Channel: Directory Services Forum
Viewing all 2536 articles

AD Users and Computers "A global catalog (GC) cannot be contacted" Server 2008 R2


Hi all, I have been troubleshooting this on and off for a while and am resorting to asking for help. On one DC out of 4, when I open AD Users and Computers, open an object, for instance a user, and click Member Of, I get the error:

"A global catalog (GC) cannot be contacted. A GC is needed to list the objects group memberships"

Despite this error everything seems to work as normal. A similar error is returned when creating a user.

In the event log there are several events where the DC has successfully contacted a GC in the domain. I have also used telnet to connect to the GCs on port 3268 to confirm network connectivity. As part of a Microsoft troubleshooting document I found, I opened AD and selected Change Domain Controller, typed the FQDN of a DC and added the port :3268. This brings back the status "Unavailable". Adding the server without specifying the port shows a status of "Online".

Has anyone seen anything similar to this?
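The check below is an added example, not part of the post above. It separates "port 3268 accepts a TCP connection" (what telnet proves) from "the DC completes an LDAP bind and answers as a global catalog" (what the MMC needs when you add ":3268" in Change Domain Controller), and then compares that with what AD itself says about each DC. The four FQDNs are placeholders; run it as a domain user from the DC that shows the error.

```powershell
# Added example (not from the original post). Assumptions: the four FQDNs below are
# placeholders for the poster's DCs; the script runs as a domain user on the problem DC.
$Dcs = 'dc1.contoso.com', 'dc2.contoso.com', 'dc3.contoso.com', 'dc4.contoso.com'

foreach ($dc in $Dcs) {
    $tcpOk   = $false
    $gcReady = $null
    $err     = $null

    # 1. Raw TCP reachability: the same thing "telnet <dc> 3268" proves, nothing more.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($dc, 3268)
        $tcpOk = $client.Connected
    } catch { $err = $_.Exception.Message } finally { $client.Close() }

    # 2. A real LDAP bind and rootDSE read on the GC port. A DC whose socket is open but which
    #    cannot complete this (bind failure, SPN/Kerberos problem, partial replicas not yet
    #    replicated in) shows "Unavailable" in the MMC while still being "Online" on port 389.
    if ($tcpOk) {
        try {
            $root    = [ADSI]"LDAP://${dc}:3268/RootDSE"
            $gcReady = [string]$root.isGlobalCatalogReady   # 'TRUE' once the GC is fully built
        } catch { $err = $_.Exception.Message }
    }

    New-Object PSObject -Property @{
        DC      = $dc
        Tcp3268 = $tcpOk
        GcReady = $gcReady
        Error   = $err
    }
}

# 3. Cross-check against AD's own view: which DCs carry the GC flag, and in which site.
#    A DC that is flagged as a GC but reports isGlobalCatalogReady = FALSE is not advertising
#    itself on 3268 yet, even though the port may already be listening.
Import-Module ActiveDirectory
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
```

The MMC does not pick a GC by hand; it asks the DC locator for one, so also run `nltest /dsgetdc:<domain> /gc` on the failing DC and compare the GC it returns with the table above. A DC that is reachable but answers `FALSE` for `isGlobalCatalogReady`, or that fails the bind in step 2, is the one to look at, not the one whose telnet session happened to open.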


RODC host record disappears or is deleted in DNS


Hello All!!!

I have a Windows Server 2008 R2 SP1 Active Directory.

Site 1: DC1 (10.10.10.1) and DC2 (10.10.10.2)

Site 2: DC3 (RODC + DNS) (192.168.1.1, 192.168.2.1)

DC1 and DC2 can connect to DC3 over the 192.168.1.1 LAN interface but cannot connect over 192.168.2.1.

I created a host record for DC3 in DNS on DC1 or DC2 for the interface 192.168.2.1.

There are 2 records in DNS now:

Host (A) DC3 192.168.1.1

Host (A) DC3 192.168.2.1

I have a problem: after some time the 192.168.2.1 record disappears or is deleted on DC1 and DC2, and after this also on DC3.

dcdiag and repadmin pass and all replication is OK. There are no errors.

Why was the DC3 192.168.2.1 Host (A) record deleted?

I have no idea why it happened.

Can anybody help me?
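The script below is an added diagnostic, not part of the post above. Two things decide the fate of an A record in a Windows DNS zone: whether it is static (a record created by hand in the console is static, with timestamp 0, unless "Delete this record when it becomes stale" was ticked) or dynamic and therefore subject to the zone's aging and scavenging, and whether the host itself re-registers it, which the DNS client does only for adapters that have "Register this connection's addresses in DNS" enabled. The script snapshots the DC3 records on each server with their timestamps, prints the zone's aging settings, and shows DC3's per-adapter registration setting. Server names and addresses are the post's; the zone name is an assumption, and the WMI calls need admin rights on the DNS servers (the DnsServer PowerShell module does not exist on 2008 R2, hence WMI and dnscmd).

```powershell
# Added example (not from the original post). Assumption: the zone is 'contoso.com'.
$Zone       = 'contoso.com'
$Fqdn       = "dc3.$Zone"
$DnsServers = 'DC1', 'DC2', 'DC3'

# 1. The A records for DC3 as each DNS server holds them, static vs. dynamic.
foreach ($srv in $DnsServers) {
    $recs = Get-WmiObject -ComputerName $srv -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_AType `
                -Filter "ContainerName='$Zone' AND OwnerName='$Fqdn'"
    foreach ($r in $recs) {
        # Timestamp is hours since 1601-01-01 UTC; 0 means the record is static and is never scavenged.
        $stamp = if ($r.Timestamp -eq 0) { 'static' } else { ([datetime]::FromFileTimeUtc(0)).AddHours($r.Timestamp).ToLocalTime() }
        New-Object PSObject -Property @{
            DnsServer = $srv
            Name      = $r.OwnerName
            IP        = $r.IPAddress
            TTL       = $r.TTL
            Timestamp = $stamp
        }
    }
}

# 2. Aging settings of the zone on each server. Only dynamic (timestamped) records are
#    affected; if the 192.168.2.1 record shows a timestamp above, these intervals decide
#    when scavenging removes it unless something refreshes it first.
foreach ($srv in $DnsServers) {
    "== $srv"
    dnscmd $srv /ZoneInfo $Zone | Select-String 'aging|refresh'
}

# 3. On DC3 itself: which adapters register their addresses. The DNS client re-registers
#    A records only for adapters with FullDNSRegistrationEnabled = True, so an address that
#    sits on an adapter with registration disabled is never re-added by DC3 once it is gone.
Get-WmiObject -ComputerName 'DC3' -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Select-Object Description, @{ n = 'IP'; e = { $_.IPAddress -join ',' } },
                  FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled
```

Run step 1 right after recreating the record and again after it vanishes; a record that was static on one server but timestamped on another, or one that disappears a fixed interval after the last refresh, points at aging, while a record that vanishes at the next DC3 registration cycle points at the client-side registration settings from step 3.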

Global Catalog replicated attributes

Is there any way to list all schema attributes that are replicated to (or known by) the GC, using LDP?
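As an added example, not part of the post above: the global catalog carries exactly the attributes whose schema object has isMemberOfPartialAttributeSet = TRUE (the partial attribute set, PAS). In LDP that is a Search with Base DN = the schema naming context, Scope = Subtree, Filter = `(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))`, Attributes = `lDAPDisplayName`. The same query from PowerShell, plus a lookup for a single attribute (the attribute name `department` is only a sample argument):

```powershell
# Added example (not from the original post). Lists the partial attribute set from the
# schema NC of the forest the machine is joined to.
Import-Module ActiveDirectory

$schemaNc = (Get-ADRootDSE).schemaNamingContext

$pas = Get-ADObject -SearchBase $schemaNc -SearchScope Subtree `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName, attributeID, searchFlags |
       Sort-Object lDAPDisplayName

"{0} attributes are replicated to the global catalog" -f @($pas).Count

# searchFlags bit 1 (fATTINDEX) marks the attribute as indexed, useful to know for GC queries.
$pas | Select-Object lDAPDisplayName, attributeID,
        @{ n = 'Indexed'; e = { ($_.searchFlags -band 1) -eq 1 } } |
    Format-Table -AutoSize

# Is one particular attribute in the PAS?
function Test-InPartialAttributeSet {
    param([Parameter(Mandatory = $true)][string]$LdapDisplayName)
    $a = Get-ADObject -SearchBase $schemaNc `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
            -Properties isMemberOfPartialAttributeSet
    if (-not $a) { throw "No attributeSchema object named '$LdapDisplayName'" }
    [bool]$a.isMemberOfPartialAttributeSet
}
Test-InPartialAttributeSet -LdapDisplayName 'department'
```

The equivalent one-liner without PowerShell is `ldifde -f pas.ldf -d "<schema NC>" -r "(isMemberOfPartialAttributeSet=TRUE)" -l lDAPDisplayName`. Keep in mind that anything added to the PAS becomes readable from every GC in the forest by anyone who has Read on the object, so a PAS change widens exposure as well as replication traffic.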

Minimum port requirements for a selective trust


When I need to create a selective forest trust with the minimum ports, I need the following:

http://pberblog.com/post/2009/11/07/Creating-a-2003-AD-domain-trust-through-a-firewall.aspx

Port Protocol       Service
================================
53   TCP/UDP        DNS
88   TCP/UDP        Kerberos
389  TCP/UDP        LDAP
445  TCP            SMB

If I want to validate the trust I need:
http://technet.microsoft.com/en-us/library/cc773178.aspx

135/tcp and 135/udp and 49152 - 65535 TCP

Trust allowed to authenticate

“Grant the Allowed to Authenticate permission on computers in the trusting domain or forest”

http://technet.microsoft.com/en-us/library/cc738653(v=ws.10).aspx

So that I can browse groups from the other domain and give them the Allowed to Authenticate permission,

I need:

3268 Global Catalog

135/tcp and 135/udp RPC

49152 - 65535 TCP Dynamic

Is there a more restricted method than opening 135 and the upper ports? A more secure way?
Or do I have to open those ports so that I can use the selective method?

I know that RPC ports can be restricted: http://support.microsoft.com/kb/154596

Access file resource ports (minimum)

http://social.technet.microsoft.com/Forums/en-US/winserverPN/thread/1219d421-fa13-40ea-9aeb-c385a6f3d3ae/

Only 445

Thanks for help!
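The script below is an added example, not part of the post above. It probes the TCP ports listed in the post from a DC in one forest towards a DC in the other, and then reads back the RPC port restriction from KB154596 on the machine it runs on. UDP 53/88/389 cannot be confirmed with a plain connect, so they are not in the table. The target DC name is an assumption.

```powershell
# Added example (not from the original post). Assumption: $TargetDc is a DC in the other forest.
$TargetDc = 'dc1.partner.example'

$Ports = @(
    @{ Port = 53;   Service = 'DNS (TCP)' }
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 135;  Service = 'RPC endpoint mapper' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'SMB' }
    @{ Port = 3268; Service = 'Global catalog' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect so a firewall that silently drops SYNs does not stall the loop.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch { return $false } finally { $client.Close() }
}

foreach ($p in $Ports) {
    New-Object PSObject -Property @{
        Port    = $p.Port
        Service = $p.Service
        Open    = Test-TcpPort -ComputerName $TargetDc -Port $p.Port
    }
}

# Port 135 only hands the caller a port from the dynamic range (49152-65535 on 2008 and later).
# KB154596 lets you pin that range on the server so the firewall rule can be a handful of ports
# instead of 16,000. This reads what is configured on the machine the script runs on, so run
# it on the DC whose RPC range you want to restrict.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (Test-Path $rpcKey) {
    Get-ItemProperty -Path $rpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
} else {
    'No RPC port restriction configured (HKLM\SOFTWARE\Microsoft\Rpc\Internet is absent).'
}
```

On 2008 and later the same narrowing can be done with `netsh int ipv4 set dynamicport tcp start=<port> num=<count>` instead of the registry key; whichever you use, the endpoint mapper on 135 still has to be reachable, because that is where the trust validation and the group-picker RPC calls learn which high port to use.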

Restrict AD view for specific users


Hello,

Env - Windows 2008 domain functional level

We'd like to provide certain managers in departments with the ability to add and remove users from specific AD groups.

We know we can provide them with the Win 7 admin centre or ADUC and use delegated permissions to achieve this. However, is there a way we can restrict the view so that users can only see specific groups?

Thank you.
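As an added example, not part of the post above: the delegation half of the question with dsacls.exe, followed by a check of what the delegated user can still see. Delegation changes what a user can write, not what they can read; Authenticated Users have Read on group objects by default, so a manager who may edit one group still lists every group in the OU. The group DN, the managers group and the test user are assumptions.

```powershell
# Added example (not from the original post). Assumptions: the target group, the managers
# group and the test user below do not exist on the poster's domain.
$TargetGroup = 'CN=Sales Staff,OU=Groups,DC=contoso,DC=com'
$Managers    = 'CONTOSO\Sales Managers'

# WP;member = Write Property on the 'member' attribute only. This is the right the ADUC
# delegation wizard grants for "Modify the membership of a group": no other attribute,
# and no create/delete of objects, is delegated.
dsacls $TargetGroup /G "${Managers}:WP;member"

# Read the ACL back and show only the ACEs that mention the managers group.
dsacls $TargetGroup | Select-String 'Sales Managers'

# What the delegated user sees: bind as that user and enumerate the OU.
Import-Module ActiveDirectory
$cred = Get-Credential 'CONTOSO\manager1'    # assumed member of Sales Managers
Get-ADGroup -Filter * -SearchBase 'OU=Groups,DC=contoso,DC=com' -Credential $cred |
    Select-Object Name, DistinguishedName
```

Hiding the other groups is a separate, forest-wide change: enable List Object mode (the third character of dsHeuristics on CN=Directory Service,CN=Windows NT,CN=Services in the configuration NC set to 1), remove List Contents for the managers on the OU, and grant List Object on the groups they manage. Every directory read then carries an extra per-object check, which is why most deployments accept the wider read and restrict only the write.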


Password Expiry Alert


Hi Everyone,

I would like to reduce the password expiration alert for all users so that it warns people 5 days in advance (i.e. "Your password will expire in 5 days. Do you want to change it?" - not more than this).

How do I accomplish this from AD? I am running forest & domain functional level 2003 on Server 2003 R2 and 2008 R2 DCs.


Meshack
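The script below is an added example, not part of the post above. The warning is not an attribute of the domain: it is the client-side security option "Interactive logon: Prompt user to change password before expiration" (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options), which lands in the Winlogon value PasswordExpiryWarning on each machine, so it is delivered by a GPO linked where the client computers live. The first part reads that value on the local machine (the Set- line is left commented for a test box); the second queries AD for the accounts whose password actually expires within the warning window, using the constructed attribute msDS-UserPasswordExpiryTimeComputed that 2008 and later DCs return.

```powershell
# Added example (not from the original post). Assumption: run on a 2008 R2 member with the
# ActiveDirectory module; the 5-day window is the value the poster asked for.
$WarnDays = 5

# 1. The client-side setting behind the logon prompt.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
(Get-ItemProperty -Path $wl -Name PasswordExpiryWarning -ErrorAction SilentlyContinue).PasswordExpiryWarning
# Set-ItemProperty -Path $wl -Name PasswordExpiryWarning -Value $WarnDays -Type DWord   # test machine only; use GPO in production

# 2. Who is inside the window right now, as the DC computes it (honours fine-grained policies too).
Import-Module ActiveDirectory
$now   = Get-Date
$limit = $now.AddDays($WarnDays)

Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
           -Properties 'msDS-UserPasswordExpiryTimeComputed', mail |
  ForEach-Object {
    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means "does not expire" (no password policy applies to the account).
    if ($raw -and $raw -ne [Int64]::MaxValue) {
        $expires = [datetime]::FromFileTime($raw)
        if ($expires -gt $now -and $expires -le $limit) {
            New-Object PSObject -Property @{
                User     = $_.SamAccountName
                Mail     = $_.mail
                Expires  = $expires
                DaysLeft = [math]::Ceiling(($expires - $now).TotalDays)
            }
        }
    }
  } | Sort-Object Expires | Format-Table User, DaysLeft, Expires, Mail -AutoSize
```

The second query is the piece to schedule if you want an e-mail reminder as well as the logon prompt: it gives the same list the prompt would show users, computed from the policy that actually applies to each account rather than from the default domain policy's maxPwdAge alone.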

LNF user object replicating amongst GCs


Hi,

Scenario - 1 x 2003 forest with 14 domains

I had a user object (Tim) in the LostAndFound OU of domain1; it used to be an active user in domain1. A conflict had occurred and hence the LNF object.

It was deleted and no trace of it can be found in domain1 on any of its DCs.

There are multiple AD sites configured and there is a core site that has a number of DCs from each domain. In this core site there are DCs from domain1 which do not have the LNF object. All the rest in that site have the object.

All DCs in the forest (200) are global catalog servers. If I connect to any other DC outside of domain1 using ldp.exe (using the GC port) and browse to its replica of domain1, the object "Tim" is found in the LostAndFound OU.

I've tried re-hosting the domain1 replica on all servers in the core site using repadmin, pointing the server at one of the DCs in domain1 (also in the core site) to get the correct replica. It does this and the object "Tim" is gone. Then after around 5 minutes the object appears again.

So would I be right in saying that intrasite replication occurs and it gets the object back from one of the other DCs that still has the object?

I don't quite understand why the DCs in domain1 (which hosted the object originally) haven't forced their replica onto the rest of the DCs.

Am I making sense? I need to get rid of this object completely.

Any help would be much appreciated.

Cheers Ron

How to create two domain names on one server


Greetings,

I recently set up an Exchange 2010 server on a server running Windows Server 2008 R2 and I have been trying to figure out how to change the domain name for the emails to be different from the machine domain name. To explain better here is what I am trying to do.

My server is running the domain BFE.local but I am trying to have my email address domain be drinker@beerforeveryone.com. I remember there being a way to add a DN and select it in the User logon name drop-down in the Active Directory user properties. However, I cannot for the life of me remember how to do it and cannot find anything online on how.

Can anyone help me?

Thanks
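As an added example, not part of the post above: the drop-down next to "User logon name" in ADUC lists the forest's UPN suffixes, which are registered in Active Directory Domains and Trusts (Properties > UPN Suffixes) and stored in the uPNSuffixes attribute of the Partitions container. The same two steps from PowerShell, using the domain names from the post; the sAMAccountName `drinker` is an assumption.

```powershell
# Added example (not from the original post). Assumption: the user's sAMAccountName is 'drinker'.
Import-Module ActiveDirectory

$Suffix = 'beerforeveryone.com'

# 1. Register the suffix forest-wide; after this it appears in the ADUC drop-down on every DC.
Set-ADForest -Identity (Get-ADForest).Name -UPNSuffixes @{ Add = $Suffix }
(Get-ADForest).UPNSuffixes

# 2. Assign it to the user. The UPN is a logon name only: it does not set the mailbox's
#    address, which comes from Exchange's e-mail address policy (or the mail attribute),
#    so both the suffix and the accepted domain in Exchange have to exist for the address to work.
Set-ADUser -Identity 'drinker' -UserPrincipalName "drinker@$Suffix"
Get-ADUser -Identity 'drinker' | Select-Object SamAccountName, UserPrincipalName
```

Users can then log on as `drinker@beerforeveryone.com` while the domain itself stays BFE.local; nothing about the DNS domain of the machine changes, only the suffix presented at logon.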


Windows 8 and Default Domain Policy modification issue


Hi,

I'm unable to edit the default domain policy from my new Windows 8 desktop.  It's the only Win8 in the environment so I'm not able to easily test another one unfortunately.  The error I receive is:

Group Policy Error

Failed to open the Group Policy Object.  You might not have the appropriate rights.

Details: The volume for a file has been externally altered so that the opened file is no longer valid.

I have checked from a Win7 and a 2003 machine and can access and edit the GPO without issue using the same account. The Win8 desktop is a fresh install with the RSAT tools installed, Exchange 2010 tools and a few basic applications (none of which stick out as having anything to do with AD management).

It only occurs if I click edit on the GPO.  I'm able to successfully view the policy and edit the permissions etc.  Have rebooted and the machine is current with patches as of now.

thanks

Andy


Cheers Andy

Configure a site with No DC


Hi,

We currently have a domain with multiple sites. Each site has a DC. We are looking to reduce the number of DCs on the network as not all sites need one, e.g. three users on one site with a DC. We want to set up a DC at our data center and have the users authenticate to that. My question is: how do we configure that site to use the DC in the data center?

Many thanks.
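The script below is an added example, not part of the post above. A client picks its DC by looking up the AD subnet that contains its address and asking the DC locator for DCs in the site that subnet belongs to, so the simplest way to point a branch at the data-centre DCs is to associate the branch's subnet with the data-centre site (the subnet object's siteObject attribute is the whole mapping). The site name, subnet and domain are assumptions.

```powershell
# Added example (not from the original post). Assumptions: site 'DataCenter', branch subnet
# 10.20.0.0/24 and domain 'contoso.com' stand in for the poster's values.
Import-Module ActiveDirectory
$Domain   = 'contoso.com'
$SiteName = 'DataCenter'
$Subnet   = '10.20.0.0/24'

$cfg  = (Get-ADRootDSE).configurationNamingContext
$site = Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter "(&(objectClass=site)(name=$SiteName))"
if (-not $site) { throw "Site '$SiteName' not found" }

# Map the branch subnet to the data-centre site. No site object and no DC is created for the
# branch; clients on 10.20.0.0/24 will simply ask for DCs in 'DataCenter'.
New-ADObject -Name $Subnet -Type subnet -Path "CN=Subnets,CN=Sites,$cfg" `
             -OtherAttributes @{ siteObject = $site.DistinguishedName; description = 'Branch office, no local DC' }

# Verify from a machine in the branch once the change has replicated: the site it resolved
# to and the DC the locator handed it (/force bypasses the cached answer).
nltest /dsgetsite
nltest "/dsgetdc:$Domain" /force
```

If you prefer to keep the branch as a site of its own (for example because it has its own site link costs), leave the subnet on the branch site and let automatic site coverage do the work: the DCs in the closest site by site-link cost register SRV records for the DC-less site, and `nltest "/dsgetdc:$Domain" /site:<BranchSite>` shows which DC is covering it.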

Add to DC


Hi,

I have 2 different domain controllers:

1) Contoso.com

2) US.contoso.com

I repeat, both are 2 different domain controllers; both are running their own separate DHCP, DNS and AD.

What I want to do is:

1) Add US.contoso.com to the contoso.com domain as a secondary DC.

How can I migrate AD users, DNS and DHCP, because US.contoso.com has DHCP which distributes IPs to phones and desktop machines in the US,

and contoso.com distributes IPs to machines in India.

2) How can I keep this as it is even after migrating to contoso.com?

Please help out with this; I am on this task and don't have much time.

Thanks,


Akshay Vithalkar
(MCTS) | Windows Server 2008 R2 Server Virtualization
(MCTS) | Windows Server 2008 R2 Network Infrastructure,Configuration
(MCTS) | Windows Server 2008 R2 Active Directory, Configuration
(MCITP)| Windows Server 2008 Server Administrator
(MCSA) | Windows Server 2008

Reading/Modifying Users and Attributes with Active Directory Web Services on 2008 R2


Hello,

I'm trying to query/update users in Active Directory (e.g. return all attributes for cn=John Smith,ou=users,dc=fabrikam,dc=com, change attributes like manager, email address, display name), preferably through the use of web services, or HTTP GET/POST/PUT/etc.

I installed and configured DSML on Windows 2008 R2 and it had exactly what I needed, without realizing the service has been deprecated. Can I get that same functionality (send web service/HTTP requests to query/update AD users) through Active Directory Web Services (ADWS)?

I've been looking through all the documentation on MSDN (http://technet.microsoft.com/en-us/library/dd391908(v=ws.10).aspx and others) but am still not clear if ADWS can replicate the same functionality through just web services.  I don't see that same functionality in the wsdl described here: http://technet.microsoft.com/en-us/library/dd391908(v=ws.10).aspx.

Any help would be appreciated, thanks!

Richard Wolters

Edit:  I see you can manage AD information through a few different APIs (ADSI, LDAP API, System.DirectoryServices), and they give an example of reading/writing AD object attributes here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa746292(v=vs.85).aspx.  Can this be done through ADWS?
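As an added example, not part of the post above: ADWS is the transport behind the ActiveDirectory PowerShell module, so the read and update the post describes look like this when driven through it. ADWS listens on TCP 9389 and speaks SOAP (WS-Transfer and WS-Enumeration), not plain HTTP GET/POST, which is why the WSDL does not read like DSML. The DN is the post's; the DC name, the manager DN and the e-mail address are assumptions.

```powershell
# Added example (not from the original post). Assumptions: $Dc is a 2008 R2 DC running ADWS;
# the manager DN and mail address are placeholders.
Import-Module ActiveDirectory
$Dc = 'dc1.fabrikam.com'

# 1. Is ADWS up on that DC? The module cannot work against a DC where the service is stopped.
Get-Service -ComputerName $Dc -Name ADWS | Select-Object Status, DisplayName
$client = New-Object System.Net.Sockets.TcpClient
try { $client.Connect($Dc, 9389); "ADWS port 9389 on ${Dc}: $($client.Connected)" } finally { $client.Close() }

# 2. Read every attribute of the user (the DSML searchRequest with attributes=* equivalent).
$user = Get-ADUser -Server $Dc -Identity 'CN=John Smith,ou=users,dc=fabrikam,dc=com' -Properties *
$user | Select-Object DisplayName, EmailAddress, Manager

# 3. Update the attributes named in the post (the DSML modifyRequest equivalent).
Set-ADUser -Server $Dc -Identity $user `
           -DisplayName 'John Smith' `
           -EmailAddress 'jsmith@fabrikam.com' `
           -Manager 'CN=Jane Doe,ou=users,dc=fabrikam,dc=com'

# 4. Attributes without a dedicated parameter go through -Replace / -Add / -Remove / -Clear.
Set-ADUser -Server $Dc -Identity $user -Replace @{ title = 'Analyst' }
Get-ADUser -Server $Dc -Identity $user -Properties title, manager | Select-Object Name, title, manager
```

If the consumer has to be a plain HTTP client rather than PowerShell or .NET, ADWS is the wrong fit: the practical pattern on 2008 R2 is a small web service of your own in front of System.DirectoryServices (the API the MSDN page in the edit describes), which also lets you constrain exactly which attributes can be written.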




Moving ADFS DB to a Remote SQL Instance.

Event ID 4776 - Source Workstation: \\computer


We have a user that was locked out but never logged into the computer that is referenced in the 4776 events for the lockout. The source workstation in the events is represented as \\abccomputer. My question is why does the source computer look like a UNC path? We have other 4776 events that are not that way - they just list the computer name. We have checked the event log on the computer in question and there are no security events listed for the user.

Thanks,

Crystal
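The script below is an added example, not part of the post above. It pulls the 4776 events for one account from a DC, reads the Workstation field out of the event XML rather than regex-parsing the message text, strips a leading `\\` so that `\\abccomputer` and `abccomputer` group together, and tallies failures by source and status code. The Source Workstation in 4776 is the workstation name the client supplied in the NTLM exchange, not something the DC resolved, so the `\\` form is the caller's own rendering of its name; keeping the raw value next to the normalised one lets you see which client stack produced it. The account name and DC are assumptions.

```powershell
# Added example (not from the original post). Assumptions: $Dc is the DC that logged the
# events and $Account the locked-out user; needs Event Log Readers (or admin) on $Dc.
$Dc      = 'dc1.contoso.com'
$Account = 'jdoe'
$Since   = (Get-Date).AddHours(-24)

$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $Since }

$rows = foreach ($e in $events) {
    # Field names in 4776: PackageName, TargetUserName, Workstation, Status.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -ne $Account) { continue }

    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        User        = $d.TargetUserName
        RawWorkstn  = $d.Workstation
        Workstation = ($d.Workstation -replace '^\\\\', '')   # "\\abccomputer" -> "abccomputer"
        Status      = $d.Status   # 0x0 ok, 0xC000006A bad password, 0xC0000234 locked out, 0xC0000064 no such user
    }
}

# Where the attempts came from, and whether the UNC-looking form came from the same host.
$rows | Group-Object Workstation, Status | Sort-Object Count -Descending |
    Select-Object Count, Name
$rows | Group-Object RawWorkstn | Select-Object Count, Name
```

A 4776 is logged on the DC that validated the NTLM credentials, which can be any DC that the authenticating server reached; when the workstation named in the event has no matching logon events, the next step is to query the same window on every DC and correlate the workstation name with 4624/4625 events on the member server that forwarded the NTLM pass-through (its name is what some clients report here, not the user's desktop).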

no sysvol_dfsr


I have no SYSVOL_DFSR folder.

dfsrmig /GetGlobalState gives me an Eliminated state, but I cannot replicate DFSR with repadmin /replsum /syncall.

This is the output I get from repadmin:

Replication Summary Start Time: 2013-03-07 17:54:58

Repadmin experienced the following error trying to resolve th
If you are trying to connect to an AD LDS instance, you must
If you are trying to connect to an AD LDS instance with wildc
Error: An error occurred:
    Win32 Error 8419(0x20e3): The DSA object could not be fou



Source DSA          largest delta    fails/total %%   error


Destination DSA     largest delta    fails/total %%   error

How can I get SYSVOL to really migrate to DFSR (SYSVOL_DFSR)?

Kind Regards

Gerard Schoenmakers


New 2012 Active Directory Domain Setup, DNS Convention Question

I'm setting up a new Active Directory network from scratch for a client with 2 Server 2012 DCs. I haven't set up 2012 yet - first DC setup.

I've always set up single-office Active Directory domains with just a 2nd DNS namespace like "domain.local" - not "corp.domain.local". I'm not familiar with setting up multiple offices and linking them up, etc.

With this particular setup, it might be possible in the future that remote offices will be linked to the internal domain in some fashion.

With that in mind, here are my questions:

1) Is it smarter to start the setup with a third domain namespace like "corp" for the headquarters if you're going to have remote offices in the future?
2) Or can you easily change it in the future so it doesn't matter right now?
3) Also, I've seen in all of the Microsoft examples online that they're only using ".com" for their internal domains. I know you can do this but I've always just stuck with ".local" to keep things simple and separate. With 2012, is there a change to this?

Thanks.

Increase forest functional level to 2003


Hi,

I am in the process of increasing our forest functional level to Windows 2003 from Windows 2000 as part of a domain cleanup. 

We have 1 SBS2003 server, 1 Windows 2008 and 2 2008 R2 servers, and the plan is to install another DC with Windows 2012 and promote it to primary domain controller, then demote the SBS2003 and 2008 servers, leaving us with 3 servers.

However, I have run DCDIAG and fixed just about all the errors prior to raising the forest level; the only issue left is related to DNS. I ran DCDIAG from the SBS2003 server (our current PDC) and got the following results:

Summary of DNS test results:
        
                                            Auth Basc Forw Del  Dyn  RReg Ext 
               ________________________________________________________________
            Domain: domain.com
               FS1                          PASS WARN n/a  n/a  n/a  n/a  n/a 
               IHDC1                        PASS PASS PASS PASS WARN PASS n/a 
               sbsrv                        PASS PASS PASS PASS WARN PASS n/a 
               FS2                          PASS WARN n/a  n/a  n/a  n/a  n/a 
        
         .........................domain.com passed test DNS

Both FS1 and FS2 (2008 R2 servers) also report the following:

The SOA record for the Active Directory zone was found
                  Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
                  [Error details: 5 (Type: Win32 - Description: Access is denied.)]

Should I be concerned about this prior to increasing the functional level or am I ok to just proceed?

All other DCDIAG tests pass OK.

Checking DNS management on any of the other servers, other than the SBS server, I can view and connect to each DNS server, and replication works fine, as does resolution. From the SBS server I cannot connect to the 2008 R2 servers through the DNS management console. I can ping them by name and IP address.

Just to add they are part of an NLB cluster managing ADFS, but the cluster uses a secondary NIC on a different IP address.

Regards

Drac 
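The script below is an added example, not part of the post above. It reproduces the one failing check independently of dcdiag (dnscmd uses the same DNS server RPC interface the DNS console does, so "Access is denied" from it confirms the console symptom is RPC, not name resolution), then runs the preconditions that actually gate a forest functional level raise: every domain already at 2003 domain mode, no Windows 2000 DC left, and healthy replication so the change reaches all DCs from the schema master. DC names are the post's; the raise commands are left commented because 2000 to 2003 cannot be undone.

```powershell
# Added example (not from the original post). Assumption: run on a 2008 R2 DC as a member of
# Enterprise Admins (the forest raise) and Domain Admins (the domain raise).
$Dcs = 'sbsrv', 'IHDC1', 'FS1', 'FS2'

# 1. DNS RPC connectivity to each DNS server, the thing the Basc test warned about.
foreach ($dc in $Dcs) {
    "== $dc"
    dnscmd $dc /Info 2>&1 | Select-Object -First 6
}

# 2. Inventory: OS of every DC and the current modes. FFL 2003 needs every domain at
#    DFL 2003 or higher and no Windows 2000 DCs anywhere in the forest.
Import-Module ActiveDirectory
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem, IsGlobalCatalog, Site
"Domain mode: " + (Get-ADDomain).DomainMode
"Forest mode: " + (Get-ADForest).ForestMode
"Schema master: " + (Get-ADForest).SchemaMaster

# 3. Replication health on all DCs; the raise is written on the schema master and replicated out.
repadmin /replsummary
repadmin /showrepl * /errorsonly

# 4. The raise itself (irreversible from 2000 to 2003): domain first, then forest.
# Set-ADDomainMode -Identity (Get-ADDomain).DNSRoot -DomainMode Windows2003Domain
# Set-ADForestMode -Identity (Get-ADForest).Name   -ForestMode Windows2003Forest
```

The DNS RPC warning does not block the raise, which only needs replication and the domain mode to be in order; it does block managing the 2008 R2 DNS servers from the SBS console, so it is worth fixing before the SBS box is demoted rather than after, while you can still compare both sides.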

Taking an OU to a new domain and retaining permissions


I've just inherited IT management of a group in a university that is being spun out as a standalone entity. We'll be taking our several servers (2008 & 2003 R2) and the computers in the OU with us. No server that is relocating with us is currently a domain controller; no branch office/trust will remain. Server roles are 4 x file and print, 1 x application/IIS and 1 x SQL. The IIS-based apps and DBs the org uses currently rely on the OU in the university domain for permissions/security.

What path can get us the closest to leaving the university and setting up a new domain without having to recreate all the settings?

Thoughts, links and further questions to answer appreciated. As I said, I inherited the current setup, which is pitifully documented. University ITS is not offering much in the way of help. Growing pains. Many thanks.


ADFS RP and Shibboleth IDP Message: MSIS7029: The SAML response has content that is not supported.


Hi everybody

I have been doing an ADFS 2.0 and Shibboleth integration with Shibboleth as IdP and ADFS as RP.

When I want to log in with CAS on my application, after being redirected by the IdP to ADFS, the ADFS web application displays an ERROR and in Event Viewer I have this error:

Exception Message: MSIS7029: The SAML response has content that is not supported.

And in the Applications and Services log I have this error:

Encoded context is null or empty

Please, can anyone help me resolve this issue?

Thanks in Advance.


Group policy for Internet Explorer is not applied per OU


I am linking and configuring 2 group policies; each one configures the proxy for the users' IE and each is linked to the OU containing the target users.

Now things are not working: the second OU's users get a blank proxy when the policy is applied.

Any ideas?


