Channel: Directory Services Forum

Site not using local domain controller


Hello,

I could use a little help with a slight problem. I have 6 Server 2003 domain controllers and sites set up. Five of the sites are using the local controller to process the logon requests. I have one site where, when a user logs on, it bounces to any other domain controller except for the local domain controller. This is also the PDC and a GC. I double-checked all entries in DNS and all appear to be correct.

Any ideas of diagnostics, logs or other settings that I can check to get this resolved?

Thanks in advance for any input.
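The DC locator picks a DC in two steps that this symptom can break at: the client's IP must fall in a subnet that AD Sites and Services maps to a site, and the local DC must have registered its site-specific SRV records (`_ldap._tcp.<site>._sites.dc._msdcs.<domain>` and the matching `_kerberos` record); if either is missing, the client falls back to the domain-wide records and lands on any DC. The added example below is not from the original post; it models both checks over constructed data (the domain `corp.example`, sites `HQ` and `Branch-A`, hosts `dc1`..`dc3`, and the subnet and SRV tables are all assumptions standing in for a zone export and the Sites and Services subnet list).

```python
import ipaddress

DOMAIN = "corp.example"  # assumed forest/domain DNS name (constructed)

# Constructed sample: subnet -> site mapping as defined in AD Sites and Services.
# 10.3.0.0/24 is deliberately absent, so a client there resolves to no site.
SUBNETS = {
    "10.1.0.0/24": "HQ",
    "10.2.0.0/24": "Branch-A",
}

# Constructed sample: the site each DC's server object sits in.
DC_SITES = {
    "dc1.corp.example": "HQ",
    "dc2.corp.example": "Branch-A",
    "dc3.corp.example": "HQ",
}

# Constructed sample of the _msdcs SRV records (name -> set of target hosts),
# standing in for a zone export. dc2 registered its Kerberos record for
# Branch-A but not its LDAP record, so site-specific locator queries miss it.
SRV_RECORDS = {
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": set(DC_SITES),
    f"_kerberos._tcp.dc._msdcs.{DOMAIN}": set(DC_SITES),
    f"_ldap._tcp.HQ._sites.dc._msdcs.{DOMAIN}": {"dc1.corp.example", "dc3.corp.example"},
    f"_kerberos._tcp.HQ._sites.dc._msdcs.{DOMAIN}": {"dc1.corp.example", "dc3.corp.example"},
    f"_kerberos._tcp.Branch-A._sites.dc._msdcs.{DOMAIN}": {"dc2.corp.example"},
}


def site_for_client(ip, subnets=SUBNETS):
    """Longest-prefix match of the client address against the site subnets."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def site_record_names(site, domain=DOMAIN):
    """Site-specific SRV names a DC must register for the locator to prefer it."""
    return [
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
    ]


def audit_site(site, dc_sites=DC_SITES, srv=SRV_RECORDS, domain=DOMAIN):
    """Return (dc, record_name) pairs for DCs of `site` missing a site-specific record."""
    missing = []
    for dc, dc_site in sorted(dc_sites.items()):
        if dc_site != site:
            continue
        for name in site_record_names(site, domain):
            if dc not in srv.get(name, set()):
                missing.append((dc, name))
    return missing


def diagnose_client(ip):
    """Explain why a client at `ip` may be served by a DC outside its own site."""
    site = site_for_client(ip)
    if site is None:
        return {"site": None, "missing": [],
                "verdict": "subnet not mapped to a site; locator falls back to domain-wide records"}
    missing = audit_site(site)
    verdict = ("local DC lacks site-specific SRV records; locator falls back to domain-wide records"
               if missing else "site mapping and SRV records look complete")
    return {"site": site, "missing": missing, "verdict": verdict}


if __name__ == "__main__":
    for client in ("10.1.0.20", "10.2.0.20", "10.3.0.20"):
        print(client, diagnose_client(client))
```

On a real client the same two facts come from `nltest /dsgetsite` (which site the client believes it is in) and `nltest /dsgetdc:<domain> /site:<site>` (which DC the locator returns for that site); the tables above are the offline stand-in for those answers.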


DCs on VMs and HyperV Host as Members


Hi,

I have got two physical servers which will be running Windows 2008 R2 Hyper-V, and I will be hosting one VM on each host.

VM1 on Host1 - The VM1 will be configured as Main Domain Controller 

VM2 on Host2 - The VM2 will be configured as Additional Domain Controller

So once I have the domain and domain controllers ready, I want to join the Hyper-V hosts to the same domain; eventually Host1 and Host2 will also be part of the same domain that is created on the VMs.

Is this setup acceptable and supported? Please suggest.

Note: I will surely disable time sync on the VMs with the host machines.

Regards,

Maqsood


Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

Windows 2008 R2 Active Directory User can not change their password

Our AD domain already has two domain controllers running Windows 2008 (not R2); last week we added one more domain controller running Windows 2008 R2, for which we ran domainprep and forestprep. Since then, no users in this domain can change their password by pressing Ctrl+Alt+Del > Change password. Administrators can still reset the password, and if the administrator sets the change-password-at-next-logon option, it works: users can reset the password. But after logging in they cannot.

The error says the new password does not meet the length, complexity or history requirements. We are sure there is no Group Policy setting a password/account policy. We even tried to attach a simple domain-level password policy without complexity.

Please provide feedback; waiting for your response.

Thanks

(Windows2008) adprep32 forest Error, Please Help


My AD has only one DC, which is running Windows 2K3 STD SP2. I want to add a Windows 2K8 R2 DC.
But there is an error when I use "adprep32 /forest" on the 2K3 server.
 
Here is some information about my error:

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.


C
Adprep was unable to check the forest update status.
[Status/Consequence]
Adprep queries the directory to see if the forest has already been prepared. If the information is unavailable or unknown, Adprep proceeds without attempting this operation.
[User Action]
Restart Adprep and check the ADPrep.log file. Verify in the log file that this forest has already been successfully prepared.

Adprep encountered an LDAP error.
Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea'
.

When I ran <dcdiag /V>, I got this message:


Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine

   HKEAAD02, is a DC.
   * Connecting to directory service on server HKEAAD02.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
  
   Testing server: Default-First-Site-Name\HKEAAD02
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... HKEAAD02 passed test Connectivity

Doing primary tests
  
   Testing server: Default-First-Site-Name\HKEAAD02
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=hkea
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=hkea
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=hkea
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
         * Replication Site Latency Check
         ......................... HKEAAD02 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC HKEAAD02.
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=hkea
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=hkea
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=hkea
            (Domain,Version 2)
         ......................... HKEAAD02 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\HKEAAD02\netlogon
         Verified share \\HKEAAD02\sysvol
         ......................... HKEAAD02 passed test NetLogons
      Starting test: Advertising
         The DC HKEAAD02 is advertising itself as a DC and having a DS.
         The DC HKEAAD02 is advertising as an LDAP server
         The DC HKEAAD02 is advertising as having a writeable directory
         The DC HKEAAD02 is advertising as a Key Distribution Center
         The DC HKEAAD02 is advertising as a time server
         The DS HKEAAD02 is advertising as a GC.
         ......................... HKEAAD02 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings\0ADEL:d80d9383-1dc1-4bca-b58f-edc341d55522,CN=engineering\0ADEL:9a8ad145-5479-44c6-ba55-80af38884404,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea
         Warning: CN=NTDS Settings\0ADEL:d80d9383-1dc1-4bca-b58f-edc341d55522,CN=engineering\0ADEL:9a8ad145-5479-44c6-ba55-80af38884404,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea is the Schema Owner, but is deleted.
         Role Domain Owner = CN=NTDS Settings,CN=HKEAAD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea
         Role PDC Owner = CN=NTDS Settings,CN=HKEAAD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea
         Role Rid Owner = CN=NTDS Settings,CN=HKEAAD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=HKEAAD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea
         ......................... HKEAAD02 failed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 6606 to 1073741823
         * HKEAAD02.hkea is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 6106 to 6605
         * rIDPreviousAllocationPool is 6106 to 6605
         * rIDNextRID: 6114
         ......................... HKEAAD02 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC HKEAAD02 on DC HKEAAD02.
         * SPN found :LDAP/HKEAAD02.hkea/hkea
         * SPN found :LDAP/HKEAAD02.hkea
         * SPN found :LDAP/HKEAAD02
         * SPN found :LDAP/HKEAAD02.hkea/HKEA
         * SPN found :LDAP/507a6c35-4f60-4691-a7a0-e63da0e93946._msdcs.hkea
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/507a6c35-4f60-4691-a7a0-e63da0e93946/hkea
         * SPN found :HOST/HKEAAD02.hkea/hkea
         * SPN found :HOST/HKEAAD02.hkea
         * SPN found :HOST/HKEAAD02
         * SPN found :HOST/HKEAAD02.hkea/HKEA
         * SPN found :GC/HKEAAD02.hkea/hkea
         ......................... HKEAAD02 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... HKEAAD02 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         HKEAAD02 is in domain DC=hkea
         Checking for CN=HKEAAD02,OU=Domain Controllers,DC=hkea in domain DC=hkea on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=HKEAAD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea in domain CN=Configuration,DC=hkea on 1 servers
            Object is up-to-date on all servers.
         ......................... HKEAAD02 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service

         SYSVOL ready test
         File Replication Service's SYSVOL

         is ready
         ......................... HKEAAD02 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service

         Event log test
         ......................... HKEAAD02 passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... HKEAAD02 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... HKEAAD02 passed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference

         (serverReference)

         CN=HKEAAD02,OU=Domain Controllers,DC=hkea

         and backlink on

         CN=HKEAAD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea

         are correct.
         The system object reference

         (frsComputerReferenceBL)

         CN=HKEAAD02,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=hkea

         and backlink on

         CN=HKEAAD02,OU=Domain Controllers,DC=hkea

         are correct.
         The system object reference

         (serverReferenceBL)

         CN=HKEAAD02,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=hkea

         and backlink on

         CN=NTDS Settings,CN=HKEAAD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea

         are correct.
         ......................... HKEAAD02 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
  
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
  
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
  
   Running partition tests on : hkea
      Starting test: CrossRefValidation
         ......................... hkea passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... hkea passed test CheckSDRefDom
  
   Running enterprise tests on : hkea
      Starting test: Intersite
         Skipping site

         Default-First-Site-Name, this site

         is outside the scope provided by

         the command line arguments

         provided.
         Skipping site HKEASITE01, this

         site is outside the scope provided

         by the command line arguments

         provided.
         ......................... hkea passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\HKEAAD02.hkea
         Locator Flags: 0xe00003fd
         PDC Name: \\HKEAAD02.hkea
         Locator Flags: 0xe00003fd
         Time Server Name: \\HKEAAD02.hkea
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\HKEAAD02.hkea
         Locator Flags: 0xe00003fd
         KDC Name: \\HKEAAD02.hkea
         Locator Flags: 0xe00003fd
         ......................... hkea passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
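
The KnowsOfRoleHolders failure above is the part of this output worth reading closely: the Schema Owner reference points at an NTDS Settings object whose RDN carries the `\0ADEL:<GUID>` suffix, which is how Active Directory renames an object when it is deleted (moved to the Deleted Objects container as a tombstone). The schema master FSMO therefore points at a DC named "engineering" that no longer exists, and since adprep /forestprep has to contact the schema master, that lines up with "Adprep was unable to check the forest update status" and the NO_OBJECT error. FsmoCheck further down does not cover the schema master (it lists GC, PDC, time server and KDC), so this section is the only place it shows. The usual remedy is to seize the role onto a live DC and clean up the stale server's metadata. The following is an added example, not part of the post or of dcdiag: it parses the role lines of a KnowsOfRoleHolders section (the sample is the post's own lines, with the warning line dropped) and flags any owner that is a tombstone.

```python
import re

# Sample modelled on the KnowsOfRoleHolders section of the dcdiag /v output
# quoted in the post (raw string so the \0ADEL tag stays literal).
SAMPLE = r"""
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings\0ADEL:d80d9383-1dc1-4bca-b58f-edc341d55522,CN=engineering\0ADEL:9a8ad145-5479-44c6-ba55-80af38884404,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea
         Role Domain Owner = CN=NTDS Settings,CN=HKEAAD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea
         Role PDC Owner = CN=NTDS Settings,CN=HKEAAD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea
         Role Rid Owner = CN=NTDS Settings,CN=HKEAAD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=HKEAAD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hkea
         ......................... HKEAAD02 failed test KnowsOfRoleHolders
"""

ROLE_RE = re.compile(r"^\s*Role (?P<role>[A-Za-z ]+?) Owner = (?P<dn>CN=.+?)\s*$")
DELETED_TAG = "\\0ADEL:"  # RDN mangling AD applies to tombstoned (deleted) objects


def split_dn(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    return re.split(r"(?<!\\),", dn)


def parse_role_holders(text):
    """Map each FSMO role named in the dcdiag output to the DN of its owner."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_RE.match(line)
        if m:
            roles[m.group("role")] = m.group("dn")
    return roles


def describe_holder(dn):
    """Pull server and site out of an NTDS Settings DN and flag tombstones."""
    parts = split_dn(dn)
    # Expected shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    server = parts[1].split("=", 1)[1]
    site = parts[3].split("=", 1)[1]
    deleted = DELETED_TAG in dn
    if deleted:
        server = server.split(DELETED_TAG)[0]  # original name before the tombstone suffix
    return {"server": server, "site": site, "deleted": deleted}


def audit_role_holders(text):
    """Return {role: {server, site, deleted}} for every role line found."""
    return {role: describe_holder(dn) for role, dn in parse_role_holders(text).items()}


def deleted_roles(text):
    """Roles whose owner reference points at a deleted object (what adprep trips over)."""
    return sorted(role for role, info in audit_role_holders(text).items() if info["deleted"])


if __name__ == "__main__":
    for role, info in audit_role_holders(SAMPLE).items():
        flag = "DELETED OWNER" if info["deleted"] else "ok"
        print(f"{role:<22} {info['server']:<12} {info['site']:<24} {flag}")
```

Run against this sample it reports the Schema role as held by the deleted server "engineering" and the other four roles as held by HKEAAD02; the same parser works on a saved `dcdiag /v` transcript from any DC.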

Domain Admin Account Lockout Issue - Authentication

First, I've tried all the normal checks: services, updates, misc. mapped drives and so forth. I ran the MS lockout tools as well as Netwrix Account Lockout tracer, but this one has me stuck. I have a Domain Admin account used for various tasks that is failing authentication every minute exactly, until the fifth time, when it locks for 15 minutes due to how the GPO is set. I know it's on the one DC, but I can't find it and it doesn't make sense. I shut down anything related to services and tasks or mapped drives. I have two DCs, so I shut down the one I thought has the issue, and the issue does go away: the account stays active with that DC off, so I believe that is the one with the issue. Below is the event I see continually, with only the Source Port changing, and then the 264 event for locked out on the fifth try (I changed the account, domain and IP here for security). The user ID and password are correct, as I use them for other things and can log into the DC with them if unlocked. I've read other threads here on TechNet, but haven't found any that show the issue being on a DC.

An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: MODC01$
Account Domain: MYDOMAIN
Logon ID: 0x3e7

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: MYADMIN
Account Domain: MYDOMAIN

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Process Information:
Caller Process ID: 0x1e4
Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
Workstation Name: MYDC01
Source Network Address: 192.168.1.1
Source Port: 1027

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Any help would be appreciated here... Thanks, Mark
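A few fields in a 4625 like the one above carry most of the signal: Sub Status 0xc000006a is the bad-password code (Status 0xc000006d is the generic logon failure wrapper), Workstation Name and Caller Process Name identify the host and process that submitted the credential, and a failure arriving every minute on the dot is the signature of an automated caller (a service, scheduled task or stored credential) rather than a person retyping a password. The block below is an added example, not from Mark's post or from any tool he names; it parses 4625 message bodies and groups the failures per target account to show cadence, origin and the lockout threshold. The timestamps and the changing source ports are constructed sample data built from the event text in the post.

```python
import re
from datetime import datetime, timedelta

# Well-known NTSTATUS sub-status values reported in event 4625.
SUB_STATUS = {
    "0xc000006a": "bad password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
    "0xc0000071": "password expired",
    "0xc0000193": "account expired",
}

# Constructed 4625 body modelled on the event quoted in the post; only the
# source port varies between occurrences, as the post describes.
BODY = r"""An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: MODC01$
Account Domain: MYDOMAIN

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: MYADMIN
Account Domain: MYDOMAIN

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Process Information:
Caller Process ID: 0x1e4
Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
Workstation Name: MYDC01
Source Network Address: 192.168.1.1
Source Port: {port}

Detailed Authentication Information:
Logon Process: Advapi
"""

# Constructed timestamps: one failure per minute, as the post describes.
T0 = datetime(2013, 1, 8, 9, 0, 0)
SAMPLE_EVENTS = [(T0 + timedelta(minutes=i), BODY.format(port=p))
                 for i, p in enumerate((1027, 1031, 1035, 1040, 1044))]

FIELDS = {
    "target": r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)",
    "sub_status": r"Sub Status:\s*(0x[0-9a-fA-F]+)",
    "workstation": r"Workstation Name:\s*(\S+)",
    "source_ip": r"Source Network Address:\s*(\S+)",
    "source_port": r"Source Port:\s*(\d+)",
    "caller": r"Caller Process Name:\s*(\S+)",
    "logon_process": r"Logon Process:\s*(\S+)",
}


def parse_4625(body):
    """Extract the fields that locate the origin of one failed logon."""
    ev = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, body, re.S)
        ev[key] = m.group(1) if m else None
    ev["reason"] = SUB_STATUS.get((ev["sub_status"] or "").lower(), "unknown sub status")
    return ev


def lockout_analysis(events, threshold=5, window=timedelta(minutes=30)):
    """Group failures by target account; report count, cadence and origin.

    A near-constant interval between failures points at an automated caller
    rather than a human typing; origins tell you which host to look on.
    """
    by_account = {}
    for ts, body in events:
        ev = parse_4625(body)
        by_account.setdefault(ev["target"], []).append((ts, ev))
    report = {}
    for account, items in by_account.items():
        items.sort(key=lambda item: item[0])
        times = [ts for ts, _ in items]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        steady = len(gaps) >= 2 and max(gaps) - min(gaps) <= 2
        recent = [ev for ts, ev in items if times[-1] - ts <= window]
        report[account] = {
            "failures_in_window": len(recent),
            "reaches_threshold": len(recent) >= threshold,
            "interval_s": round(sum(gaps) / len(gaps)) if steady else None,
            "origins": sorted({(ev["workstation"], ev["caller"], ev["logon_process"]) for ev in recent}),
            "reasons": sorted({ev["reason"] for ev in recent}),
        }
    return report


if __name__ == "__main__":
    for account, info in lockout_analysis(SAMPLE_EVENTS).items():
        print(account, info)
```

For the sample this yields five bad-password failures for MYADMIN at a 60-second interval, all submitted from MYDC01 by lsass.exe via the Advapi logon process, which is the same conclusion the post reaches by shutting one DC down: the stale credential is being presented on that DC, not from a client.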

server not working with the workstation


Hi

I'm using Windows Server 2008. I want to log on to one of the workstations on my network, but it is reading:

"The trust relationship between this workstation and the primary domain failed". How can I resolve this problem as the administrator? Thanks.

DNS events on child domain Win 2003 R2 DC: 4015, 4514, 4514


Greetings everyone.

I have created a child domain in the AD forest with two domain controllers (both Windows 2003 R2). After that I tried to configure an additional DNS server on the second DC. Now I should say that the first DNS server on the first DC works fine, but the second one doesn't. In the DNS console both the Forward and Reverse Lookup Zones are empty, and I have a 4015 error event accompanied by 4513 and 4514 events (messages are attached below).

As it has been said here, I have found and deleted one duplicate zone record using ADSIEdit (the duplicated zone was stored in the Default Naming Context). Now all DNS zones are stored in the appropriate AD partitions - the domain-wide zone in DC=DomainDNSZones,DC=child,DC=domain,DC=com, and the forest-wide zone in DC=ForestDNSZones,DC=domain,DC=com - and no duplicate zones have been found (the Default Naming Context partition contains only Root Hints now). All DNS servers were restarted and replication was forced, but no luck - the errors are still present and the zones are empty in the DNS console.

So, as 4514 and 4515 say, I tried to put my second DC into the appropriate replication scope. This topic should help me. But after

Add NC Replica DC=DomainDNSZones,DC=child,DC=domain,DC=com dc2.child.domain.com

I have got an error:

LDAP error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)

I tried to google it, but no luck. So, I need help. Please.

Some additional information.

1. 4015 Error message

Event Type:	Error
Event Source:	DNS
Event Category:	None
Event ID:	4015
Date:		26.12.2012
Time:		17:22:27
User:		N/A
Computer:	DC2
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020B5: AtrErr: DSID-03152395, #1:
	0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9067d (msDS-NC-Replica-Locations)". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 13 00 00 00               ....    

2. 4513 and 5414 error messages:

Event Type:	Information
Event Source:	DNS
Event Category:	None
Event ID:	4513
Date:		26.12.2012
Time:		17:22:27
User:		N/A
Computer:	DC2
Description:
The DNS server detected that it is not enlisted in the replication scope of the directory partition ForestDnsZones.domain.com. This prevents the zones that should be replicated to all DNS servers in the child.domain.com forest from replicating to this DNS server. 
To create or repair the forest-wide DNS directory partition, open the the DNS  console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. 
The error was 9002.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    
 
Event Type:	Information
Event Source:	DNS
Event Category:	None
Event ID:	4514
Date:		26.12.2012
Time:		17:22:26
User:		N/A
Computer:	DC2
Description:
The DNS server detected that it is not enlisted in the replication scope of the  directory partition DomainDnsZones.child.domain.com. This prevents the zones that should be replicated to all DNS servers in the domain.com domain from replicating to this DNS server. For information on how to add a DNS server to the replication scope of an application directory partition, please see Help and Support. 
To create or repair the domain-wide DNS directory partition, open the the DNS  console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. 
 The error was 9005.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00               -#..    

3. DC1 and DC2 ipconfigs:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc2
   Primary Dns Suffix  . . . . . . . : child.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : child.domain.com
                                       domain.com

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : HP Network Team #1
   Physical Address. . . . . . . . . : 00-14-C2-3D-B6-9A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.25.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.25.1
   DNS Servers . . . . . . . . . . . : 192.168.25.2
                                       192.168.25.3

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc1
   Primary Dns Suffix  . . . . . . . : child.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : child.domain.com
                                       domain.com

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : HP Network Team #1
   Physical Address. . . . . . . . . : 00-14-C2-3F-6C-E2
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.25.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.25.1
   DNS Servers . . . . . . . . . . . : 192.168.25.2
                                       192.168.25.3

4. dcdiag on DC2

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: spb\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity

Doing primary tests
   
   Testing server: spb\DC2
      Starting test: Replications
         ......................... DC2 passed test Replications
      Starting test: NCSecDesc
         ......................... DC2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC2 passed test NetLogons
      Starting test: Advertising
         ......................... DC2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DC2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DC2 passed test RidManager
      Starting test: MachineAccount
         ......................... DC2 passed test MachineAccount
      Starting test: Services
         ......................... DC2 passed test Services
      Starting test: ObjectsReplicated
         ......................... DC2 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DC2 passed test frssysvol
      Starting test: frsevent
         ......................... DC2 passed test frsevent
      Starting test: kccevent
         ......................... DC2 passed test kccevent
      Starting test: systemlog
         ......................... DC2 passed test systemlog
      Starting test: VerifyReferences
         ......................... DC2 passed test VerifyReferences
   
   Running partition tests on : spb
      Starting test: CrossRefValidation
         ......................... spb passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... spb passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running enterprise tests on : domain.com
      Starting test: Intersite
         ......................... domain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... domain.com passed test FsmoCheck


5. Some repadmin output:

repadmin /showreps
child\DC2
DC Options: (none)
Site Options: (none)
DC object GUID: fbb45f38-ee10-4bdd-bf27-18cc6b6f0995
DC invocationID: e62c67e1-1c6e-4bc8-9238-5307714ac4bb

==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:45:22 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:45:22 was successful.

DC=child,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:46:54 was successful.

6. And ntdsutil output:

ntdsutil: domain management
domain management: connections
server connections: connect to server dc2
Binding to dc2 ...
Connected to dc2 using credentials of locally logged on user.
server connections: q
domain management: list nc replicas DC=DomainDnsZones,DC=child,DC=domain,DC=com
The application directory partition DC=DomainDnsZones,DC=child,DC=domain,DC=com's Replicas are:
        CN=NTDS Settings,CN=dc1,CN=Servers,CN=child,CN=Sites,CN=Configuration,DC=domain,DC=com
domain management: add nc replica DC=DomainDnsZones,DC=child,DC=domain,DC=com dc2.child.domain.com
LDAP error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
)
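The ntdsutil session above shows the check (list nc replicas) and the remediation step (add nc replica) failing with INSUFF_ACCESS_RIGHTS. As an added example that is not part of the original post, the PowerShell below performs the same enlistment check with the RSAT ActiveDirectory module: it reads the crossRef objects under CN=Partitions in the Configuration partition and compares each DNS application partition's msDS-NC-Replica-Locations with the domain controllers of the owning domain, so a DC that runs DNS but is missing from the list stands out. It assumes the ActiveDirectory module is available where it runs and that the account can read the Configuration partition; domain names come from whatever the forest reports. Enlisting a replica writes to the crossRef object in the Configuration partition, which is typically why a child-domain administrator account is refused; the enlistment itself is left as a commented dnscmd step to run with Enterprise Admins credentials.

```powershell
# Added example, not from the original post: report which DCs are enlisted in each
# DNS application directory partition (DomainDnsZones / ForestDnsZones) of the forest.
# Assumes the RSAT ActiveDirectory module is available where this runs.
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$partitionsDn = "CN=Partitions,$($rootDse.configurationNamingContext)"

# Every naming context in the forest has a crossRef object under CN=Partitions.
# nCName is the partition DN; msDS-NC-Replica-Locations lists the NTDS Settings
# objects of the DCs that hold a replica. nCName is a DN-syntax attribute, so a
# wildcard LDAP filter on it is not allowed; filter client-side instead.
$dnsCrossRefs = Get-ADObject -SearchBase $partitionsDn -SearchScope OneLevel `
        -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, 'msDS-NC-Replica-Locations' |
    Where-Object { $_.nCName -match '^DC=(DomainDnsZones|ForestDnsZones),' }

# All DCs in the forest; NTDSSettingsObjectDN is what the replica list refers to.
$allDcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

foreach ($xr in $dnsCrossRefs) {
    $ncName   = $xr.nCName
    $enlisted = @($xr.'msDS-NC-Replica-Locations')

    # DomainDnsZones belongs to one domain; ForestDnsZones may sit on any DC in the forest.
    if ($ncName -like 'DC=ForestDnsZones,*') {
        $candidates = $allDcs
    } else {
        $domainNc   = $ncName -replace '^DC=DomainDnsZones,', ''
        $candidates = $allDcs | Where-Object { $_.DefaultPartition -eq $domainNc }
    }

    Write-Output ''
    Write-Output "Partition: $ncName"
    foreach ($dc in $candidates) {
        $status = if ($enlisted -contains $dc.NTDSSettingsObjectDN) { 'enlisted' } else { 'NOT enlisted' }
        Write-Output ("  {0,-35} {1}" -f $dc.HostName, $status)
    }
}

# To enlist a DNS server that is missing, run with Enterprise Admins credentials
# (the change is written to the crossRef object in the Configuration partition):
#   dnscmd <dcname> /EnlistDirectoryPartition DomainDnsZones.<domain fqdn>
```

A DC reported as NOT enlisted only matters if it actually runs the DNS Server service and hosts the AD-integrated zones; DCs without DNS are legitimately absent from the list.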


AD blocking users from outside Europe?


Hello,

I have a strange problem. At least to me but hopefully someone has a solution:

This is the situation.

I have a virtual server configured with Windows 2008 R2 and AD (Active Directory).
I have WMS installed and a publishing point which uses the AD to verify users for using streaming content.

In AD I made a group for streaming admins (with several accounts for several publishing points) and a group for users (viewers) with several accounts.

Everything is going well within my country (The Netherlands). Admins can create a stream from Expression Encoder with their accounts, and viewers are asked for login codes when they want to watch the stream. They log in with the provided credentials and voila. No problem.

The problem arises with foreign countries. My girlfriend in the US cannot open the stream. She can connect to the publishing point and she is asked to log in. The moment she uses the credentials I gave her, I see WMP trying to make a connection with the stream, but then it stops and comes up with an error:


"Windows Media Player cannot access the file. The file might be in use, you might not have access to the computer where the file is stored, or your proxy settings might not be correct."

The strange thing is that if i disable the authorization (WMS Publishing Points ACL Authorization) within WMS publishing point she IS able to watch the stream because there is no login screen.

The same thing happens to viewers from Curacao but not from Portugal.

Does someone have any idea how I can fix this problem? Is this an AD problem?

Thanks in advance


Is there a way to add multiple members at the same time to a distribution group in Active directory 2008 r2?


Our company is made up of 500+ employees within different OUs.

How would I go about adding them to a distribution group that I created? Can I only add them one by one, or is there a way to add them all at once?

I'm not looking for any kind of script, I just want plain old pick and click.

Thank you in advance. :)

UDP 389 LDAP did not respond ???


Hi All,

I've got three Windows 2008 domain controllers. Using portqry to test LDAP connectivity, they respond on TCP but not on UDP. The test is run on the domain controller itself, with no firewall. I restarted ADDS and retested UDP 389 with the same error.

The test returns the following results:

 Starting portqry.exe -n computerIP -e 389 -p UDP ...

Querying target system called:

computerIP

Attempting to resolve IP address to a name...

IP address resolved to computerIP

querying...

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port

Sending LDAP query to UDP port 389...

LDAP query to port 389 failed

Server did not respond to LDAP query

portqry.exe -n computerIP -e 389 -p UDP exits with return code 0x00000001.


isoft

User GPO to open home page in IE, "disabling all other options/possibilities"


Hi ppl,

I would like to create a new User GPO to open up Internet Explorer with a home page (say: google.com), disabling all other possible options. I have already figured out a way to set the home page by:

User Conf->Administrative Setting->Windows Components->Internet Explorer->Disable changing home page (Enabled)

But my problem is that the user is "able to access other web pages too" through the address bar. I would like to make the user access only the home page and not any other website/webpage. What can be the solution? Should I disable the address bar of IE? Even then the user will have access to other websites through links on the home page (google.com), isn't it?

Anand Kumar D

This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.

ADWS Event 1005


I have a Windows 2003 AD domain that I just installed ADWS in.  The install went well and after the server restart, ADWS starts up fine.  I get the normal events that it has started and that it is servicing the Directory instance: GC and Directory instance: LDAP.  Looks good at this point.  I try opening PowerShell and importing the AD module, which fails because it can't find a server running ADWS.

There is an event on all 4 of my domain controllers like the one below after startup.  Also get this event when stopping ADWS.

Event Type: Error
Event Source: ADWS
Event Category: ADWS Startup Events
Event ID: 1005
Date:  10/20/2012
Time:  11:42:17 AM
User:  N/A
Computer: SVD0DCHP01
Description:
Active Directory Web Services could not change its advertising state. The Netlogon service might not be running. Restart Netlogon and then restart Active Directory Web Services.

Account is Disabled attribute - Immediate replication (?)

Is the "Account is Disabled" attribute a part of the immediate replication attributes?  If not, can it be added?  How?

Trust relationship between workstation and domain failed

After seizing the FSMO roles, I am getting the error that the trust relationship between the workstation and the domain failed.

replication error


This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

 

Operations which require contacting a FSMO operation master will fail until this condition is corrected.


Zakaria Khan


Duplicate user ids in DC


Hi,

The DC environment is Windows 2008 R2 SP1 and Windows 2003 R2 SP2, a total of 10 DCs across multiple offices.

I recently noticed that in dsa.msc there appear to be duplicate user IDs:

sjones

sjonesrCNF:4bc902f5-64ab-4417-87b3-c8fc4bcd7616

I have the following questions:

I am interested in knowing how this happened and ways to troubleshoot this,

how to fix this error and

what needs to be implemented to avoid a repeat.

Which user ID was created first? I presume this user ID was originally created first: sjonesrCNF:4bc902f5-64ab-4417-87b3-c8fc4bcd7616. If I am incorrect, let me know. Can this ID be safely deleted from AD, and what tool and syntax are recommended to remove this object?

JOe
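As an added example that is not part of the original post: the PowerShell below, which assumes the RSAT ActiveDirectory module, finds replication conflict objects (their name is the original name followed by a line feed and CNF:&lt;GUID&gt;, which is what dsa.msc shows after the original name), pairs each with the surviving object of the same name in the same container, and reports both creation timestamps, so the question of which object was created first is answered from whenCreated rather than presumed. Removal is left as a commented step to run only after confirming which object is the one actually in use.

```powershell
# Added example, not from the original post: locate and compare AD replication
# conflict (CNF) objects. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# A conflict object's name is "<original name>" + LF (0x0A) + "CNF:<objectGUID>",
# hence the \0A escape in the LDAP filter.
$conflicts = Get-ADObject -LDAPFilter '(name=*\0ACNF:*)' `
    -Properties name, whenCreated, whenChanged, objectClass, sAMAccountName

foreach ($cnf in $conflicts) {
    $dn = $cnf.DistinguishedName
    # The RDN ends at the first comma after "CNF:" (a GUID contains none);
    # everything after that comma is the parent container.
    $parentDn     = $dn.Substring($dn.IndexOf(',', $dn.IndexOf('CNF:')) + 1)
    $originalName = $cnf.name.Split("`n")[0]

    # Escape characters with special meaning in an LDAP filter (RFC 4515).
    $escaped = $originalName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # The object that won the conflict keeps the original name in the same container.
    $survivor = Get-ADObject -SearchBase $parentDn -SearchScope OneLevel `
        -LDAPFilter "(name=$escaped)" -Properties whenCreated, whenChanged, sAMAccountName

    $older = if ($survivor -and $survivor.whenCreated -lt $cnf.whenCreated) { 'survivor' } else { 'conflict' }

    [pscustomobject]@{
        ConflictDN      = $dn
        ConflictCreated = $cnf.whenCreated
        ConflictSam     = $cnf.sAMAccountName
        SurvivorDN      = $survivor.DistinguishedName
        SurvivorCreated = $survivor.whenCreated
        SurvivorSam     = $survivor.sAMAccountName
        OlderObject     = $older
    }

    # After confirming which object is in use (logons, group memberships, mailbox),
    # remove the stale one. Left commented on purpose:
    # Remove-ADObject -Identity $dn -Confirm
}
```

Run it against a DC that has finished replicating, since a conflict that has not yet converged may show a different survivor on different DCs.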

Give user AD rights to change personal info


I want to give a user rights to change personal AD information.

(i have found a solution: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/5422b189-93af-406b-9a0e-b884fe12b960)

But is it also possible to start AD (through RSAT) so that the person only sees the folder of the users, and not all of the other OUs?

LDAP authentication from a Linux app to cover several AD domain ?


Hi,

We have an application running on a Unix server and we would like to use authentication against our several Active Directory domains (in the same forest).

The application is compatible with LDAP authentication. I wanted to use my AD domains to authenticate my users.

As I can specify only one LDAP server in the application, does it work if I specify a root DC as the LDAP server?

Will the root DC be able to pass the request on to its child DCs to authenticate the users?

If not, what is the solution for this kind of implementation, please?

Thank you

Mailing users of a security group


Hi ppl,

How should I mail the users of a security group? Is there a mail attribute which I can use?

Anand Kumar D

This posting is provided AS-IS with no warranties/guarantees and confers no rights.

Schannel. Event ID 36886, 36887.


Hi!
After installing ADCS I've got warnings on both domain controllers (Win 2008 R2):

Event ID :- 36886
Source :-   Schannel
Description :-
No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

I've noticed that the controllers have not received a certificate from the CA. When I requested a certificate manually, I got the following error:

Event ID :- 36887
Source :-   Schannel
The following fatal alert was received: 46.

When I removed the requested certificate, the error (ID 36887) was replaced by the warning (ID 36886).  Does someone have the same issue?
