Channel: Directory Services Forum

eventid 4010 DNS The Active Directory definition of this resource record is corrupt or contains an invalid DNS name


I have this error logging on all of our DNS servers; the record is a domain controller record. I have read suggestions to delete the record, but I have never deleted a DC in AD, so I am a bit nervous to do so. Does anybody have explicit directions for correcting this?

The DNS server was unable to create a resource record for 95d10a4b-c617-49b1-adc3-2739d2956e59._msdcs.domain.local. in zone domain.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:


Delegation - Why can't a delegated user interact/affect with privileged user? (domain admin...etc)


I wanted to ask this question since I had seen this behavior and could not find any Microsoft documentation.

The scenario is as below:

There is an application which is designed to allow users to change their own password by registering a website.

Its service account can be configured with a delegated domain user account as long as it is a local administrator on the server where the application is running and all the required privileges are delegated. For instance, it must be delegated to write the keyword, comment attributes, etc.

Once the application has been configured with the delegated user account, the site can be registered by all the users except Domain Admins: the service account can read and go through all the steps, but when it needs to write something to this privileged account (domain admin), it gets an "access denied" error.

I have seen this behavior before. What I would like to know is, does this happen by Microsoft design? If so, how? When a delegated user is interacting with privileged users, would it be denied regardless?

Thanks in advance for replies.

SYSVOL failed to replicate


I have searched the forum and the internet and couldn't find an answer. I hope I can get some help here.

Our domain has only two DCs, DC1 and DC2. They are both running Server 2008 SP2 x86. The domain functional level is 2003. I found a few workstations don't get the logon script working. So I checked the SYSVOL on both DCs and found out they are different: DC2 has more entries under SYSVOL\<Domain>\Policies\ than DC1. In the event log, both DCs show Event ID 13508, a warning that says FRS couldn't replicate SYSVOL to each other. In Server Manager, I found "Windows Server 2003 File Services" and "File Replication Service" were not even enabled, so I enabled them on both DCs. I have run ntfrsutl forcerepl dc1 /r "domain system volume (sysvol share)" /p DC2.<domain>, but SYSVOL is still inconsistent between the two DCs. My question is how I can get SYSVOL replication working again. Thanks a lot.

Change the UPN name format


Hello. What would be the most effective way to change the UPN name format

from: "AliasName@internaldomainname.com"

to: "First.LastName@externaldomainname.com"

for all clients under one OU, "BCW-Users"?

Thanks.


Big B
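A PowerShell approach to the change asked about above, added here as an example and not part of the original post. It assumes the RSAT ActiveDirectory module; the OU name "BCW-Users" comes from the post, while the OU's distinguished name and the domain names are placeholders, and the external name must already be registered as an alternative UPN suffix on the forest or Set-ADUser rejects it.

```powershell
# Added example (not from the post). Placeholders: OU DN and UPN suffix.
Import-Module ActiveDirectory

$ouDn      = 'OU=BCW-Users,DC=internaldomainname,DC=com'   # assumed DN of the OU
$newSuffix = 'externaldomainname.com'                       # target suffix from the post

# A UPN suffix other than the forest root must be registered on the forest first.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    throw "UPN suffix '$newSuffix' is not registered. Add it with: Set-ADForest -UPNSuffixes @{Add='$newSuffix'}"
}

$users = Get-ADUser -SearchBase $ouDn -SearchScope Subtree -Filter * `
            -Properties GivenName, Surname, UserPrincipalName

$planned = @()
foreach ($u in $users) {
    if ([string]::IsNullOrWhiteSpace($u.GivenName) -or [string]::IsNullOrWhiteSpace($u.Surname)) {
        Write-Warning "Skipping $($u.SamAccountName): GivenName or Surname is empty"
        continue
    }
    # Build First.LastName and strip spaces/apostrophes so the local part stays clean
    $local  = ('{0}.{1}' -f $u.GivenName, $u.Surname) -replace "[\s']", ''
    $newUpn = '{0}@{1}' -f $local, $newSuffix
    if ($u.UserPrincipalName -eq $newUpn) { continue }

    # UPNs must be unique in the forest; refuse to create a duplicate
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" |
             Where-Object { $_.DistinguishedName -ne $u.DistinguishedName }
    if ($clash) {
        Write-Warning "Skipping $($u.SamAccountName): $newUpn is already used by $($clash.SamAccountName)"
        continue
    }
    $planned += [pscustomobject]@{
        Sam = $u.SamAccountName; Old = $u.UserPrincipalName; New = $newUpn; Dn = $u.DistinguishedName
    }
}

# Keep the plan as a rollback record (old and new UPN per account), then review it.
$planned | Export-Csv -Path .\upn-change-plan.csv -NoTypeInformation
$planned | Format-Table Sam, Old, New -AutoSize

foreach ($p in $planned) {
    # Remove -WhatIf once the plan has been reviewed
    Set-ADUser -Identity $p.Dn -UserPrincipalName $p.New -WhatIf
}
```

Users sign in with the new UPN immediately after the change, so the CSV is the only record of the previous values; keep it until the change is confirmed.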

External website resolving with internal IP address


A few external websites are resolving to an internal IP address, but I don't see records for that name in our internal DNS server.

When I do an nslookup:

> mail.example.com
Server:  dc101.cort.net
Address:  10.203.1.4

Non-authoritative answer:
Name:    mail.example.com
Address:  10.202.8.4

mail.example.com should resolve to the external IP address instead of 10.202.8.4.

How do I flush this info from the DNS server, or how can I make it resolve to the external IP address?

Your help is much appreciated.


Mahesh

Migrating user principals from MIT KDC to AD domain controllers


We are operating a set of MIT KDCs for authenticating users on a number of Linux-based computers at our site; we recently deployed an Active Directory domain for Windows 7 and Server 2008 R2 systems to use, with a trust relationship with the MIT KDCs. The Kerberos realm and domain name are different (the Kerberos realm is DOMAIN.SCHOOL.EDU, whereas the AD domain name is AD.DOMAIN.SCHOOL.EDU). User mappings work fine for authenticating users on Windows computers via the MIT KDCs.

For a number of reasons, we are considering phasing out the MIT KDCs in favor of using the Active Directory KDCs for all user authentication, Linux and Windows. We would need to transition all the user principal data from the current MIT KDCs to a domain controller, though.

My question: is this possible?  And if so, are there any pointers for doing such a transition?

John

Computer account no longer in AD, but computer still thinks it's domain member


Hi all.

I have a computer that was joined to the domain, but somehow the computer account was removed from Active Directory. The machine still thinks it's joined to the domain, and its main user still has cached credentials. What's the easiest way to get this box talking to the domain again? The computer is XP Pro SP3, and the domain and forest are in 2003 mode.

Thanks.

Is there any way to see another forest's GAL data?


We have several ExchOrgs.

We sometimes receive inquiries that end users cannot see some contacts in their GAL.

I would like to know if there is any way to see another forest's GAL data without a mailbox account in that forest. Our forests have a forest trust relationship, and the GAL is AD data, so I think there is some way to see it from an LDAP or AD point of view.


Logon failure: The target account name is incorrect


I have a CIFS server joined to the domain, and users access it via an alias (an A record, not a CNAME). I'm trying to move the data to another NAS device, but if I point the A record to a different IP, I get this message when trying to access it:

\\servername is not accessible.  You might not have permission to use this network resource.  Contact the administrator of this server to find out if you have access permissions.

Logon failure: The target account name is incorrect

Any suggestions are appreciated.  Thank you!

KDC is taking high utilization


Lsass.exe is taking high utilization on 4 domain controllers, which are Windows 2008 R2.

As I checked, within lsass.exe the KDC service is taking 80 to 100% utilization.

Active Directory Group Help


Hi,

First off, let me start by saying I am new to Active Directory as well as the terminology.

Where I work we have a lot of systems that we are all eventually going to be supporting. To access these files and systems that are on any of the four file/print servers we have, users are put in AD groups and permissions assigned that way.

For us to be able to support all the systems, we all need to have the same permissions, because at the moment user 1 might be able to access certain folders/files for system 1 whereas user 2 wouldn't be in this group because there wasn't a requirement until now.

I'm trying to find the best solution to this as we think making something like a Super-group and putting all of the current AD groups in this super-group would be the best option.

Is this even possible? I already have all the user groups everyone in the team is a member of and can identify the gaps.

Another suggestion was to get all the folders that had the permissions we needed and create the super-group using the list of folders and permissions needed.

After looking into this, it became obvious that putting in a request to the people that handle AD groups and asking them to create our super-group and to add well over 100,000 permissions to folders is just not going to happen.

I'm sorry if this doesn't make sense.

Does anyone have any ideas on a solution?

Thanks

Gareth

Known issues with server 2008 on a 2003 Domain Controller running in 2000 mixed mode?


Hi

We are having numerous issues within our 2003 domain with our 2008 terminal servers; we have been advised that this is primarily due to the fact that our domain controller is running at the Windows 2000 Mixed functional level.

Can anyone confirm that this could cause various issues?

We are unsure and feel this might be a bit of a 'get out of jail' for our external support company; we have asked them to log a call with Microsoft, but they are hesitant to do this.

Thanks

User locked in background while working - event 529


We have a serious problem with a user that is locked out "in the background" during work, which means:

The user is logged on to the domain controller. She has some network drives that are mapped by the login script (as all the other users do), and she has a personal mapped drive that requires a username/password for a specific share (as do about 10 other users!).

During the day, I can see 5 unsuccessful logins within 3-5 seconds, which have Logon Type 7 (usually a login after the screensaver or similar).

But the user was just working; she didn't have any screensaver launched, and she wasn't away. We can exclude any other person trying to log on to her computer.

It's a failure audit, source Security, with event ID 529:

Logon Failure:
 	Reason:			Unknown user name or bad password
 	User Name:		<her name>
 	Domain:			<our domain>
 	Logon Type:		7
 	Logon Process:		User32
 	Authentication Package:	Negotiate
 	Workstation Name:	<her ws>

After that, she gets 3 log entries, event ID 539, user locked out.

It's invisible to her; she can continue working, but when she tries to access the share, she has no access (as she got locked out).

The computer runs Win XP SP3; the DC is Win 2008 R2. As some people have exactly the same config as she has, it's very strange, and I don't know where to continue searching...

I've read like half the internet about lockout problems, but the solutions were not appropriate for our problem. What could cause this problem?

BTW: the GPO is set to 5 tries before lockout, and it can NOT be changed to a higher number (some site suggested that, because of network information that has been lost...). Or is this the only reason? Is Windows trying to connect several times to the network share?

What I did is that she has disconnected the mapped drive and now uses the direct network path while I'm looking for an answer, so I can monitor whether the event occurs again.


Clients authenticating to wrong Domain Controllers


In our domain we have 28 sites, and each site has its own domain controllers; we also have one data center where we have 3 DCs.

Domain Controllers run DNS role as well and DNS replication is active directory integrated.

For all clients, the local DC is configured as primary DNS and the data center DCs are configured as secondary DNS.

The problem is that most of the time client machines are not getting authentication from the local domain controller; most of the time authentication happens from another location's domain controller or the data center DCs.

I have done the below troubleshooting steps:

DNS - verified in DHCP and ensured that the local domain controller (DNS) server is configured as primary DNS server and the data center DCs as secondary

SRV Records- verified and looks fine

Subnets - verified and found they are configured according to the sites in AD

I can confirm the information in SRV records and AD subnet information is accurate.

Please help me resolve the issue.


Mahesh

1153 errors after performing the Server 2012 schema update on a 2008 domain


Hi folks,

I wasn't sure whether to post this here or in 2012 setup, but I'll try here first I guess.

I just updated our 2008 (non-R2) + Exchange 2010 schema to 2012 last night by running adprep /forestprep and adprep /domainprep from \support\adprep on the 2012 DVD. All seemed to go well, and adprep exited with an 'operation completed successfully' message for both.

However, when I checked in the Directory Service logs on the 2008 Schema Master DC from which I ran adprep, I found the following two 1153 errors, although there were another couple hundred or so successes. Do I need to be worried about this? Thanks for any help,

ianc

 

----------------------------------------------------------------------

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          10/25/2012 6:37:39 PM
Event ID:      1153
Task Category: DS Schema
Level:         Warning
Keywords:      Classic
User:          mycompany\myuser
Computer:      REDWOOD.mycompany.org
Description:
Internal event: The following schema class has a superclass that is not valid. 

Class identifier:
655632 
Class name:
msDS-ClaimType 
Superclass identifier:
655629 

Inheritance was ignored.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">1153</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>24</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2012-10-26T01:37:39.436Z" />
    <EventRecordID>10514</EventRecordID>
    <Correlation />
    <Execution ProcessID="736" ThreadID="4700" />
    <Channel>Directory Service</Channel>
    <Computer>REDWOOD.mycompany.org</Computer>
    <Security UserID="S-1-5-21-776561741-1580436667-1708537768-3871" />
  </System>
  <EventData>
    <Data>655632</Data>
    <Data>msDS-ClaimType</Data>
    <Data>655629</Data>
  </EventData>
</Event>

----------------------------------------------------------------

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          10/25/2012 6:37:38 PM
Event ID:      1153
Task Category: DS Schema
Level:         Warning
Keywords:      Classic
User:          mycompany\myuser
Computer:      REDWOOD.mycompany.org
Description:
Internal event: The following schema class has a superclass that is not valid. 

Class identifier:
655633 
Class name:
msDS-ResourceProperty 
Superclass identifier:
655629 

Inheritance was ignored.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">1153</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>24</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2012-10-26T01:37:38.968Z" />
    <EventRecordID>10513</EventRecordID>
    <Correlation />
    <Execution ProcessID="736" ThreadID="5752" />
    <Channel>Directory Service</Channel>
    <Computer>REDWOOD.mycompany.org</Computer>
    <Security UserID="S-1-5-21-776561741-1580436667-1708537768-3871" />
  </System>
  <EventData>
    <Data>655633</Data>
    <Data>msDS-ResourceProperty</Data>
    <Data>655629</Data>
  </EventData>
</Event>


ADFS in multi-domain forest


When installing ADFS I didn't see any option to link it to any particular domain. The only choices I saw were "Active Directory", "LDAP", and "SQL" for the attribute store.

Windows 2008 R2 x64 with ADFS 2.0 on a multi-domain forest.  ADFS server is joined to the chosen domain and the service account is in that chosen domain.

I finished the install and it's currently working, but how do I ensure that it will only work with one child domain in my forest and not other child domains or other trusted external forests?

Active Directory Web Services Service will not start


The Active Directory Web Services service will not start on a 2008 R2 server with Exchange 2010.

System specs:
Dell PowerEdge T310
Dual Xeon 2.67 GHz X3450
24 GB DDR3 RAM
PERC H700 / 1 GB BBWC, 8 disks / 3 volumes
Server 2008 R2 SP1 Rollup 3
Exchange 2010 SP1 Rollup 7

Server has been in production since Jan. 2012 with no issues.

When attempting to start the service manually, I am presented with the error "Windows could not start the Active Directory Web Services service on Local Computer.  Error:1053: The service did not respond to the start or control request in a timely fashion."

Upon inspection of the error log, I see the following errors after a start attempt:

System:
EventID 7009
A timeout was reached (90000 milliseconds) while waiting for the Active Directory Web Services service to connect.

EventID 7000
The Active Directory Web Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

There are no log entries in the Application log, and there hasn't been an entry in the Active Directory Web Services log since the end of last month. The last entry is:

EventID 1004
Active Directory Web Services has successfully started and is now accepting requests.

As far as I can tell by looking at the logs and checking AD and Replication, DNS, DFS, and everything else, all systems seem to be working except for ADWS.

I have done the following (in addition to hours of searching and research):

I added “<add key="DebugLevel" Value="Info" />” and “<add key="DebugLogFile" value="C:\ADWSLog\Adws_trace_log.txt" />” to the Microsoft.ActiveDirectory.WebServices.exe.config to enable logging, but the service doesn’t seem to be logging anything.

I have copied the “Microsoft.ActiveDirectory.WebServices.exe” file from another working server.

I have export/imported registry keys from a working server.

I attempted to re-register the ADWS DLLs.

I have uninstalled/reinstalled hotfixes installed immediately prior to the point when the service stopped.

After that I installed all current updates to the system.

I am at a loss here; I have no idea what else to try. I'm looking for any help or suggestions.

Thanks.

Enable DNS Scavenging

I tried to enable DNS scavenging on a zone, but after it removed some required records we had to disable it. Is there an easy way to show all the records that will be removed by enabling scavenging?
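One way to preview exactly which records a scavenging pass would delete, added here as an example and not taken from the post: it assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT) and uses a placeholder zone and server. Scavenging removes only timestamped records whose timestamp is older than the zone's no-refresh plus refresh interval; static records carry no timestamp and are never touched, which is how required records are protected.

```powershell
# Added example (not from the post). Placeholders: zone name and DNS server.
Import-Module DnsServer

$zone   = 'domain.local'   # assumed zone name
$server = 'localhost'      # DNS server hosting the zone

# Zone aging settings: NoRefreshInterval and RefreshInterval are TimeSpans.
$aging  = Get-DnsServerZoneAging -Name $zone -ComputerName $server
$window = $aging.NoRefreshInterval + $aging.RefreshInterval
$cutoff = (Get-Date).Subtract($window)

Write-Host ("Zone {0}: aging enabled = {1}, records stamped before {2} are eligible" -f
    $zone, $aging.AgingEnabled, $cutoff)

# Records with no Timestamp are static and exempt; the rest are eligible once
# their timestamp falls before now - (NoRefresh + Refresh).
$eligible = Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $server |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, RecordType,
        @{ n = 'Data';      e = { ($_.RecordData.PSObject.Properties.Value | ForEach-Object { "$_" }) -join ' ' } },
        Timestamp,
        @{ n = 'AgeDays';   e = { [int]((Get-Date) - $_.Timestamp).TotalDays } } |
    Sort-Object Timestamp

# Review the list (and keep a copy) before re-enabling scavenging on the zone.
$eligible | Export-Csv -Path .\scavenge-preview.csv -NoTypeInformation
$eligible | Format-Table -AutoSize
```

Any record on the list that must survive should be converted to a static record (or re-registered by its owner) before scavenging is switched back on.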

Workstation Authentication Certificate on a Domain Controller


Hello.

I've noticed that there is an expired certificate in the Certificates (Local Computer)/Personal/Certificates container on all of the Windows 2008 domain controllers at my organization. The expired certificate is a Client Authentication certificate that is derived from our "Workstation Authentication" template. There is also a Client Authentication certificate derived from the "Domain Controller Authentication" template that is up to date. We do have auto-enrollment enabled, which should automatically renew expiring certificates using our Microsoft PKI.

I looked on my Windows 2003 domain controllers and they don't have the "Workstation Authentication" certificate at all, just the Domain Controller Authentication certificate.

My thinking is that the expired Workstation Authentication certificate is a relic from before the domain controller was promoted to a DC. After it was promoted, the Workstation Authentication certificate was no longer required and therefore doesn't get renewed. Is this correct? If so, can I just delete the expired certificate off of my domain controllers?

Even with the expired certificate everything appears to be working, however my event logs are full of warnings about the expired cert.

My DCs are Windows 2008 SP2.  The PKI is Windows 2008 R2 SP1.

Any help would be appreciated.

Craig.

Domain Admins 'member of' is getting removed automatically?


Hi guys,

I am facing a very strange issue here.

In my 2003 domain environment, many service accounts and IT SPOCs are part of the Domain Admins group.

And Domain Admins is a member of the "Builtin - Administrators" group. The issue is that the Administrators group is automatically getting removed from the 'member of' of Domain Admins...

Please help: how do I track this, and find out why it's getting removed?

Regards, DR
