Active Directory KCC Intersite Connections
We have 10 AD sites connected via high speed MPLS circuit and all sites are currently part of the DEFAULTIPSITELINK. 3 of the sites have multiple domain controllers and the others have just 1. The Forest and domain functional levels are at Windows Server
2008R2. The KCC has manually created the intersite inbound replication connections but this does not look right to me:
10 sites; Site A to Site J
Site A has inbound connections from a single DC from all other sites
Sites B - J all have a single intersite connection from Site A
I know this uses a spanning tree algorithm but cant find documentation which states exactly what the algorithm uses to determine the auto created connections. Latency to and from each site is pretty much the same. Does these auto generated connections seem
right? I would have expected the intersite connections to have been spread out a bit more evenly.
Thanks
Hi,
Thanks for the info, I had read that document and we are looking to change the AD site links and and create manual connections to ensure we have better optimized replication. 4 of the sites have high speed links and the other 10 or so will have lower speed
links. My thought was to create a new site link called MainSites and add the 4 sites with the high speed links and have them replicate with each other every 60 minutes. I would then like the slower link sites to replicate with the main sites every 2 hours
but am not sure how to configure the site links for these. For instance if I created a site link and added 3 of the slower sites in, do I add one of the main sites into this link as well to ensure they replicate with them or can I only have a site as a member
of a single site link?
Alistair
Similar Messages
-
Active Directory-based VM connection. (Jail 1 user to same VM everytime without IP/HostName)
Greetings, fellow techies!!
I come to you with what may seem as an odd request.
My firm is considering building a thin-client solution for certain clients. We (I) normally operate with ESXi and other VMWare-related solutions. However, we have decided to go via Hyper-V Server 2012 (Core, not Windows Server with a Role) for
this particular scenario. So, enough chatter.
Can anyone please inform me how or even if this can be done?: I would like to use the Hyper-V server as a "pointer" to VMs depending on what username is given. For example: On my thin-client, I would only specify the Hyper-V server. At that
point, I want to enter Windows Domain credentials. Depending on what I enter as username, I want it to go to a certain VM.
Let's say I have 5 VMs in Hyper-V (Hyper-V IP is 192.168.1.200). One of their HostName is Tommy-PC, and its IP is 192.168.1.201. Now when the user boots their thin client, which is pointing to the Hyper-V at 192.168.1.200, he would type his username and
password and it will automatically send him to HostPC "Tommy-PC(192.168.1.201)" without ever typing in or storing the IP or HostName. In a sense it would be ActiveDirectory/User-based connection, where the destination is pre-defined somewhere. Where
is that somewhere?! :)
Thanks in advance for your replies.
Really, anything that will help me make Hyper-V as a HUB of sorts, rather than using RDP with direct IP's/hostnames to the hosts. We want as little user-error-margin as possible; so doing this as a pre-defined rule seems the best route.
*Update*Theory. Just remembered the Personal Virtual Desktop... Or rather I saw it in the AD and remembered haha. So I think if I make the DC into an RDS host or the Hyper-V, via the Remote Desktop Connection Manager, I should be able to point. Let's see!Back in the day I had thin clients that had hard coded RDP connections to a terminal server host.
Each thin client could logon by itself, in which case there was one common session per client, or I could force each user to logon individually.
Again, it all depends on what you are looking for.
I got the impression from your question that you are simply using the Virtual Center client to authenticate users and the VM that they get access to, then delivering a console.
Unless there is a different objective.
I don't think we really understand what you are looking for.
Brian Ehlert
http://ITProctology.blogspot.com
Learn. Apply. Repeat.
Disclaimer: Attempting change is of your own free will. -
Tips on enabling SSL in Active Directory!!!
Finally I can connect to my Active Directory through SSL connection. I don't know what is wrong with my previous settings because I reinstall the server from scratch. Below is the steps I took:
1. Install Windows 2000 Advanced Server + SP4
2. Install Windows 2000 High Encryption Pack (128-Bits SSL)
3. Install Active Directory Service together with MS DNS Server and Enterprise Certificate Authority Service.
4. Install Windows 2000 Support Tools from Windows 2000 installation CD.
5. Launch ldp.exe and connect to local Active Directory on port 636.
6. It should display the rootDSE content if SSL is working properly.
7. Go to C: drive and get the root CA certificate in root directory. It should be named xxx.crt.
8. Import the certificate into ${JAVA.HOME}/lib/security/cacerts file.
9. Right now everything should be OK.
What surprised me is I didn't follow several 'important' steps suggested by both Microsoft and some other developers in this forum. They are:
1. Open the Domain Controller Policy using the Group Policy Editor.
2. Under Computer Configuration , click Windows Settings .
3. Click Security Settings , and then click Public Key Policies.
4. Click Automatic Certificate Request Settings .
5. Use the wizard to add a policy for Domain Controllers.
I double checked that I didn't enable Automatic Certificate Request Settings. But somehow SSL works. Can somebody explain why?
Regards,
WenBinI am glad that you can benefit from the tips.
Regarding to you question, the answer is like this:
1. A user named David logon
2. You generate the userPrincipal for him - [email protected]
3. Bind to ADS with this userPrincipal and the password he typed in
4. If succeeds, search user container with sAMAccountName=David and meanwhile request any attributes you want. Please refer to JNDI tutorial on how to search LDAP directory and get back some other attributes at the same time.
Hope this help you.
Regards,
WenBin -
Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest
Hello everyone,
I'm managing a multi-domain forest (with 7 sub-domain). All are working fine except for one. Throught repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed I got both domain controllers of a subdomain (there are only 2 DCs in that
subdomain), who hadn't replicated with the rest of the forest for more than 60 days.
According to my research, it's usually recommended to Depromote and repromote the problematic DC to avoid the issue of lingering objects. In this case, it's both DC of a sub-domain. Of course, on the others DCs in the forest, I got the event
ID 2012 "it has been too long since this machine last replicated with the named source machine....".
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
to a value of 1.
As I understand it, this may cause lingering objects to appear (they can be removed with repadmin /removelingeringobjects command with the DSA GUID, naming context, etc..). So far, I haven't used that registry key yet because of the associated risks.
I didn't noticed any other issue so far. Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the others DCs in the forests. (at least, I'm not getting any error in the A.D. Sites
and Services)
I added two new DCs for the affected sub-domains, so the number of DCs for that domain went from 2 to 4 DCs. The two old DCs that hadn't replicated for 60 days are windows Server 2003 and the two new DCs are Server 2008 R2.
Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain. By that, I mean that I
cannot add an Active Directory Domain Services Connection in Sites & Services console (from a DC in another domain of the forest or even the root domain). I see all the DCs, including the two old DCs that are server 2003, but not the new ones.
I believe it's because the others DCs doesn't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
I was wondering what is the best course of action. Is it worthwhilte to use the registry key force replication with the old DCs ? (and hopefully, the new DCs will get their AD Services connection/replication vector created, so I can depromote
the old DCs.
Since the Old DCs from the problematic sub-domain seems to be able to pull the replication from the rest of the forest, does the risk of Lingering object isn't that great ?
Or is it too risky and I must create a new sub-domain and migrate one way or another the users ? (which would be time-consuming)
Thanks in advance,
AdamThanks for the reply. One of the link had another link to a good article about the use of repadmin :
So, I ran the command "repadmin /removinglingerobjects " on one of the problematic DCs ().
For clarity purpose, let's say I used the domain :
domain = main domain
subdomain = the domain whose DC are problematic (all of them).
AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
Command (the DSA guid is from a DC "clean" in another domain)
repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
I got the following message in the event viewer :
Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
Source domain controller:
c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
Number of objects examined and verified:
0
Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
advisory mode option.
How should I interpret the message "number of objects examined and verified 0". Does it mean it just didn't find any object to compare ? (which would be odd IMHO) Or there is another problem ?
Thanks in advance,
Adam -
Failed Cluster Validation Wizard - Active Directory
Hi All,
I have a problem creating a cluster that has just got me stumped.
I've created two other clusters at two other sites with exact same hardware and configuration. All worked fine at those location.
For this third location, the cluster build is not going so well.
I have 2 x Dell server for a 2 node cluster, and a Dell SAN. There are iSCSI HBAs and switches for iSCSI and a flat network for the LAN and Management on another switch. The heartbeat is connected via a directly connected cable.
The nodes are running 2012 R2 Core, with latest patches (April 2015).
Firewall is disabled by Group Policy, both on servers and Domain Controller.
The Domain Controller at this site is on the local LAN.
On each future cluster node, the LAN cards can ping the Domain Controller by name and address (using -S to verify the source address). On the DC it can also ping each LAN interface, again both by name and IP. Heartbeat NICs can similarly ping each other.
Using a Management Server on a remote subnet (Domain Account, local admin of all concerned servers, except the DC, and having read/write on the target OU), the Cluster Validation Wizard fails, on one node only.
I'm getting an error message on "System Configuration\Validate Active Directory Configuration" of:
Connectivity to a writable domain controller from node DEN1NTHV02.mycorp.net could not be determined because of this error: Could not get domain controller name from machine DEN1NTHV02.
Node(s) DEN1NTHV01.mycorp.net can reach a writable domain controller.
Node(s) DEN1NTHV02.mycorp.net cannot reach a writable domain controller. Please check connectivity of these nodes to the domain controllers.
The computer accounts are in the same OU, and both are enabled and have no (seeming) other problems.
So, (1) does anyone have any idea, or (2) where can I find the verbose output text of the failed test?Re-check your IP configuration. Ensure the only NICs with a gateway defined is the primary NIC that will be used for client access.
"a flat network for the LAN and Management on another switch. The heartbeat is connected via a directly connected cable."
Just FYI. Though a cross-over cable between the two nodes works for a two-node cluster, it is not recommended if there is even a chance of the cluster going beyond two nodes.
Secondly, from your above statement, it sounds like you have the other, non-iSCSI networks plugged into a single switch. That becomes a single point of failure.
. : | : . : | : . tim -
Snow Leopard and Windows 2003 Active Directory Binding Issues
Ok I have a new imac 27" with snow leopard (completely patched).
I am attempting to join it to an active directory domain.
First the prequel:
* I have opened full traffic to and from the machine and our domain controllers
* I have enabled full logging on the firewall and there are no blocked packets
* I have used wireshark to watch the traffic on the mac and there appear to be no anomalies (packets being sent out but not getting a response, dns requests that aren't answered, etc)
* I have enabled full KDC logging on the domain controller in question and there are no errors in any of the event logs on either domain controller.
* The domain admin account in question has Enterprise, Schema and Domain Admin rights
* I have tried it both with and without an existing computer account and with every conceivable combination of caps and no caps on domain name, user and computer names.
I am getting the following error at the very end of the process:
"Unable to add server. Credential operation failed because an invalid parameter was provided (5102)"
I enabled debugging on Directory Services and will post a log in a reply.
Anyone have any ideas? I have been banging my head on this for a week with no luck.Here is the log with the Active Directory: entries grepped... the full log is far too large to reply to here, if you think you need it let me know and I can email it to you it is 548kb
obviously machine names, usernames and ip addresses have been munged.
2011-02-09 12:13:32 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:36 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:41 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:46 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 3 - Verifying credentials
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Attempting Replica connect to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: CheckWithSelect - good socket to host dc3.subdomain.domain.tld. from poll and verified LDAP
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Established connection to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:vyvyIt4
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:vyvyIt4
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Processing Site Search with found IP
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: No site name available
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating Mappings from inSchema.........
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated schema for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Configuration naming context = cn=Partitions,CN=Configuration,DC=subdomain,DC=domain,DC=tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Top domain set as <cn=subdomain,cn=partitions,cn=configuration,dc=subdomain,dc=domain,dc=tld>
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating domain hierarchy cache
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating policies from domain subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated policies for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - Searching for existing computer
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing Computer search for Ethernet address - 10:9a:dd:56:1b:1d
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - no mapping for Ethernet MAC address
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 5 - Bind/Join computer to domain
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Looking for existing Record of machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: KerberosID Found for account CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld - MACHINENAME$
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Existing record found @ CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld with [email protected].
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Setting Computer Password FAILED for existing record......
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Computer password change date is 2011-02-04 18:21:01 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Schtldled computer password change every 1209600 seconds - starting 2011-02-09 12:13:50 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x00000001026AA000\] - Active Directory: Failed to changed computer password in Active Directory domain
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:51 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
Message was edited by: aelana -
Event ID 91 Could not connect to the Active Directory. Active Directory Certificate Services
Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access.
Event ID: 91
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: DC1.chickbuns.com
Description:
Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
<EventID Qualifiers="49754">91</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-01-07T19:34:00.000000000Z" />
<EventRecordID>819</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>DC1.chickbuns.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="MSG_E_DS_RETRY">
</EventData>
</Event>
:\Users\Administrator>dcdiag /fix
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC1
Starting test: Advertising
Warning: DC1 is not advertising as a time server.
......................... DC1 failed test Advertising
Starting test: FrsEvent
......................... DC1 passed test FrsEvent
Starting test: DFSREvent
......................... DC1 passed test DFSREvent
Starting test: SysVolCheck
......................... DC1 passed test SysVolCheck
Starting test: KccEvent
......................... DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC1 passed test MachineAccount
Starting test: NCSecDesc
......................... DC1 passed test NCSecDesc
Starting test: NetLogons
......................... DC1 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC1 passed test ObjectsReplicated
Starting test: Replications
......................... DC1 passed test Replications
Starting test: RidManager
......................... DC1 passed test RidManager
Starting test: Services
......................... DC1 passed test Services
Starting test: SystemLog
......................... DC1 passed test SystemLog
Starting test: VerifyReferences
......................... DC1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : chickbuns
Starting test: CheckSDRefDom
......................... chickbuns passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... chickbuns passed test CrossRefValidation
Running enterprise tests on : chickbuns.com
Starting test: LocatorCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
1355
A Good Time Server could not be located.
......................... chickbuns.com failed test LocatorCheck
Starting test: Intersite
......................... chickbuns.com passed test Intersite.My test lab one sinle domain controller server 2008 R2 Sp1 and member exchange server is using,the event error 91 is generated as per the technet article http://technet.microsoft.com/en-us/library/cc774525(v=ws.10).aspx the domain
computer and domain users in public key services container is not listed ..
C:\Users\Administrator>netdom /query fsmo
Schema master DC1.chickbuns.com
Domain naming master DC1.chickbuns.com
PDC DC1.chickbuns.com
RID pool manager DC1.chickbuns.com
Infrastructure master DC1.chickbuns.com
The command completed successfully.
Command Line: "dcdiag.exe
/V /D /C /E"
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine DC1, is a Directory Server.
Home Server = DC1
* Connecting to directory service on server DC1.
DC1.currentTime = 20140110072353.0Z
DC1.highestCommittedUSN = 131148
DC1.isSynchronized = 1
DC1.isGlobalCatalogReady = 1
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=chickbuns,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=chickbuns,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
DC1.currentTime = 20140110072353.0Z
DC1.highestCommittedUSN = 131148
DC1.isSynchronized = 1
DC1.isGlobalCatalogReady = 1
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
===============================================Printing out pDsInfo
GLOBAL:
ulNumServers=1
pszRootDomain=chickbuns.com
pszNC=
pszRootDomainFQDN=DC=chickbuns,DC=com
pszConfigNc=CN=Configuration,DC=chickbuns,DC=com
pszPartitionsDn=CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
fAdam=0
iSiteOptions=0
dwTombstoneLifeTimeDays=180
dwForestBehaviorVersion=3
HomeServer=0, DC1
SERVER: pServer[0].pszName=DC1
pServer[0].pszGuidDNSName (binding str)=771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
pServer[0].pszDNSName=DC1.chickbuns.com
pServer[0].pszLdapPort=(null)
pServer[0].pszSslPort=(null)
pServer[0].pszDn=CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
pServer[0].pszComputerAccountDn=CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com
pServer[0].uuidObjectGuid=771aab3d-96cd-4fb1-90cd-0899fa6b6207
pServer[0].uuidInvocationId=771aab3d-96cd-4fb1-90cd-0899fa6b6207
pServer[0].iSite=0 (Default-First-Site-Name)
pServer[0].iOptions=1
pServer[0].ftLocalAcquireTime=ea9513a0 01cf0dd4
pServer[0].ftRemoteConnectTime=ea2bca80 01cf0dd4
pServer[0].ppszMaster/FullReplicaNCs:
ppszMaster/FullReplicaNCs[0]=DC=ForestDnsZones,DC=chickbuns,DC=com
ppszMaster/FullReplicaNCs[1]=DC=DomainDnsZones,DC=chickbuns,DC=com
ppszMaster/FullReplicaNCs[2]=CN=Schema,CN=Configuration,DC=chickbuns,DC=com
ppszMaster/FullReplicaNCs[3]=CN=Configuration,DC=chickbuns,DC=com
ppszMaster/FullReplicaNCs[4]=DC=chickbuns,DC=com
SITES: pSites[0].pszName=Default-First-Site-Name
pSites[0].pszSiteSettings=CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
pSites[0].pszISTG=CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
pSites[0].iSiteOption=0
pSites[0].cServers=1
NC: pNCs[0].pszName=ForestDnsZones
pNCs[0].pszDn=DC=ForestDnsZones,DC=chickbuns,DC=com
pNCs[0].aCrInfo[0].dwFlags=0x00000201
pNCs[0].aCrInfo[0].pszDn=CN=5fc582f9-b435-49a1-aa54-41769fc24206,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
pNCs[0].aCrInfo[0].pszDnsRoot=ForestDnsZones.chickbuns.com
pNCs[0].aCrInfo[0].iSourceServer=0
pNCs[0].aCrInfo[0].pszSourceServer=(null)
pNCs[0].aCrInfo[0].ulSystemFlags=0x00000005
pNCs[0].aCrInfo[0].bEnabled=TRUE
pNCs[0].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[0].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[0].aCrInfo[0].pszNetBiosName=(null)
pNCs[0].aCrInfo[0].cReplicas=-1
pNCs[0].aCrInfo[0].aszReplicas=
NC: pNCs[1].pszName=DomainDnsZones
pNCs[1].pszDn=DC=DomainDnsZones,DC=chickbuns,DC=com
pNCs[1].aCrInfo[0].dwFlags=0x00000201
pNCs[1].aCrInfo[0].pszDn=CN=9e1c2cb8-b90b-4e9f-90dd-9903f935e4af,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
pNCs[1].aCrInfo[0].pszDnsRoot=DomainDnsZones.chickbuns.com
pNCs[1].aCrInfo[0].iSourceServer=0
pNCs[1].aCrInfo[0].pszSourceServer=(null)
pNCs[1].aCrInfo[0].ulSystemFlags=0x00000005
pNCs[1].aCrInfo[0].bEnabled=TRUE
pNCs[1].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[1].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[1].aCrInfo[0].pszNetBiosName=(null)
pNCs[1].aCrInfo[0].cReplicas=-1
pNCs[1].aCrInfo[0].aszReplicas=
NC: pNCs[2].pszName=Schema
pNCs[2].pszDn=CN=Schema,CN=Configuration,DC=chickbuns,DC=com
pNCs[2].aCrInfo[0].dwFlags=0x00000201
pNCs[2].aCrInfo[0].pszDn=CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
pNCs[2].aCrInfo[0].pszDnsRoot=chickbuns.com
pNCs[2].aCrInfo[0].iSourceServer=0
pNCs[2].aCrInfo[0].pszSourceServer=(null)
pNCs[2].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[2].aCrInfo[0].bEnabled=TRUE
pNCs[2].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[2].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[2].aCrInfo[0].pszNetBiosName=(null)
pNCs[2].aCrInfo[0].cReplicas=-1
pNCs[2].aCrInfo[0].aszReplicas=
NC: pNCs[3].pszName=Configuration
pNCs[3].pszDn=CN=Configuration,DC=chickbuns,DC=com
pNCs[3].aCrInfo[0].dwFlags=0x00000201
pNCs[3].aCrInfo[0].pszDn=CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
pNCs[3].aCrInfo[0].pszDnsRoot=chickbuns.com
pNCs[3].aCrInfo[0].iSourceServer=0
pNCs[3].aCrInfo[0].pszSourceServer=(null)
pNCs[3].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[3].aCrInfo[0].bEnabled=TRUE
pNCs[3].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[3].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[3].aCrInfo[0].pszNetBiosName=(null)
pNCs[3].aCrInfo[0].cReplicas=-1
pNCs[3].aCrInfo[0].aszReplicas=
NC: pNCs[4].pszName=chickbuns
pNCs[4].pszDn=DC=chickbuns,DC=com
pNCs[4].aCrInfo[0].dwFlags=0x00000201
pNCs[4].aCrInfo[0].pszDn=CN=CHICKBUNS,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
pNCs[4].aCrInfo[0].pszDnsRoot=chickbuns.com
pNCs[4].aCrInfo[0].iSourceServer=0
pNCs[4].aCrInfo[0].pszSourceServer=(null)
pNCs[4].aCrInfo[0].ulSystemFlags=0x00000003
pNCs[4].aCrInfo[0].bEnabled=TRUE
pNCs[4].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[4].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[4].aCrInfo[0].pszNetBiosName=(null)
pNCs[4].aCrInfo[0].cReplicas=-1
pNCs[4].aCrInfo[0].aszReplicas=
5 NC TARGETS: ForestDnsZones, DomainDnsZones, Schema, Configuration, chickbuns,
1 TARGETS: DC1,
=============================================Done Printing pDsInfo
Doing initial required tests
Testing server: Default-First-Site-Name\DC1
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Failure Analysis: DC1 ... OK.
* Active Directory RPC Services Check
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC1
Starting test: Advertising
The DC DC1 is advertising itself as a DC and having a DS.
The DC DC1 is advertising as an LDAP server
The DC DC1 is advertising as having a writeable directory
The DC DC1 is advertising as a Key Distribution Center
The DC DC1 is advertising as a time server
The DS DC1 is advertising as a GC.
......................... DC1 passed test Advertising
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC DC1 for domain chickbuns.com in site Default-First-Site-Name
Checking machine account for DC DC1 on DC DC1.
* SPN found :LDAP/DC1.chickbuns.com/chickbuns.com
* SPN found :LDAP/DC1.chickbuns.com
* SPN found :LDAP/DC1
* SPN found :LDAP/DC1.chickbuns.com/CHICKBUNS
* SPN found :LDAP/771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/771aab3d-96cd-4fb1-90cd-0899fa6b6207/chickbuns.com
* SPN found :HOST/DC1.chickbuns.com/chickbuns.com
* SPN found :HOST/DC1.chickbuns.com
* SPN found :HOST/DC1
* SPN found :HOST/DC1.chickbuns.com/CHICKBUNS
* SPN found :GC/DC1.chickbuns.com/chickbuns.com
[DC1] No security related replication errors were found on this DC!
To target the connection to a specific source DC use /ReplSource:<DC>.
......................... DC1 passed test CheckSecurityError
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... DC1 passed test CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... DC1 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... DC1 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC1 passed test SysVolCheck
Starting test: FrsSysVol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC1 passed test FrsSysVol
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
Role Domain Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
Role PDC Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
Role Rid Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
......................... DC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC DC1 on DC DC1.
* SPN found :LDAP/DC1.chickbuns.com/chickbuns.com
* SPN found :LDAP/DC1.chickbuns.com
* SPN found :LDAP/DC1
* SPN found :LDAP/DC1.chickbuns.com/CHICKBUNS
* SPN found :LDAP/771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/771aab3d-96cd-4fb1-90cd-0899fa6b6207/chickbuns.com
* SPN found :HOST/DC1.chickbuns.com/chickbuns.com
* SPN found :HOST/DC1.chickbuns.com
* SPN found :HOST/DC1
* SPN found :HOST/DC1.chickbuns.com/CHICKBUNS
* SPN found :GC/DC1.chickbuns.com/chickbuns.com
......................... DC1 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC1.
* Security Permissions Check for
DC=ForestDnsZones,DC=chickbuns,DC=com
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=chickbuns,DC=com
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=chickbuns,DC=com
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=chickbuns,DC=com
(Configuration,Version 3)
* Security Permissions Check for
DC=chickbuns,DC=com
(Domain,Version 3)
......................... DC1 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC1\netlogon
Verified share \\DC1\sysvol
......................... DC1 passed test NetLogons
Starting test: ObjectsReplicated
DC1 is in domain DC=chickbuns,DC=com
Checking for CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com in domain DC=chickbuns,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com in domain CN=Configuration,DC=chickbuns,DC=com on 1 servers
Object is up-to-date on all servers.
......................... DC1 passed test ObjectsReplicated
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test because /testdomain: was
not entered
......................... DC1 passed test OutboundSecureChannels
Starting test: Replications
* Replications Check
DC=ForestDnsZones,DC=chickbuns,DC=com has 1 cursors.
DC=DomainDnsZones,DC=chickbuns,DC=com has 1 cursors.
CN=Schema,CN=Configuration,DC=chickbuns,DC=com has 1 cursors.
CN=Configuration,DC=chickbuns,DC=com has 1 cursors.
DC=chickbuns,DC=com has 1 cursors.
* Replication Latency Check
......................... DC1 passed test Replications
Starting test: RidManager
ridManagerReference = CN=RID Manager$,CN=System,DC=chickbuns,DC=com
* Available RID Pool for the Domain is 1600 to 1073741823
fSMORoleOwner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
* DC1.chickbuns.com is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com
* rIDAllocationPool is 1100 to 1599
* rIDPreviousAllocationPool is 1100 to 1599
* rIDNextRID: 1103
......................... DC1 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC1 passed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... DC1 passed test SystemLog
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... DC1 passed test Topology
Starting test: VerifyEnterpriseReferences
......................... DC1 passed test VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com and backlink on
CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
are correct.
The system object reference (serverReferenceBL)
CN=DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=chickbuns,DC=com
and backlink on
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=chickbuns,DC=com
and backlink on CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com are
correct.
......................... DC1 passed test VerifyReferences
Starting test: VerifyReplicas
......................... DC1 passed test VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... DC1 passed test DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : chickbuns
Starting test: CheckSDRefDom
......................... chickbuns passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... chickbuns passed test CrossRefValidation
Running enterprise tests on : chickbuns.com
Starting test: DNS
Test results for domain controllers:
DC: DC1.chickbuns.com
Domain: chickbuns.com
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2008 R2 Enterprise (Service Pack level: 1.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:0C:29:DE:7F:EB
IP Address is static
IP address: 192.168.1.30
DNS servers:
192.168.1.30 (dc1.chickbuns.com.) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
192.168.1.1 (<name unavailable>) [Valid]
TEST: Delegations (Del)
Delegation information for the zone: chickbuns.com.
Delegated domain name: _msdcs.chickbuns.com.
DNS server: dc1.chickbuns.com. IP:192.168.1.30 [Valid]
TEST: Dynamic update (Dyn)
Test record dcdiag-test-record added successfully in zone chickbuns.com
Test record dcdiag-test-record deleted successfully in zone chickbuns.com
TEST: Records registration (RReg)
Network Adapter
[00000007] Intel(R) PRO/1000 MT Network Connection:
Matching CNAME record found at DNS server 192.168.1.30:
771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
Matching A record found at DNS server 192.168.1.30:
DC1.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.48c41195-2630-4461-aaef-ec2a63cd8bf3.domains._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kerberos._tcp.dc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.dc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kerberos._tcp.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kerberos._udp.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kpasswd._tcp.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.Default-First-Site-Name._sites.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kerberos._tcp.Default-First-Site-Name._sites.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.gc._msdcs.chickbuns.com
Matching A record found at DNS server 192.168.1.30:
gc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_gc._tcp.Default-First-Site-Name._sites.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.pdc._msdcs.chickbuns.com
Total query time:0 min. 3 sec.. Total RPC connection
time:0 min. 0 sec.
Total WMI connection time:0 min. 6 sec. Total Netuse connection
time:0 min. 0 sec.
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 192.168.1.1 (<name unavailable>)
All tests passed on this DNS server
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 5 sec.
DNS server: 192.168.1.30 (dc1.chickbuns.com.)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
DNS delegation for the domain _msdcs.chickbuns.com. is operational on IP 192.168.1.30
Total query time:0 min. 3 sec., Total WMI connection
time:0 min. 0 sec.
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: chickbuns.com
DC1 PASS PASS PASS PASS PASS PASS n/a
Total Time taken to test all the DCs:0 min. 9 sec.
......................... chickbuns.com passed test DNS
Starting test: LocatorCheck
GC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
PDC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
Time Server Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
Preferred Time Server Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
KDC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
......................... chickbuns.com passed test LocatorCheck
Starting test: FsmoCheck
GC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
PDC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
Time Server Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
Preferred Time Server Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
KDC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
......................... chickbuns.com passed test FsmoCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... chickbuns.com passed test Intersite -
Active Directory Services Can't Connect to Domain
I removed Active Directory services form a server running 2012. I then went to reinstall and reconfigure it, but I keep running into issues. When I launch active directory admin center it gives me an error that it can't connect to any domain, and I can't
make any changes. The local server has already been promoted to the domain controller. Here is the output from dcdiag:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = ACSSVR
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\ACSSVR
Starting test: Connectivity
......................... ACSSVR passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\ACSSVR
Starting test: Advertising
Fatal Error:DsGetDcName (ACSSVR) call failed, error 1355
The Locator could not find the server.
......................... ACSSVR failed test Advertising
Starting test: FrsEvent
......................... ACSSVR passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... ACSSVR failed test DFSREvent
Starting test: SysVolCheck
......................... ACSSVR passed test SysVolCheck
Starting test: KccEvent
A warning event occurred. EventID: 0x80000B46
Time Generated: 03/02/2015 12:00:00
Event String:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification)
and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
A warning event occurred. EventID: 0x80000734
Time Generated: 03/02/2015 12:00:37
Event String:
The local domain controller could not connect with the following domain controller hosting the following directory partition to resolve distinguished names.
......................... ACSSVR passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... ACSSVR passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... ACSSVR passed test MachineAccount
Starting test: NCSecDesc
......................... ACSSVR passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\ACSSVR\netlogon)
[ACSSVR] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... ACSSVR failed test NetLogons
Starting test: ObjectsReplicated
......................... ACSSVR passed test ObjectsReplicated
Starting test: Replications
......................... ACSSVR passed test Replications
Starting test: RidManager
......................... ACSSVR passed test RidManager
Starting test: Services
......................... ACSSVR passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2015 11:21:34
Event String:
Name resolution for the name teredo.ipv6.microsoft.com. timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000727A5
Time Generated: 03/02/2015 11:21:58
Event String:
The WinRM service is not listening for WS-Management requests.
An error event occurred. EventID: 0xC0001B58
Time Generated: 03/02/2015 11:26:01
Event String:
The Vstor2 Virtual Storage Driver service failed to start due to the following error:
An error event occurred. EventID: 0xC0001B58
Time Generated: 03/02/2015 11:26:01
Event String:
The Vstor2 MntApi 2.0 Driver (shared) service failed to start due to the following error:
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2015 11:26:16
Event String:
Name resolution for the name teredo.ipv6.microsoft.com. timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0x0000002E
Time Generated: 03/02/2015 11:34:32
Event String:
The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.
An error event occurred. EventID: 0xC0001B6F
Time Generated: 03/02/2015 11:34:32
Event String:
The Windows Time service terminated with the following error:
A warning event occurred. EventID: 0x000727A5
Time Generated: 03/02/2015 11:35:01
Event String:
The WinRM service is not listening for WS-Management requests.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2015 11:39:08
Event String:
Name resolution for the name _ldap._tcp.dc._msdcs.ACS.local. timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0xC0001B58
Time Generated: 03/02/2015 11:39:27
Event String:
The Vstor2 Virtual Storage Driver service failed to start due to the following error:
An error event occurred. EventID: 0xC0001B58
Time Generated: 03/02/2015 11:39:27
Event String:
The Vstor2 MntApi 2.0 Driver (shared) service failed to start due to the following error:
A warning event occurred. EventID: 0x000727AA
Time Generated: 03/02/2015 11:39:40
Event String:
The WinRM service failed to create the following SPNs: WSMAN/ACSSVR.ACS.local; WSMAN/ACSSVR.
A warning event occurred. EventID: 0x0000000C
Time Generated: 03/02/2015 11:39:39
Event String:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in
the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the
authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
A warning event occurred. EventID: 0xC000042B
Time Generated: 03/02/2015 11:42:01
Event String:
The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
An error event occurred. EventID: 0x00000469
Time Generated: 03/02/2015 11:44:31
Event String:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
An error event occurred. EventID: 0x00000469
Time Generated: 03/02/2015 11:45:05
Event String:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
An error event occurred. EventID: 0x0000168F
Time Generated: 03/02/2015 11:55:22
Event String:
The dynamic deletion of the DNS record 'ACS.acsolutionsinc.net. 600 IN A 192.168.56.1' failed on the following DNS server:
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2015 11:55:22
Event String:
Name resolution for the name acsolutionsinc.net timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0x0000168F
Time Generated: 03/02/2015 11:55:47
Event String:
The dynamic deletion of the DNS record '_ldap._tcp.ACS.acsolutionsinc.net. 600 IN SRV 0 100 389 ACSSVR.ACS.acsolutionsinc.net.' failed on the following DNS server:
A warning event occurred. EventID: 0x000727A5
Time Generated: 03/02/2015 11:55:53
Event String:
The WinRM service is not listening for WS-Management requests.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2015 11:55:53
Event String:
Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ACS.local. timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/02/2015 11:59:53
Event String:
Name resolution for the name _ldap._tcp.dc._msdcs.ACS.local. timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0xC0001B58
Time Generated: 03/02/2015 12:00:13
Event String:
The Vstor2 Virtual Storage Driver service failed to start due to the following error:
An error event occurred. EventID: 0xC0001B58
Time Generated: 03/02/2015 12:00:13
Event String:
The Vstor2 MntApi 2.0 Driver (shared) service failed to start due to the following error:
A warning event occurred. EventID: 0x000727AA
Time Generated: 03/02/2015 12:00:25
Event String:
The WinRM service failed to create the following SPNs: WSMAN/ACSSVR.ACS.local; WSMAN/ACSSVR.
A warning event occurred. EventID: 0x0000000C
Time Generated: 03/02/2015 12:00:25
Event String:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in
the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the
authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
A warning event occurred. EventID: 0xC000042B
Time Generated: 03/02/2015 12:02:47
Event String:
The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
An error event occurred. EventID: 0x00000469
Time Generated: 03/02/2015 12:05:17
Event String:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
An error event occurred. EventID: 0x00000469
Time Generated: 03/02/2015 12:05:17
Event String:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
......................... ACSSVR failed test SystemLog
Starting test: VerifyReferences
......................... ACSSVR passed test VerifyReferences
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : ACS
Starting test: CheckSDRefDom
......................... ACS passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ACS passed test CrossRefValidation
Running enterprise tests on : ACS.local
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... ACS.local failed test LocatorCheck
Starting test: Intersite
......................... ACS.local passed test Intersite
I've been trying to debug errors one at a time, but I'm having a hard time finding any information that pertains to this issue as a whole. Anything you can tell me about this would be great, thank you for reading.It was the only server in the network, the only dc in the old forest. When I re-installed ad ds I gave the new forest different name, but I guess the old settings are still in the system somewhere conflicting with the new setup? Is there a way to
purge the old setup entirely and start over with ad ds, or am I going to have to re-install the whole OS? Thanks again for the help.
Honestly, the best way to handle this is to rebuild the server. There are many things that are "left behind" when you remove the Domain / Forest from a Domain Controller. In fact many articles will say after using ADMT (active directory migration
tool) you should decommission the original Domain Controller (aka reinstall the OS).
While you could spend more time trying to get that domain controller working, it absolutely is going to be 1) More reliable 2) faster to reinstall the OS on the old domain controller. If you are still leveraging storage, or services on that domain controller,
you will want to back them up, or have a transition plan before reinstalling everything on the server. I have a feeling if you choose to keep troubleshooting this, you will run into more issues down the road.
Entrepreneur, Strategic Technical Advisor, and Sr. Consulting Engineer - Strategic Services and Solutions Check out my book - Powershell 3.0 - WMI: http://amzn.to/1BnjOmo | Mastering PowerShell Coming in April 2015! -
Active Directory accounts no longer connect to Server
I administrate a small office network.
We have a Windows 2000 Server with active directory and a Windows 2003 Storage Server Appliance. (From Iomega)
After upgrading to 10.4.8 (it seems), our Mac integrated to the Active Directory has had problems connecting to the storage server.
When attempt to connect to smb://storage (the 2003 server appliance) we get a Error code -36 -- could not be read or written.
This only happens when logged into an AD account. Local accounts on the machine access the server as normal.
Also of note, the AD accounts have no problems accessing shares on the 2000 server.
Any ideas why this is only effecting AD accounts and a solution?There are a couple of things you can check...
1. Check to make sure that the SMB signing option is disabled for the Windows 2003 Storage appliance. This can be done in the local group policy on the Server.
2. If it is a storage appliance, you should be able to run Microsoft's Services for Macintosh. This would give you AFP on the file server - a potential way to eliminate the need for using SMB on the Macs.
3. Use a 3rd party software on the Windows 2003 Storace Server called ExtremeZ-IP by Group Logic. It is a full featured AFP/IP file server for Windows (replacing SFM). We have an HP DL380 NAS device on our network (running Windows 2003 Storage Edition) that has 1.5 TB of storage for our MAc users. We use ExtremeZ-IP... I have nothing bu great things to say for it... -
hi, I'm using windows server 2012 R2 and I was Just wondering how to make the Remote Desktop enable connection through domain\administrator before actually creating the domain... In other words, I wanted to create an Active Directory Domain User and connect
to the server from the RDP. The problem is that I can only connect through the RDP considering that I'm using Windows Azure, so the physical server isn't actually sitting on my desk... Anyway when I create an AD DS the system automatically reboots and I'm
not able to connect to it anymore, so all I need to do right now is enable somehow the Remote Desktop Services to connect through "Domain\Administrator" before I actually create the AD DS and assign it to my server so that when the system reboots
and I open the RDP I can connect to the server.
Thanks in advance.Hi,
Thank you for posting in Windows Server Forum.
As per your comment, it seems that you are managing the server with .RDP file. I can suggest you to run
"Remote Desktop Connection Manager” for maintaining server. With that you can specify the credential for domain\administrator and when you setup the AD DS, after that you can open the connection through domain\administrator and not as local user.
Hope it helps!
Thanks,
Dharmesh -
Connected to Domain but can't log in using Actived Directory Credentials
Hey everyone. I've been working on this issue for two weeks now, and I don't know what else to try. I'm connected to my domain but cannot get my Macbooks to log in using Active Directory credenitals both through our wireless network, and hard wired with an ethernet cable. The weird part about it is that it is not uniform all across our network. This only happens to certain Macbooks and as of right now there doesn't seem to be a pattern. I can say that it has happened to all new Macbook Pros that we have ordered lately though.
We use Jamf to manage our Macs on our network, and ever since upgrading to a new version (9.01 and now 9.1) we have had this issue. However I can't connect after manually adding the domain either, so for now it makes me think it is not a Jamf issue. Has anyone dealt with this issue before, that might know of a fix? Thanks!Hi Burnettb1,
I have come across a similar issue as yours. I have included the instructions that I use to bind the Mac at my institution. In regards to wifi, I have not tried binding the Mac over wifi. Should you need to log in to a Mac with domain user credentials I would suggest to bind the Mac over ethernet. Once you get to the:
*Click on triangle to the left of Show Advanced Options to expand"
portion of the instructions click on the Mappings tab and select the checkbox for creating a mobile account at login. This will create a domain user profile on the machine that you can log into when not connected to the domain.
Hope this helps.
BIND iMac:
Login into iMac using administrative credentials
Open System Preferences
*Goto Users & Groups
*Click on lock in lower left-hand corner
*Use same password used to log into iMac
*Click on Login Options
*Click on ‘Join...’ button right of "Network Account Server: "
*Click on ‘Open Directory Utility…’ button
*Click on lock in lower left-hand corner
*use same password used to log into iMac and click on Modify Configuration
*Double-click on Active Directory
Active Directory Domain = domain
Computer ID = name of Mac
*Click on triangle to the left of Show Advanced Options to expand
*Click on Administrative tab
*Check Prefer this domain server
Type domainserver_ipaddr -or- servername.domain in this field
*Click on ‘Bind…’ button
*When prompted for network administrator login
username = [domain admin user]
pwd = [domain user password]
*Click OK (Note: search path will be updating. Until completed the ‘OK’
button will be greyed out
*Click OK
*Click lock to lock and close window
*Click lock to lock and close window
BIND CHECK:
*Search AD for added mac host - it should be there.
Open Terminal app by either:
1)
*Press command+spacebar
*Type Terminal and select app
2)
*Click on desktop
*Press shift+command+A
*Goto Utilities folder located within Application folder (which you should
be in) and open Terminal
*Once Terminal is opened type in id [domain username] and press return key. The output should be
some some network account information
*Close app by pressing command+Q and any other opened windows
*Restart iMac
*Log in -
Can't connect to Small Business Server 2003 via Active Directory
I have done lots of searching, both in these forums and the wider internet, and cannot find a solution to my specific problem.
I am trying to connect my G5 (10.3.9) to a Windows network. We have a Microsoft Small Business Server 2003 with Active Directory. The PCs have no problem using this, and I can connect to shares setup on the server via AFP.
But I am having problems when I try to configure the AD plug-in in Directory Access on the Mac. When I click 'Bind', I enter the Server's Administrator username & password and when I click 'OK', it gets to Step 3 of 5 "Verifying Credentials". It ticks away at this step for about 30 seconds, then comes up with error message saying "Invalid user name and password combination."
I have tried other users with admin privileges, but they don't work either. I know the usernames and passwords aren't invalid, because I created them. I have tried fiddling around with other settings in the AD setup, but nothing gets any further.
Without any other 3rd party software (that's my final option), is there something I need to check/change, either on the Mac or the server, to make this Mac to authenticate via AD? Please help!Hi Andbrowny, thanks for your response.
Your advice didn't really help my Active Directory problem (AD doesn't require SMB does it?), but it gave me some progress on my SMB problem. I can connect via AFP, but previously when I tried to connect via SMB, it kept coming up with the error "Could not connect to the server because the name or password is not correct".
Now, after changing the policies on the server, I get an error -43 message saying "The operation could not be completed because one or more required items cannot be found."
So now I have two problems! SMB is not finding something it needs, and Active Directory is not "verifying credentials".
Actually, I have three problems: When I am connected via AFP, filenames over 31 characters long are truncated on the server, and I can't copy long filenames onto the server without renaming them. I have read that SMB would fix this to a degree (256 characters for the complete file path), but is there anything (a protocol or software) that allows long filenames to be read/written with ease?
Side note: The server is not 100% configured, the bloke installing it still has some work to do, but Active Directory works for all the XP machines, and I can connect to each XP workstation with SMB. -
hello
I try to connect my active directory server but i get this message all the time
Problem with javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
this is what y do :
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://10.1.10.2:389");
env.put(Context.SECURITY_PRINCIPAL, "cn=administrator, ou=Users, dc=ghh, dc=ch-havre, dc=fr");
env.put(Context.SECURITY_CREDENTIALS, "oleole");
boolean bAuthorise = false ;
try {
DirContext ctx = new InitialDirContext(env);
bAuthorise = true ;
ctx.close();
catch (NamingException e ) {
System.err.println("Problem with " + e);
bAuthorise = false ;
if (bAuthorise){System.out.println ("l'utilisateur est authorise");}
else {System.out.println ("l'utilisateur n'est pas authorise");}
I'm not totaly sure about Context.SECURITY_PRINCIPAL
where can i retrieve those informations on my AD server ??Context.SECURITY_PRINCIPAL is actually the DN(Distinguished Name) of the user.
try using a AD client if available to retrieve the correct DN of the user. -
Unable to connect to Active directory from obiee 11g
Hi Gurus,
I was trying to integrate Active directory into OBIEE 11g. Followed the Oracle documentation and Rittman Mead too but cannot get past a connection issue. I create a new provider,provide the connection details,use bissytemuser in AD as the Principal but when WLS is bounced/restarted, it fails to connect and throws the below error:
"Cannot initialize identity store, cause: oracle.security.idm.ConfigurationException: javax.naming.CommunicationException: <hostname>:389 [Root exception is java.net.UnknownHostException: <hostname>]".
Not sure if this makes a difference but admin and managed server come up but not analytics.
Please help me out with scenarios to test if my bi server is connecting to AD or not?
Thanks,
DanTo answer this need more details.
btw: I would suggest to check these
Property Name=virtualize
Value=true
and
Control Flag list to OPTIONAL
you may send me email -
Hi all,
In advance i`m thankful for your help,
I come across a problem while migrating the Active Directory from Windows Server 2003 to Windows Server 2008 R2,
SharePoint 2010 is getting this error Cannot connect to the configuration database. The same goes for the Administrative page,
Nothing is change in the MySql database, same log in, same server name, i guess it have something to do with the SharePoint Farm,
My question is will reinstalling the SharePoint do the job? Or is there an easy way to get back on my old track?
I`ve try to sync users... no good
PS C:\Users\administrator.SERVERM> if($configManager.IsSynchronizationRunning()
-eq $false)
>> {
>> $configManager.StartSynchronization($true)
>> Write-Host "Started Synchronizing"
>> }
>> else
>> {
>> Write-Host "Already Synchronizing"
>> }
>>
Can someone explain a little bit more about this:
6.
Can they talk to each other?
Verify that SharePoint is using the correct IP address for the SQL server. To do this, run the ping command on the Windows SharePoint Services server.
Verify that the SharePoint server is obtaining the correct IP address for the SQL server from DNS. To do this, run the
nslookup command from the SharePoint Server.
Make sure that there are no incorrect entries for the SQL server. To do this, examine the Hosts file on the SharePoint server. This file is in the following location:
%systemroot%\system32\drivers\etc\Hosts
On the SharePoint server, look for SQL client aliases. To do this, follow these steps: Click
Start, click Run, and then type cliconfg in the
open box.
Click the Alias tab. By default, there are no SQL client aliases. If you have any aliases for the SQL server, verify that they are correct, or remove them.
Open the SQL Server Configuration Manager (Start SQL Server 2008 Configuration Tools SQL Server Configuration Manager
Navigate to the SQL Server Network Configuration Protocols for MSSQLSERVER node in the tree view
Enable TCP/IP and Named Pipes (you’ll be warned that these changes will not apply until the service is shut down)
Aleksandar Delcevski, Web-administrator School of Journalism and Public Relations Jurij Gagarin 17-1/1, 1000 Skopje, R. Macedonia t: + 389 2 3090 004 mob: +38972 257 565 [email protected]; www.vs.edu.mk; www.medium.edu.mk; www.unescochair-vs.edu.mkHiya,
I don't think it is necessary to reinstall.
You should just confirm that your basic infrastructure is working.
1: On the SharePoint server, open cmd and write ping <SQL server name>
2: On the SharePoint server, open cmd and write nslookup <SQL server name>
Basically the steps outlined here, is the best way to start:
6.
Can they talk to each other?
Verify that SharePoint is using the correct IP address for the SQL server. To do this, run the ping command on the Windows SharePoint Services server.
Verify that the SharePoint server is obtaining the correct IP address for the SQL server from DNS. To do this, run the
nslookup command from the SharePoint Server.
Make sure that there are no incorrect entries for the SQL server. To do this, examine the Hosts file on the SharePoint server. This file is in the following location:
%systemroot%\system32\drivers\etc\Hosts
On the SharePoint server, look for SQL client aliases. To do this, follow these steps: Click
Start, click Run, and then type cliconfg in the
open box.
Click the Alias tab. By default, there are no SQL client aliases. If you have any aliases for the SQL server, verify that they are correct, or remove them.
Open the SQL Server Configuration Manager (Start SQL Server 2008 Configuration Tools SQL Server Configuration Manager
Navigate to the SQL Server Network Configuration Protocols for MSSQLSERVER node in the tree view
Enable TCP/IP and Named Pipes (you’ll be warned that these changes will not apply until the service is shut down)
Maybe you are looking for
-
My IPhone 5 broke, what phone will they replace it with?
My Phone 5 broke (screen, no fault of my own) anyway, I rung Apple and went through everything I had to and tried resetting it however it still kept going white, anyway, I'm going to visit the apple store Tuesday, where the man said they will replace
-
Import & Export_Really Messed Up !!!
Not sure what happened... -but something's gotten screwed up really bad w/ both my import AND export settings in Flash (running Flash MX Pro 2004). I was in the process of importing a .MOV movie (created in Sony Vegas Movie Studio (v8.0), to be expor
-
Moving Transport Set from 9.0.4 to 10.1.2.0.0 environment
Hi, I am moving transport set from 9.0.4 environment to 10.1.2.0.0 environment. But when I import it on 10.1.2.0.0 environment I get the compatibility error, I am using imp.sh to import. Following error occurs when I try to import: Checking for Porta
-
Can anyone explain what the 'other' storage consists of and how I can decrease the size please?
Can anyone explain what the 'other' storage consists of and how I can decrease the size please?
-
What are you using Catalyst for?
Since we can't do polls, I thought we could answer in a discussion. Here are the choices: 1) Prototyping 2) Flex Application design 3) Widget design (embedded in a web page) 4) Complete site design I'll start: I use it mostly for 1) Prototyping and