . . . : 192.168.4.200
                                       192.168.3.66
                                       192.168.2.1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled



Jeffrey S. Patton Jeffrey S. Patton Systems Specialist, Enterprise Systems University of Kansas 1001 Sunnyside Ave. Lawrence, KS. 66045 (785) 864-0242 | http://patton-tech.com

FYI Active Directory Certificate Services (svr2008R2) is broken for IE10


Hey People,

Just discovered this today: the browser version checking in certsbrt.inc makes the assumption that IE has a single-digit version number.  This means that it thinks that IE10 is actually IE1, which means it decides to relegate it to unsupported.

There seem to be two ways to fix this:

1. In IE10, open the developer bar and set the browser to IE10 Compatibility View (instead of IE10 mode).

2. Alternatively, modify the version check in certsbrt.inc to something like:

' Returns True when the User-Agent belongs to an IE release older than
' NEW_MSIE_VERSION (a constant defined elsewhere in certsbrt.inc).
Function IsOldMSIE(sHttpUserAgent)
   Dim nMSIE
   Dim sMSIEVersion

   ' Position of the "MSIE" token; 0 means the browser is not IE at all
   nMSIE = InStr(sHttpUserAgent, "MSIE")

   If nMSIE=0 Then
      IsOldMSIE = False

   ElseIf nMSIE+5 < Len(sHttpUserAgent) Then
      ' The version starts 5 characters after the token ("MSIE " is 5 long).
      ' The stock code reads a single digit, so "MSIE 10" became 1; if the
      ' first digit is 1, read two characters to cover versions 10 to 19.
      If CInt(Mid(sHttpUserAgent, nMSIE+5, 1)) = 1 Then
        sMSIEVersion = Mid(sHttpUserAgent, nMSIE+5, 2)
      Else
        sMSIEVersion = Mid(sHttpUserAgent, nMSIE+5, 1)
      End If
      IsOldMSIE = CInt(sMSIEVersion) < NEW_MSIE_VERSION

   Else
      IsOldMSIE = False
   End If

End Function

It probably needs to be smarter than that, but it should cover you for up to IE19 :)

I haven't checked, but I'd like to think this has already been fixed in the svr2012 AD Certificate Services edition.

Later'ish
Craig
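
The same parsing defect and its fix, reproduced side by side as an added example that is not code from the original post or from certsbrt.inc: msie_major_buggy mirrors the one-character read, msie_major_fixed parses the whole major version with a regex (so it generalises past IE19 and to non-IE agents), and the sample User-Agent strings and the NEW_MSIE_VERSION threshold are constructed for illustration.

```python
import re

# Constructed sample User-Agent strings (not from the original post) covering
# the single-digit, double-digit and non-IE cases the version check must handle.
SAMPLE_AGENTS = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ie9": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "ie10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0",
}

# Assumed threshold for this example; the real constant lives in certsbrt.inc.
NEW_MSIE_VERSION = 7


def msie_major_buggy(ua):
    """Mimic the stock check: read exactly one character after 'MSIE '.
    Returns None when no 'MSIE' token is present."""
    i = ua.find("MSIE")
    if i < 0:
        return None
    return int(ua[i + 5])  # "MSIE 10.0" yields 1, which is the reported bug


def msie_major_fixed(ua):
    """Parse the full major version; any number of digits is accepted."""
    m = re.search(r"MSIE (\d+)(?:\.\d+)?", ua)
    return int(m.group(1)) if m else None


def is_old_msie(ua, parser=msie_major_fixed):
    """True only for an IE release older than NEW_MSIE_VERSION; non-IE agents
    are never classed as old, matching the original function's behaviour."""
    major = parser(ua)
    return major is not None and major < NEW_MSIE_VERSION


if __name__ == "__main__":
    for name, ua in SAMPLE_AGENTS.items():
        print(f"{name:8s} buggy={is_old_msie(ua, msie_major_buggy)!s:5} "
              f"fixed={is_old_msie(ua)!s:5}")
```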

Unable to create child domain


I have an existing W2008R2 domain, and I'm trying to create a new child domain using W2012 Std. The new server is on a remote subnet, connected via WAN, without any firewall or security filter. It can connect to the existing domain controllers (ping, network share, and so on... all works).

I start the wizard, and it confirms that the environment is ok. Then it stalls when working on "Active Directory synchronizing". It reports a series of 1963/1961/2839/1962/1125 event ID errors, then after a while it starts reporting the same series again (it loops to check if the problems are solved, I think).

I cannot find any way to understand why it cannot complete the dcpromo.

Any idea?

Thanks


How to Make a copy of Production AD for Test Lab


Hello Experts,

I am in doubt about whether to take an AD snapshot or a clone for the test lab. I have written it a bit lengthy, so please go through it.

In our production environment, AD DS is running on Windows Server 2008 R2 (VM Boxes) and I have been asked to provide a replica of “Production AD” for internal testing.

I have a feeling that I could do this easily by creating a "Test user account" and granting Admin access (well, the testing is based on editing the schema, so I will add the account to the Schema Admins and Enterprise Admins groups and take a copy of the schema role DC. I will then wait for replication to complete and will remove the test account once the AD snapshot has been taken).

But of course I did some searching and ended up with different suggestions, as some mention that an AD backup image is the best choice because USN rollback occurs while copying the AD.

My concerns are numbered below, correct me if I am wrong and please provide expert advice respectively.

1. I don't think USN rollback makes any issue here, since this snapshot or clone of the root DC is going to be used purely in the test lab.

2. I will install a new blank VM and map the AD clone (will make sure that it is on a different switch/VLAN).

3. I believe that I will be able to log in to the cloned/snapshot DC with the newly created test account after connecting to the virtual switch (it shouldn't connect to production), and DNS on the schema master is pointing to its own IP address, so AD can query the proper SRV records in DNS.

This ends the copy-of-AD-for-test-lab queries, and next is:

4. A totally different option: I have heard that restoring from an AD (Windows Image) backup is the best approach to create a test lab, but I think it would take more effort as I need to convert the image (VHD) to VMDK (VMware) first and also search for some bootable CD, since the backup image will not have bootable files.

At the end, I would like to know what the best approach is to have a replica of the "Production DC" for internal testing. Thanks in advance for the valuable suggestions.


Rahul

Child domain and Tree domain‏


Can anybody elaborate what exactly a child domain and a tree domain are?

As far as I know, both a child domain and a tree domain will not have Enterprise Admins and Schema Admins.

What is the actual difference between a child domain and a tree domain?

Thanks in advance.. :)

Warm Regards,

Anil Kumar

Windows 2003 AD + File/Print Server - need to demote to member in 2008 mixed domain


Hi-

Our primary DC - holds all 5 roles/GC - is a Win 2003 R2 w/ 2008 schema.

We also have a file/print server that is a GC w/ "no" roles now and needs to be demoted.

We just want the Windows 2003 file/print server to be a member server.

However, I've just read this article about demoting an AD server and permissions being affected:

http://support.microsoft.com/kb/320230

Would this process - dcpromo /forceremoval or just dcpromo - demoting cause an issue with our users' file permissions on our D: drive?

Thanks for your help.

-P

AppPool identity in multi domain settings


Hi,

 

We are having performance problems with our setup, which looks somewhat like this:


Everything is running under Windows Server 2008 R2 SP1

 

  • Domain A (internal)
    • IIS Server hosting apps and web services
    • Databases, etc...
  • Domain B (external)
    • IIS Server : AppPool running under an account from Domain A. The App running on this server consumes resources/web services running on the IIS Server in Domain A 

There is a trust between Domain A and Domain B where resources authenticated in Domain A can use resources in Domain B.

So…

 

Under this setup, when we access the application running in domain B, the performance is poor.

 

We tried a bi-directional trust: same poor performance.

 

We tried a bi-directional trust, but used an account from Domain B to run the AppPool instead of an account from Domain A : great performance.

 

We noticed that when the AppPool is running with an account from Domain A, there are A LOT of authentication requests between Domain B (source) and Domain A (destination). So much that this is probably (surely) the reason why the performance is poor when we use a Domain A account to run the AppPool in Domain B. Since there is a trust between the domains, why are these requests so frequent? What can be done to correct this and solve the performance problem?

 

Thank you,

Éric

Server Domain login issue.


One of my servers is frequently getting disjoined from the domain. After rebooting the server it gets automatically joined to the domain again. My users are able to log in to this server after the reboot. After a short while it creates the problem again, and while logging on it shows the "Domain is not available" error.

Symantec antivirus server is installed on this server. Below are the details/description of this server.

OS:- Windows Server 2003 x64

I have run portqry on this server and I am getting the below Winsock error while querying the local or domain controller address.

=============================================

Starting portqry.exe -n 127.0.0.1 -e 135 -p TCP ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...


Cannot use specified source port
Winsock error 10055

portqry.exe -n 127.0.0.1 -e 135 -p TCP exits with return code 0x00000063.
=============================================

Starting portqry.exe -n 127.0.0.1 -e 389 -p BOTH ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...


Cannot use specified source port
Winsock error 10055

portqry.exe -n 127.0.0.1 -e 389 -p BOTH exits with return code 0x00000063.
=============================================

Starting portqry.exe -n 127.0.0.1 -e 636 -p TCP ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...


Cannot use specified source port
Winsock error 10055

portqry.exe -n 127.0.0.1 -e 636 -p TCP exits with return code 0x00000063.
=============================================

Starting portqry.exe -n 127.0.0.1 -e 3268 -p TCP ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...


Cannot use specified source port
Winsock error 10055

portqry.exe -n 127.0.0.1 -e 3268 -p TCP exits with return code 0x00000063.
=============================================

Starting portqry.exe -n 127.0.0.1 -e 3269 -p TCP ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...


Cannot use specified source port
Winsock error 10055

portqry.exe -n 127.0.0.1 -e 3269 -p TCP exits with return code 0x00000063.
=============================================

Starting portqry.exe -n 127.0.0.1 -e 53 -p BOTH ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...


Cannot use specified source port
Winsock error 10055

portqry.exe -n 127.0.0.1 -e 53 -p BOTH exits with return code 0x00000063.
=============================================

Starting portqry.exe -n 127.0.0.1 -e 88 -p BOTH ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...


Cannot use specified source port
Winsock error 10055

portqry.exe -n 127.0.0.1 -e 88 -p BOTH exits with return code 0x00000063.
=============================================

Starting portqry.exe -n 127.0.0.1 -e 445 -p TCP ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...


Cannot use specified source port
Winsock error 10055

portqry.exe -n 127.0.0.1 -e 445 -p TCP exits with return code 0x00000063.
=============================================

Starting portqry.exe -n 127.0.0.1 -e 137 -p UDP ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...

UDP port 137 (netbios-ns service): NOT LISTENING
portqry.exe -n 127.0.0.1 -e 137 -p UDP exits with return code 0x00000001.
=============================================

Starting portqry.exe -n 127.0.0.1 -e 138 -p UDP ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...

UDP port 138 (netbios-dgm service): NOT LISTENING
portqry.exe -n 127.0.0.1 -e 138 -p UDP exits with return code 0x00000001.
=============================================

Starting portqry.exe -n 127.0.0.1 -e 139 -p TCP ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...


Cannot use specified source port
Winsock error 10055

portqry.exe -n 127.0.0.1 -e 139 -p TCP exits with return code 0x00000063.
=============================================

Starting portqry.exe -n 127.0.0.1 -e 42 -p TCP ...


Querying target system called:

127.0.0.1

Attempting to resolve IP address to a name...


IP address resolved to test.abc.com

querying...


Cannot use specified source port
Winsock error 10055

portqry.exe -n 127.0.0.1 -e 42 -p TCP exits with return code 0x00000063.


Nirmal Singh IT Administrator