Channel: Directory Services Forum

LDAP configuration


Dear All,

I configured LDAP for my Cisco VoIP phone; it's working fine and syncs with my ADS, there is no problem. My server is a Windows ADS server, Windows 2008 x64 SP1. I have a problem: when I changed my administrator password on my domain controller, I couldn't log in to my Cisco CCX administrator server. What is the link between my domain controller and my Cisco CCX administrator server?

Regards

Subash


The Active Directory Domain Services service on Local Computer started and then stopped.


Last day we installed the Symantec Endpoint Protection (SEP) client agent on the Primary Domain Controller on Windows Server 2012 and it crashed within a second. We have 4 other domain controllers on Windows Server 2003 R2 Std working fine, but as soon as we installed SEP on Windows Server 2012 it crashed. We uninstalled SEP with the help of the Symantec Technical Team, but the ADDS service still cannot start.

1) I am getting this error message on ADDS service startup.

---------------------------
Services
---------------------------
The Active Directory Domain Services service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.
---------------------------
OK   
---------------------------


2) Dcdiag output is also null


C:\Users\exadmin>dcdiag /v

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine Server02, is a Directory Server.
   ***Error: Server02 is not a Directory Server.  Must specify /s:<Directory
   Server> or  /n:<Naming Context> or nothing to use the local machine.
   ERROR: Could not find home server.


3) Sysvol and NETLOGON shared directory also missing. Directories are there in root folder but not shared.

4) Cannot start the services below because they depend on the Active Directory Domain Services service:

Ntfrs, NTDS, KDC, DNS and lsmServ


6) In Event Viewer I found these last error logs:

Source: ActiveDirectory_DomainService 

Event ID: 2092, 2087 and 1004

This is my primary domain controller and all 5 FSMO roles are hosted on this server. I was planning to seize the FSMO roles to another domain controller, but I am still hoping for a solution from TechNet. Please let me know how I can resolve this issue.


invalid credentials


Hi,

I have a problem connecting from an application which has active directory at the other end.

I can see the BIND request being sent out; actually I am looking at a pcap file at the packet level.

The BIND request does contain the userid and required password - or at least the userid and password by the AD admin.

What comes back is the BIND response, which says invalid credentials.

80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1.

What can I conclude from this?

Might the userid be incorrect? Or the password? Or could it be something else?

I ask this because the AD admin insists the userid/password is correct.

I should add that I am supposed to be logging in as an administrator.

Please, any suggestions as to next steps.

TIA

Tony
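As an added example, not part of Tony's post: a small Python helper that parses the AD bind diagnostic string quoted above and maps its `data` sub-code (the hex form of the Win32 logon error) to the documented meaning. The code table is the standard set of AD bind sub-codes; the sample strings are constructed.

```python
import re

# Sub-codes AD returns in the "data NNN" field of a failed simple bind.
# They are the hex form of the Win32 logon error; table is the documented set.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (account exists, password rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DIAG_RE = re.compile(
    r"(?P<ldap_err>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)


def decode_bind_error(diag: str) -> dict:
    """Parse the diagnostic message of a failed AD bind response.

    Returns the SSPI error, the DSID, the comment, the data sub-code,
    its decimal Win32 error number and a human-readable meaning.
    """
    m = _DIAG_RE.search(diag)
    if not m:
        raise ValueError(f"not an AD bind diagnostic string: {diag!r}")
    data = m.group("data").lower()
    return {
        "sspi_error": m.group("ldap_err").lower(),
        "dsid": m.group("dsid").upper(),
        "comment": m.group("comment").strip(),
        "data": data,
        "win32_error": int(data, 16),
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-code"),
    }


if __name__ == "__main__":
    # The exact string quoted in the post above.
    sample = ("80090308: LdapErr: DSID-0C0903A9, comment: "
              "AcceptSecurityContext error, data 52e, v1db1.")
    for key, value in decode_bind_error(sample).items():
        print(f"{key:12} {value}")
```

The sub-code is the part worth reading: the same AcceptSecurityContext message with 525, 533 or 775 points at the account name, a disabled account or a lockout rather than the password.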

Limiting Domain Account that has local admin Privileges


I am working with Server 2012 Active Directory.

I am going to be giving a non-admin domain account local admin privileges to a specific computer. I however do not want this admin to be able to tamper/change anything on other user accounts that reside on that local machine. Is there a way I can restrict this user so that they can only have admin privileges to make changes on only their own account?

Active Directory in a disaster recovery


We are a business that is still impacted by Hurricane Sandy. We have been displaced and operating at our co-lo site since the storm. It was just a site to hold our replicated backup appliance, but where there's a will there's a way.

The home office and network are still without power. We had one physical AD server which held all the roles (AD1) and one virtual, AD2. When tasked to recover the network and provide remote access to it, it was much easier to recover a virtual server (AD2) and promote it to all roles. The trouble is what was supposed to last only a month is now going to go on until July 2013.

So in short I will have 2 copies of my AD: one that was my production AD when the storm hit and one that we have recovered and have had issues with. Even though I recovered the day of the storm with my copy of AD2, the Active Directory it contained was somehow over 8 weeks old. Servers had to be rejoined to the domain and users that were added before weren't there. Security changes made in the prior 8 weeks had to be redone. Things seem to be stable now.

Here's the issue. What do I do when I go back to the office? Call what I'm working with now PRODUCTION and deal with any issues, or is there some way to "merge" the two ADs? If I go back to my "office AD", what happens to any user IDs I've created? Obviously AD won't have them but Exchange will. Will they be orphaned IDs I can attach to a new ID and retrieve the user's mail?

We will have been running for over 9 months in a "disaster mode". What will happen when AD1 gets powered up? Will Kerberos and certs be all messed up or will it just act like nothing happened?

Appreciate any thoughts/ideas one may have.

Tom McCarroll

Newbie Question. Joining domain Error 1355


First of all, I want to thank you all in advance for your patience and any assistance. I am not a corporate IT manager, nor do I work in the IT field anymore. I used to do software development years back and I'm looking to get back into the IT field, so I'm trying to teach myself admin and keep myself up to date on newer tech and practices. I plan on buying some books here in the near future, so I'm sure once I get the books, my answer will be forthcoming, but I was hoping to at least get things set up for now. I have some history in IPv4 and networking as well as system administration from the client side and very old experience from older server systems, never with domains.

My current set up is a test bench I'm working with to gain experience and understanding in my own personal home. I have multiple computers and have re-set-up an old PC and installed Windows Server 2012 Standard (GUI not core). Following online tutorials I got a clean installation; I have set up DHCP & DNS successfully and my other systems are currently utilizing the server for IP addressing and DNS resolution. I also installed the AD DS service and set up the domain and promoted the server to Domain Controller. I'm still new to the terms, but from what I understand, this is a new forest and currently the only computer in the domain is the server I just set up. In case needed, here are the system specs:

Server Specs:

  • ABIT AW9D-MAX Motherboard
  • Intel Core 2 Duo E6600 O/C @ 3GHZ
  • 4GB Memory
  • 2x256GB in raid 0 for primary OS hard drive
  • 4x500GB in raid 5 for data drive (1.5TB usable)
  • 1x3TB external for backup
  • Windows Server 2012 Standard in GUI mode
  • IPv4 static 192.168.0.99
  • Computer Name: Alderan
  • Domain: NewRepublic.local

I have enabled remote desktop and I'm able to ping "Alderan" with success from my main computer, and even remote desktop in to access from my main PC with no problems.  I can also map network drives that I have shared from various computers on the network.

The problem is this: I am now trying to join my primary computer to the domain. The computer is an "in use" and not freshly installed PC with the following:

  • Windows 8 Pro
  • Computer Name: Coruscant
  • Workgroup: Workgroup
  • Firewall: Comodo (no logs found showing denied access)
  • IP: DHCP set by Alderan (Reservation set address 192.168.0.100)
  • DNS: 192.168.0.99 (Assigned via DHCP from Alderan)

At first, when I go through the join domain procedure, I leave the name the same and update the domain to point to NEWREPUBLIC. Initially, when I select join, it asks me for the username/password and I enter the System Administrator username/password from the domain server. It then goes to the hourglass (or the blue circle, you know what I mean) for a few minutes and then pops up the error:

The following error occurred attempting to join the domain "NewRepublic":

The specified domain either does not exist or could not be contacted.

When I pull up the log files from my windows 8 PC, I find this error in the System Logs:

The machine CORUSCANT attempted to join the domain NewRepublic but failed. The error code was 1355.

I know I'm probably over my head at this point, but I would love to figure out this problem. I'm sure it's an obvious issue (well, for someone with domain experience.. lol). I've searched online for the last 2 days, and I find a lot of issues where it's an unattended installation, but obviously this is not my situation. This isn't the end of the world if I have to wait to buy my books, but I would greatly appreciate someone either helping out here or pointing me in the right direction. Any assistance would be much appreciated.

Roger

Computers in DMZ still authenticating on DC in internal network, rather than on RODC in DMZ


Hi

I have 2 networks:

  • 172.33.0.x : My internal network
  • 192.168.1.x : My DMZ network

I have a DC in the internal network for my domain, and a RODC in the DMZ for the same domain. A firewall exists between these two networks, allowing only the ports/traffic I specify.

When I add a computer in the DMZ and try to add it to the domain, it still tries to access my DC on the internal network, rather than the RODC in the DMZ. I've done the change as specified here (http://support.microsoft.com/kb/977510?wa=wsignin1.0), i.e. allowing the RODC to be discoverable. I am allowing the following ports between my RODC and DC:

Service           Source         Destination
Ephemeral ports   49152:65535    49152:65535
FRS RPC           1:65535        53248
Kerberos          1:65535        88
LDAP              1:65535        389
SMB               1:65535        445
NTP               1:65535        123
RPC Endpoint      1:65535        135

I have two Sites setup... DMZ and Internal. The RODC is part of the DMZ Site, and the DC is part of the Internal site.

If I run nltest /dsgetdc:mydomain.local on a computer in the DMZ, the RODC is returned.



DCPROMO Demote AD2003 while offline network


Hello,

Need some assistance please.

We had a site 2003 server running as an AD in an office that was closed. The server was already taken down when it was removed from the GC at the home office. Now it sits disconnected and I'd like to demote it using DCPROMO and repurpose it as a member of the domain. How should I do this without disrupting the current network? Do I need to have it connected to the domain prior to running DCPROMO?

Thank you,

M


Domain Controller Certificate renewal


I renewed a domain controller authentication certificate via the Certificates snap-in.

Are there any other steps for LDAP to use the new certificate when the old one expires?

Do any services need to be restarted, etc.?

need help to identify high level troubleshooting steps on Active directory federation services


Hello Experts,

I would like to get a better understanding of Active Directory Federation Services and how to troubleshoot complex issues that involve Windows 2008 R2 platforms.

Since I am a beginner on ADFS, please indicate all steps to troubleshoot ADFS issues. I have a company which has different partners and UAG, SharePoint, FIM, and so on.


Some external or federated users are unable to access our portal, and what is the correct procedure to isolate these issues? [UAG, FIM servers, AD, ADFS]

Please, in addition to MS websites, blogs, etc., make sure to highlight all steps to troubleshoot all ADFS related issues.

Thanks in advance


Franki

Duplicate user ids in DC


Hi,

DCs are Windows 2008 R2 SP1 and Windows 2003 R2 SP2 - a total of 10 DCs across multiple offices.

I recently noticed that in dsa.msc it appears that there are duplicate user IDs:

sjones

sjonesrCNF:4bc902f5-64ab-4417-87b3-c8fc4bcd7616

I have the following questions:

I am interested in knowing how this happened and ways to troubleshoot this,

how to fix this error, and

what needs to be implemented to avoid a repeat.

Which user ID was created first? I presume this user ID was originally created first: sjonesrCNF:4bc902f5-64ab-4417-87b3-c8fc4bcd7616. If I am incorrect let me know. Can this ID be safely deleted from AD, and what tool and syntax are recommended to remove this object?

Joe

replication error


This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

 

Operations which require contacting a FSMO operation master will fail until this condition is corrected.


Zakaria Khan

Install 2008 R2 into existing 2003 domain - without major upgrades or transferring roles


Everything I'm able to find about adding a new 2008 server into an existing 2003 AD talks about upgrading and cleanly transferring FSMO roles onto the newest OS in the domain/forest. I understand the schema may have to be extended, but is this a requirement?

I just want a local site DC/DNS server, without having to install Server 2003. An upgrade/replacement is due for the other DCs, but not on my timeline. That will be maybe Q2 or Q3... and I'm looking at this week for getting DC/DNS at this site.

My goal is to run DHCP/DNS/AD together, so our desktops at this site will have up-to-date DNS entries for everyone in the domain.  I'm trying to wean everyone (especially support personnel) off of IP addresses.

Particulars:

  • domain/forest functional levels are Windows Server 2003
  • each other site has 2 DCs @ 2003, and are OK handling the loads
  • my location is not data-center quality yet, so I don't want FSMO roles on a single server here
  • Exchange 2003 servers (upgrades t/k with Active Directory in Q?)
  • replication will happen over metro-area network (100Mbps)
  • coincides with LAN re-numbering, so need DHCP/DNS updates to be decently fast
  • second server at this site will be rolled out in the near future for DHCP redundancy (and AD/DNS)

To be clear, I am not a data center like other locations. So, I don't want roles transferred here, nor functionality negatively impacted if/when my single server goes down for any reason.

cannot delete object in ADSI edit


I'm a domain admin on Windows Server 2012 and I cannot delete any AD object in ADSI Edit.

The delete button is grayed out, any idea?


Serge Luca; SharePoint MVP ; blog: http://sergeluca.wordpress.com/ ICT7 http://twitter.com/sergeluca

Check for Kerberos ticket


Really simple question. How can I check that a certain user is using Kerberos authentication and not falling back to NTLM authentication?

Would it be as simple as getting the user to run klist on their local machine? Because klist will not show NTLM tickets, correct? It only shows Kerberos tickets?
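As an added example that is not part of the post: the package used for a logon is recorded in Windows Security event 4624 (EventData fields AuthenticationPackageName and, for NTLM, LmPackageName), so a short Python pass over those events shows per user whether logons were Kerberos or NTLM. The sample events below are constructed and flattened to key=value lines using the field names from the event's XML view.

```python
import re
from collections import defaultdict

# Constructed sample 4624/4634 events, flattened to key=value pairs with the
# EventData field names from the XML view of the event (not real log data).
SAMPLE_EVENTS = """
EventID=4624 TargetUserName=alice TargetDomainName=CORP LogonType=3 AuthenticationPackageName=Kerberos LmPackageName=- IpAddress=10.1.2.3 WorkstationName=-
EventID=4624 TargetUserName=bob TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM V2 IpAddress=10.1.2.4 WorkstationName=WS04
EventID=4624 TargetUserName=alice TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM V2 IpAddress=10.1.2.3 WorkstationName=WS03
EventID=4624 TargetUserName=svc_sql TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM V1 IpAddress=10.1.2.9 WorkstationName=APP01
EventID=4634 TargetUserName=bob TargetDomainName=CORP LogonType=3
"""

# key=value pairs; a value runs until the next " key=" or end of line, so
# multi-word values such as "NTLM V2" survive.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_event(line: str) -> dict:
    return dict(_KV_RE.findall(line.strip()))


def summarize_auth(lines) -> dict:
    """Per user: the set of authentication packages seen in 4624 events and
    the NTLM logons as (LM package, source IP, workstation) tuples.
    Interactive logons report "Negotiate" here and stay inconclusive."""
    summary = defaultdict(lambda: {"packages": set(), "ntlm_logons": []})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        pkg = ev.get("AuthenticationPackageName", "?")
        entry = summary[ev["TargetUserName"]]
        entry["packages"].add(pkg)
        if pkg == "NTLM":
            entry["ntlm_logons"].append(
                (ev.get("LmPackageName", "?"), ev.get("IpAddress"),
                 ev.get("WorkstationName")))
    return dict(summary)


def users_falling_back(summary: dict) -> list:
    """Users who used Kerberos at least once but also authenticated with NTLM."""
    return sorted(u for u, s in summary.items()
                  if {"Kerberos", "NTLM"} <= s["packages"])


def ntlmv1_logons(summary: dict) -> list:
    """(user, source IP) pairs for the weaker NTLM V1 logons."""
    return sorted((u, ip) for u, s in summary.items()
                  for lm, ip, _ws in s["ntlm_logons"] if lm == "NTLM V1")


if __name__ == "__main__":
    summary = summarize_auth(SAMPLE_EVENTS.splitlines())
    print("Kerberos users also seen on NTLM:", users_falling_back(summary))
    print("NTLM V1 logons:", ntlmv1_logons(summary))
```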


Authentication issues after DC save mode


I was told to post here from the Exchange 2010 forum.

We recently installed Exchange 2010 into a Windows virtualized 2008 TS environment which previously had no Exchange.
Everything was OK at first and then a situation arose where the DC went into Save mode during Windows 2008 Server backup and authentication problems began - users logged in at the time the DC Save state happened were asked to enter credentials and then rejected with correct credentials. Some managed to log back in after several attempts. Some did not. This problem is now widespread and random even though DC Save has not occurred again. Users are asked for name/password and some are rejected many times before getting in and others get in - and then the users who could get in can't the next day and vice versa. And as well, some time in the middle of a session the user is asked for his name and password and again can either be accepted or rejected after several attempts. The other fact here is that Outlook Web Access works without a problem for all users. Any ideas as to what is going on?

GPO breaks metro apps

OK so my metro apps don't work on a domain PC that has the Default Domain Policy applied. If I block the Default Domain Policy as soon as I join the PC to the domain, the apps will continue to work. If I take a new Win8 PC and let the Default Domain Policy be applied, then it breaks the apps. So I want to roll out Win8 to some users but not if Group Policy breaks the apps. How can I further narrow down what policy is breaking this? Thanks.

Forest/Domain Functional Level upgrade to Windows Server 2008 R2


I have just upgraded all our domain controllers to Windows Server 2008 R2. I plan to raise the Forest/Domain Functional Level to Windows Server 2008 R2.

Will raising the functional levels to Windows 2008 R2 automatically convert my AD replication to DFSR, or will it remain using FRS and require me to migrate it to DFSR as a completely separate task at a later date?

Missing SRV record for Domain


Hi All,

We've some PCs out at a remote site, where we've just installed a Domain Controller, and a few have shown some AD-related issues. We find that adding/removing PCs to the domain is an issue. I have to put ABC.local in as the domain when adding. But here in the main site, I don't have to do that. WINS and DNS are installed and running. Most of my DCs are 2008 R2, but I do have 2 older 2003 DCs.

As part of diagnosing, I've run a dcdiag /test:DNS, which has given an error similar to the below (edited slightly for posting), which is what I'm checking into here.

Here's my issue: We've only ever had one domain, and if I look up the DNS zone for domains._msdcs.ABC.local, there is a set of correct sub-records in there, but the SID (I think this is the Domain SID, right?) begins with ae248820-xxxx-xxxx..... You can see that DCDIAG thinks it should be something else.

Inside the live records, I can see _ldap SRV ae248820 records for each domain controller, correctly. I've no idea where this other SID is coming from.

So: Is this the domain SID? How do I verify the correct SID? And... what do I do about it?

-----------

   Running enterprise tests on : ABC.local

      Starting test: DNS

         Test results for domain controllers:

            DC: VM-DC01.ABC.local

            Domain: ABC.local

               TEST: Records registration (RReg)
                  Network Adapter [00000012] vmxnet3 Ethernet Adapter:

                     Error: 
                     Missing SRV record at DNS server 192.168.50.249:
                     _ldap._tcp.90c3e9ad-xxxx-xxxx-xxxx-xxxxxxxxxxxx.domains._msdcs.ABC.local
                     
                     Error: 
                     Missing SRV record at DNS server 192.168.50.243:
                     _ldap._tcp.90c3e9ad-xxxx-xxxx-xxxx-xxxxxxxxxxxx.domains._msdcs.ABC.local
                     
               Warning: Record Registrations not found in some network adapters

         
               VM-DC01                      PASS PASS PASS PASS PASS WARN n/a  
         ......................... ABC.local passed test DNS

------------------
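As an added example, not from the post: the GUID in `_ldap._tcp.<guid>.domains._msdcs.<forest>` is the domain object's objectGUID (not the domain SID), and each DC also registers a CNAME named by its NTDS Settings GUID. The Python below builds the Netlogon records a set of DCs should have registered from those GUIDs and diffs them against a zone listing, reproducing the mismatch the dcdiag output above reports; the GUIDs, DC names and zone contents are constructed.

```python
def expected_records(forest: str, domain: str, domain_guid: str, dcs: dict) -> dict:
    """Return {record_name: {DC FQDNs expected as targets}}.

    dcs maps each DC FQDN to its NTDS Settings objectGUID (DSA GUID). This is a
    subset of what Netlogon registers: the domain-wide SRV records, the
    domain-GUID record under domains._msdcs, and the per-DC DSA-GUID CNAME.
    """
    srv_names = [
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest}",
    ]
    expected = {name: set(dcs) for name in srv_names}
    for dc, dsa_guid in dcs.items():
        expected[f"{dsa_guid}._msdcs.{forest}"] = {dc}
    return expected


def missing_registrations(expected: dict, zone: dict) -> list:
    """Diff expected records against a zone dump {record_name: {targets}}.

    Returns (record_name, dc) for every registration that is absent.
    Names and targets are compared case-insensitively, as DNS does.
    """
    zone_ci = {k.lower(): {t.lower() for t in v} for k, v in zone.items()}
    return [(name, dc)
            for name, dcs in expected.items()
            for dc in sorted(dcs)
            if dc.lower() not in zone_ci.get(name.lower(), set())]


# Constructed scenario mirroring the post: the zone holds records under a stale
# domain GUID while the DC registers under the objectGUID it reads from AD.
FOREST = DOMAIN = "abc.local"
DOMAIN_GUID_FROM_AD = "90c3e9ad-0000-4000-8000-000000000001"  # constructed
STALE_GUID_IN_DNS = "ae248820-0000-4000-8000-000000000002"    # constructed
DCS = {"vm-dc01.abc.local": "11111111-2222-4333-8444-555555555555",
       "vm-dc02.abc.local": "66666666-7777-4888-8999-aaaaaaaaaaaa"}
ALL_DCS = set(DCS)
ZONE = {
    "_ldap._tcp.abc.local": ALL_DCS,
    "_kerberos._tcp.abc.local": ALL_DCS,
    "_ldap._tcp.dc._msdcs.abc.local": ALL_DCS,
    "_kerberos._tcp.dc._msdcs.abc.local": ALL_DCS,
    f"_ldap._tcp.{STALE_GUID_IN_DNS}.domains._msdcs.abc.local": ALL_DCS,
    f"{DCS['vm-dc01.abc.local']}._msdcs.abc.local": {"vm-dc01.abc.local"},
}

if __name__ == "__main__":
    exp = expected_records(FOREST, DOMAIN, DOMAIN_GUID_FROM_AD, DCS)
    for name, dc in missing_registrations(exp, ZONE):
        print(f"missing: {name} -> {dc}")
```

The stale-GUID record is what dcdiag flags as missing: the zone has the old name, but the DC looks for the name built from the current domain objectGUID, so the fix is on the DNS/registration side rather than a SID question.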

Making users to add/delete/modify objects in ADUC


Hi ppl,

I am aware of the information that administrators and certain built-in groups are allowed to manipulate objects via ADUC. I found from http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/442cc93b-ef45-410c-a775-e666ba88d48b that all users are allowed "READ ONLY" access to ADUC. I have a user "test" for whom I have delegated certain permissions. When I log into my domain controller with that user, I am prompted for administrator credentials. My "test" user is denied access to ADUC. I found out that RSAT/adminpak.msi could grant me access to AD objects but only in a "read only" manner. So what should I do if I want "test" to access ADUC and add/delete/modify objects in ADUC?

 

Anand Kumar D

This posting is provided "AS IS" with no warranties, and confers no rights.
