Active Directory Powershell "internal error..."

Hey all,
Need help on this. I have two domains A and B. I was able to do PowerShell AD queries on both domains. Starting yesterday, I can no longer run queries on A domain. I keep getting the error below for one of the queries. I am still able to perform AD tasks on the B domain with the same credential.
Any help is appreciated!
Get-ADDomain : The server was unable to process the request due to an internal error.  For more information 
about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from 
the <serviceDebug> configuration behavior) on the server in order to send the exception information back to 
the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the 
server trace logs.

How can I tell which server it is sending the query to?
Actually, I'm not sure how PowerShell automatically determines which server it connects to when you don't specify the server via the -Server parameter. My guess is that it will try to use the closest DC it can find (try running Get-ADDomainController with no parameters, this gave me the results I was expecting to see).
If your machine lives in domainB, I think you may need to always specify a domainA server via the parameter if you want to work on objects in that domain. I'm in a single domain environment, so I don't have much personal experience in working with multiple domains.
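Added example (not part of the original thread): the Active Directory module cmdlets talk to Active Directory Web Services (ADWS, TCP 9389) on a domain controller, and the "internal error" text above is the generic fault that service returns. The sketch below shows which DC the locator picks for each domain, whether its ADWS port answers, and whether a query pinned to that DC with -Server succeeds. The domain names domainA.example and domainB.example and both function names are placeholders.

```powershell
# Added example. 'domainA.example' / 'domainB.example' are placeholder domain names.
Import-Module ActiveDirectory

function Test-ADWSEndpoint {
    param(
        [Parameter(Mandatory)][string]$DomainName
    )

    # Ask the DC locator for a domain controller in the named domain that
    # advertises Active Directory Web Services (the endpoint the AD cmdlets use).
    $dc     = Get-ADDomainController -Discover -DomainName $DomainName -Service ADWS -ErrorAction Stop
    $server = [string]($dc.HostName | Select-Object -First 1)

    # ADWS listens on TCP 9389; check reachability before blaming the query itself.
    $tcp = Test-NetConnection -ComputerName $server -Port 9389 -WarningAction SilentlyContinue

    $result = [ordered]@{
        Domain       = $DomainName
        Server       = $server
        Site         = [string]($dc.Site | Select-Object -First 1)
        Port9389Open = $tcp.TcpTestSucceeded
        QueryOk      = $false
        Error        = $null
    }

    try {
        # Pin the query to the discovered DC so the answering server is known.
        Get-ADDomain -Server $server -ErrorAction Stop | Out-Null
        $result.QueryOk = $true
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

function Test-AllDomainControllers {
    param(
        # A DC that already answered (QueryOk = True), used to list its siblings.
        [Parameter(Mandatory)][string]$BootstrapServer
    )

    # Enumerate every DC in the bootstrap server's domain and run the same
    # query against each one, to isolate a single DC with a broken ADWS.
    Get-ADDomainController -Filter * -Server $BootstrapServer | ForEach-Object {
        $name = $_.HostName
        try {
            Get-ADDomain -Server $name -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Server = $name; QueryOk = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ Server = $name; QueryOk = $false; Error = $_.Exception.Message }
        }
    }
}

# Compare the working domain with the failing one.
'domainA.example', 'domainB.example' | ForEach-Object {
    try {
        Test-ADWSEndpoint -DomainName $_
    } catch {
        Write-Warning "Discovery failed for ${_}: $($_.Exception.Message)"
    }
} | Format-Table -AutoSize
```

If one DC in domain A reports QueryOk = False while others succeed, the ADWS service and event log on that DC are the place to look.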

Similar Messages

  • Trying to delete Active Directory but getting error's

    Hi There, 
    I am trying to delete an Active Directory that I have. I have removed all subscriptions from this Active Directory but now I get the message:
    Directory contains one or more applications that were added by a user or administrator.
    Under the Active Directory, I have no applications (it used to have applications and I have since removed them).
    I don't have any other subscriptions tied to this Active Directory. It could have been used for an Office 365 trial quite a few years ago.
    How can I remove this? Tried almost everything.
    Thanks

    Hello,
    A Global Administrator can delete an Azure AD directory from the Azure Management Portal. When a directory is deleted, all resources contained in the directory are also deleted; so you should be sure you don’t need the directory before you delete it.
    ERROR:  Directory has one or more applications
    If you get this error message you may have applications associated with the directory, in order to proceed with the deletion of the directory you must ensure these are removed.
    If you select the Applications pane within Azure Active Directory check the applications, and if they are not required then proceed with deleting them. If no applications are visible then you may find that you have ‘hidden’ applications that are not yet exposed via the UI.
    In order to delete this, you will need to use Azure Active Directory PowerShell module. You can download this (Manage Azure AD using Windows PowerShell)
    Once you have downloaded the required components and successfully installed them go ahead and launch a PowerShell Console
    Connect-MsolService
    Enter your global admin credentials {example:
    [email protected]}
    It is important to note here that you won't be able to login using a Microsoft Account aka Live ID, and so if this is the only identity you have, create a work account aka organizational account in the directory first to perform this action, which you can delete once finished.
    Get-MsolServicePrincipal | Select DisplayName
    This will then show you what applications you have listed, some of which are required and won’t be able to be removed. If you don’t need any of the applications listed you can go ahead and remove them
    Get-MsolServicePrincipal | Remove-MsolServicePrincipal
    NOTE:
    You will find that some errors (red text) will be displayed; ignore that, those ones are service side service principals but they are white-listed and the deletion will work with them present.
    If this then fails, take a look at the PowerShell MSONLINE Log Files and if you still need further guidance, ensure to attach that to the support incident as it is super helpful to the support engineering teams when investigating the problem you're having.
    These files can be found “C:\Users\%username%\AppData\Local\Microsoft\Office365\Powershell\”
    Regards,
    Neelesh.

  • The Microsoft Exchange Mailbox Replication service was unable to process a request due to an unexpected error. : Error: An Active Directory Constraint Violation error occurred

    Hello,
    We have a multi domain parent child AD domain infrastructure and now we upgraded our exchange from Exchange 2007 to Exchange 2013. Since last few days, we see the below error on the mailbox server event viewer.
    EVENT ID : 1121
    The Microsoft Exchange Mailbox Replication service was unable to process a request due to an unexpected error. 
    Request GUID: '93a7d1ca-68a1-4cd9-9edb-a4ce2f7bb4cd' 
    Database GUID: '83d028ec-439d-4904-a0e4-1d3bc0f58809' 
    Error: An Active Directory Constraint Violation error occurred on <domain controller FQDN>. Additional information: The name reference is invalid. 
    This may be caused by replication latency between Active Directory domain controllers. 
    Active directory response: 000020B5: AtrErr: DSID-0315286E, #1:
    Our Exchange setup is in parent domain, but we keep on getting this error for various domain controllers in each child domain in the same site. We then configured one of the parent domain domain controller on Exchange. Still we are getting this error for
    the configured parent domain DC.
    Verified the AD replication and there is no latency or pending stuffs.
    Any support  to resolve this issue will be highly appreciated. Thank you in advance.
    Regards,
    Jnana R Dash

    Hi,
    In addition to Ed's suggestion, I would like to clarify the following things for troubleshooting:
    1. Please restart IIS at first.
    2. If the issue persists, please ping your DC on your Exchange server to check if Exchange can communicate with DC.
    Hope it helps.
    Best regards,
    Amy Wang
    TechNet Community Support

  • OBIEE 11g Active Directory Presentation Service Error retrieving user

    Hi Team,
    It was a great help from all of you on our OBIEE learnings.
    I recently configured Microsoft AD on Weblogic rather than RPD. But felt like I am in a desert of helplessness due to the complicated and lengthy documents and settings :(
    Still when I configured everything and logged in to presentation services using AD Credentials, observed following error!
    Error retrieving user/group data from Oracle BI Server's User Population API.
    Error Details
    Error Codes: GDU6UYHS:OPR4ONWY:U9IM8TAC:OI2DL65P:SDKE4UTF
    Odbc driver returned an error (SQLExecDirectW).
    State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43113] Message returned from OBIS. [nQSError: 13049] User 'gp06108' with 'oracle.bi.publisher.scheduleReport;AtAGlance;oracle.bi.publisher.accessReportOutput;_all_;oracle.bi.publisher.accessExcelReportAnalyzer;_all_;oracle.epm.financialreporting.accessReporting;Explore;oracle.bi.publisher.accessOnlineReportAnalyzer;EPM_Essbase_Filter;oracle.bi.publisher.runReportOnline;oracle.as.scheduler.security.MetadataPermission' permission can not query user population.Please have your System Administrator look at the log for more details on this error. (HY000)
    Please have your System Administrator look at the log for more details on this error.
    Expression: privileges['Admin: Catalog']['Change Permissions']
    Total blockout! Anyone faced this issue earlier

    You need a user to be present in your Active Directory Base DN that will be used as the BISystemUser. You will either have to create this user in AD or use an existing AD user and then specify its credentials in Enterprise Manager (expand Weblogic Domain > bifoundation_domain (right click) > Security > Credentials). You will need to set system.user credential under oracle.bi.system map. Make sure your AD user's password never expires or you will run into problems in a few weeks time!
    Paul

  • Active Directory password change error

    I have about 10 Macs running 10.4.11 that are bound to Active Directory (Windows 2000 Server).
    Users see the warning that their password is about to expire. However, for users who have a local account on the machine, when they attempt to change their password via System Prefs, only the local password is changed - the Active Directory password remains unchanged.
    For users who do not have a local account on the machine, this error occurs:
    "You cannot change your password to the password you entered. Your system administrator may not allow you to change your password or there was some other problem with your password."
    We have the following password requirements in place via Group Policy: complexity, length, min age (2 days), max age (90 days), history (last 4 remembered).
    Oddly, I myself am able to change my Active Directory password just fine via System Prefs. Thinking it was a permissions issue, I created an account with the same AD permissions as mine, but no dice. Oddly, I logged into a different Mac and attempted to change my password there, but received the above error. So not only am I the only one able to change their password, but I can only do this on one of the computers.
    Can anyone explain what exactly happens after you click the "change password" button, in terms of what kind of request is sent to our domain controller, and how the domain controller handles that? I'm hoping maybe that will help me to understand what is going wrong.
    Thanks.

    count me in on the issue as well. this has not always been the case for us. the console shows the directory services crashing and making a crash report. i'd really appreciate a fix for this.
    Below is the activity from the console log upon attempting to change the pass.
    12/8/08 12:19:17 PM ReportCrash[1045] Formulating crash report for process DirectoryService[857]
    12/8/08 12:19:17 PM com.apple.launchd[1] (com.apple.DirectoryServices[857]) Exited abnormally: Segmentation fault
    12/8/08 12:19:17 PM DirectoryService[1046] Launched version 5.5 (v514.23)
    12/8/08 12:19:17 PM DirectoryService[1046] Improper shutdown detected
    12/8/08 12:19:17 PM ReportCrash[1045] Saved crashreport to /Library/Logs/CrashReporter/DirectoryService2008-12-08-121916localhost.crash using uid: 0 gid: 0, euid: 0 egid: 0
    12/8/08 12:19:21 PM com.apple.DirectoryServices[1046] Enter machine password:
    12/8/08 12:19:22 PM com.apple.DirectoryServices[1046] Enter machine password:
    12/8/08 12:19:24 PM com.apple.DirectoryServices[1046] DNS update failed!
    12/8/08 12:19:39 PM com.apple.DirectoryServices[1046] DirectoryService(1046,0xb031c000) malloc: * error for object 0x94de1a40: Non-aligned pointer being freed (2)
    12/8/08 12:19:39 PM DirectoryService[1046] DirectoryService(1046,0xb031c000) malloc: * error for object 0x94de1a40: Non-aligned pointer being freed (2)
    * set a breakpoint in mallocerrorbreak to debug
    12/8/08 12:19:39 PM com.apple.DirectoryServices[1046] * set a breakpoint in mallocerrorbreak to debug
    12/8/08 12:19:39 PM DirectoryService[1046] Failed to changed computer password in Active Directory domain calacademy.org
    12/8/08 12:19:39 PM com.apple.DirectoryServices[1046] Enter machine password:
    12/8/08 12:19:40 PM com.apple.DirectoryServices[1046] Successfully registered hostname with DNS

  • Active Directory & PowerShell

    Hi
    I am trying to write a PowerShell script that compares a csv of usernames and passwords against Active Directory to ensure that the AD password is correct
    Can this be done?
    Many thanks
    Iain

    Nope.
    You cannot read the passwords from AD. In fact they aren't even stored there. What is stored is a hash that's calculated from the password prompt when the user sets their password. When they re-enter the password to log in, it takes the entered password, recalculates the hash from that, and compares it to the hash that's stored in AD.
    The password itself is never stored.
    Edit:
    You can test a set of credentials using the username and password in the csv,
    Function Test-ADAuthentication {
        param($username,$password)
        # Returns $true when a bind with the supplied credentials succeeds
        (new-object directoryservices.directoryentry "",$username,$password).psbase.name -ne $null
    }
    Test-ADAuthentication 'test' 'Password1'
    but you can't simply read the password from AD and compare it to what's in the csv.
    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

  • Active Directory Connector server Error

    Dear All,
    I've faced this exception while running the AD reconciliation job. The following is the connector server error:
    ConnectorServer.exe Information: 0 : Starting connector server: C:\Program Files (x86)\Identity Connectors\Connector Server
        DateTime=2013-06-26T08:24:23.3332424Z
    ConnectorServer.exe Information: 0 : Started connector server
        DateTime=2013-06-26T08:24:23.3801180Z
    ConnectorServer.exe Information: 0 : Server started on port: 8759
        DateTime=2013-06-26T08:24:23.3957432Z
    ConnectorServer.exe Information: 0 : Stopping connector server
        DateTime=2013-06-26T08:24:53.6617556Z
    ConnectorServer.exe Information: 0 : Stopped connector server
        DateTime=2013-06-26T08:24:53.6930060Z
    ConnectorServer.exe Information: 0 : Starting connector server: C:\Program Files (x86)\Identity Connectors\Connector Server
        DateTime=2013-06-26T08:47:53.0780484Z
    ConnectorServer.exe Information: 0 : Server started on port: 8759
        DateTime=2013-06-26T08:47:53.3749291Z
    ConnectorServer.exe Information: 0 : Started connector server
        DateTime=2013-06-26T08:47:53.3749291Z
    ConnectorServer.exe Information: 0 : Creating new pool: ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector )
        DateTime=2013-06-26T13:35:45.8003033Z
    ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: The server is not operational.
       at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.ExecuteQuery(ObjectClass oclass, String query, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 824
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.RawSearcherImpl`1.RawSearch(SearchOp`1 search, ObjectClass oclass, Filter filter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1223
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.RawSearcherImpl`1.RawSearch(Object search, ObjectClass oclass, Filter filter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1194
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.SearchImpl.Search(ObjectClass oclass, Filter originalFilter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1156
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
       at ___proxy1.Search(ObjectClass , Filter , ResultsHandler , OperationOptions )
       at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609
        DateTime=2013-06-26T13:46:24.7813215Z
    ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: The server does not support the requested critical extension.
       at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.ExecuteQuery(ObjectClass oclass, String query, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 824
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.RawSearcherImpl`1.RawSearch(SearchOp`1 search, ObjectClass oclass, Filter filter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1223
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.RawSearcherImpl`1.RawSearch(Object search, ObjectClass oclass, Filter filter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1194
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.SearchImpl.Search(ObjectClass oclass, Filter originalFilter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1156
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
       at ___proxy1.Search(ObjectClass , Filter , ResultsHandler , OperationOptions )
       at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609
        DateTime=2013-06-26T13:46:33.2346088Z
    ConnectorServer.exe Error: 0 : System.IO.IOException: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine. ---> System.Net.Sockets.SocketException: An established connection was aborted by the software in your host machine
       at System.Net.Sockets.Socket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
       at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       --- End of inner exception stack trace ---
       at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.IO.BufferedStream.FlushWrite()
       at System.IO.BufferedStream.Flush()
       at Org.IdentityConnectors.Framework.Impl.Serializer.Binary.BinaryObjectEncoder.Flush() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\SerializerBinary.cs:line 291
       at Org.IdentityConnectors.Framework.Impl.Api.Remote.RemoteFrameworkConnection.Dispose() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiRemote.cs:line 132
       at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.Run() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 380
        DateTime=2013-06-26T13:46:33.3908618Z
    ConnectorServer.exe Error: 0 : System.IO.IOException: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine. ---> System.Net.Sockets.SocketException: An established connection was aborted by the software in your host machine
       at System.Net.Sockets.Socket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
       at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       --- End of inner exception stack trace ---
       at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.IO.BufferedStream.FlushWrite()
       at System.IO.BufferedStream.WriteByte(Byte value)
       at Org.IdentityConnectors.Framework.Impl.Serializer.Binary.InternalEncoder.WriteInt(Int32 v) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\SerializerBinary.cs:line 179
       at Org.IdentityConnectors.Framework.Impl.Serializer.Binary.InternalEncoder.WriteObject(ObjectEncoder encoder, Object obj) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\SerializerBinary.cs:line 112
       at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessRequest() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 462
       at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.Run() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 370
        DateTime=2013-06-26T13:46:33.3908618Z
    Thanks
    Shereen

    In the troubleshooting section of the guide, couple of reasons for this exception are mentioned. Maybe you can browse through them.
    Troubleshooting

  • Bulk create Active Directory Users and Groups in PowerShell using Excel XLSX source file instead of CSV

    Hi Scripting Guy. I am a Server Administrator who is very familiar with Active Directory, but new to PowerShell. Like many SysAdmins, I often need to create multiple accounts (ranging from 3-200) and add them to multiple groups (ranging from 1 - 100). Previously I used VBS scripts in conjunction with an Excel .XLS file (not CSV file). Since VBS is essentially out the door and PowerShell is in - I am having to re-create everything.
    I have written a PowerShell script that bulk creates my users and adds them to their corresponding groups - however, this can only use a CSV file (NOT an XLS file). I understand that "CSV is much easier to use than Excel worksheets", but most times I have three sets of nearly identical groups (for Dev, QA and Prod). Performing Search and Replace on the Excel template across all four Worksheets ensures the names used are consistent throughout the three environments.
    I know each Excel Worksheet can be exported as a separate CSV file and then use the PowerShell scripts as is, but since I am not the only SysAdmin who will be using these it leads to "unnecessary time lost", not to mention the reality that even though you clearly state "These tabs need to be exported using this naming standard" (to work with the PowerShell scripts) that is not the result.
    I've been tasked to find a way to modify my existing PowerShell/CSV scripts to work with Excel spreadsheets/workbooks instead - with no success. I have run across many articles/forums/scripts that let you update Excel or export AD data into an Excel spreadsheet (even specifying the worksheet, column and row) - but nothing for what I am trying to do.
    I can't imagine that I am the ONLY person who is in this situation/has this need. So, I am hoping you can help. How do I modify my existing scripts to reference "use this Excel spreadsheet, and this specific worksheet in the spreadsheet prior to performing the New-ADUser/Add-ADGroupMember commands".
    For reference, I am including Worksheet/Column names of my Excel Spreadsheet Template as well as the first part of my PowerShell script. M-A-N-Y T-H-A-N-K-S in advance.
       Worksheet:  Accounts
         Columns: samAccountName, CN_DisplayName_Name, sn_LastName, givenName_FirstName, Password, Description, TargetOU
       Worksheets:  DevGroups / QAGroups / ProdGroups
         Columns:  GroupName, Members, MemberOf, Description, TargetOU
    # Load PowerShell Active Directory module
    Write-Host "Loading Active Directory PowerShell module." -foregroundcolor DarkCyan # -backgroundcolor Black
    Import-Module ActiveDirectory
    Write-Host " "
    # Set parameter for location of CSV file (so source file only needs to be listed once).
    $path = ".\CreateNewUsers-CSV.csv"
    # Import CSV file as data source for remaining script.
    $csv = Import-Csv -path $path | ForEach-Object {
    # Add '@saccounty.net' suffix to samAccountName for UserPrincipalName
    $userPrincinpal = $_."samAccountName" + "@saccounty.net"
    # Create and configure new AD User Account based on information from the CSV source file.
    Write-Host " "
    Write-Host " "
    Write-Host "Creating and configuring new user account from the CSV source file." -foregroundcolor Cyan # -backgroundcolor Black
    New-ADUser -Name $_."cn_DisplayName_Name" `
    -Path $_."TargetOU" `
    -DisplayName $_."cn_DisplayName_Name" `
    -GivenName $_."givenName_FirstName" `
    -SurName $_."sn_LastName" `
    -SamAccountName $_."samAccountName" `
    -UserPrincipalName $userPrincinpal
    }

    Here is the same script as a function:
    Function Get-ExcelSheet{
        Param(
            $fileName = 'C:\scripts\test.xls',
            $sheetName = 'csv2'
        )
        # Open the workbook through the Jet OLE DB provider and read the named worksheet
        $conn = New-Object System.Data.OleDb.OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source = $fileName;Extended Properties=Excel 8.0")
        $cmd=$conn.CreateCommand()
        $cmd.CommandText="Select * from [$sheetName$]"
        $conn.open()
        $cmd.ExecuteReader()
    }
    It is called like this:
    Get-ExcelSheet -filename c:\temp\myfilename.xslx -sheetName mysheet
    Do NOT change anything in the function and post the exact error.  If you don't have Office installed correctly or are running 64 bits with a 32 bit session you will have to adjust your system.
    ¯\_(ツ)_/¯
    Hi JRV,
    My apologies for not responding sooner - I was pulled off onto another project this week.  I have included and called your Get-ExcelSheet function as best as I could...
    # Load PowerShell Active Directory module
    Write-Host "Loading Active Directory PowerShell module." -foregroundcolor DarkCyan # -backgroundcolor Black
    Import-Module ActiveDirectory
    Write-Host " "
    # JRV This Function Loads the Excel Reader
    Function Get-ExcelSheet{
        Param(
            $fileName = 'C:\scripts\test.xls',
            $sheetName = 'csv2'
        )
        $conn = New-Object System.Data.OleDb.OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source = $fileName;Extended Properties=Excel 8.0")
        $cmd=$conn.CreateCommand()
        $cmd.CommandText="Select * from [$sheetName$]"
        $conn.open()
        $cmd.ExecuteReader()
    }
    # Set parameter for location of CSV file (so source file only needs to be listed once) as well as Worksheet Names.
    $sourceFile = ".\NewDocClass-XLS-Test.xlsx"
    # Add '@saccounty.net' suffix to samAccountName for UserPrincipalName
    $userPrincinpal = $_."samAccountName" + "@saccounty.net"
    # Combine GivenName & SurName for DisplayName
    $displayName = $_."sn_LastName" + ". " + $_."givenName_FirstName"
    # JRV Call the Get-ExcelSheet function, providing FileName and SheetName values
    # Pipe the data from source for remaining script.
    Get-ExcelSheet -filename "E:\AD_Bulk_Update\NewDocClass-XLS-Test.xlsx" -sheetName "Create DocClass Accts" | ForEach-Object {
    # Create and configure new AD User Account based on information from the CSV source file.
    Write-Host " "
    Write-Host " "
    Write-Host "Creating and configuring new user account from the CSV source file." -foregroundcolor Cyan # -backgroundcolor Black
    New-ADUser -Name ($_."sn_LastName" + ". " + $_."givenName_FirstName") `
    -SamAccountName $_."samAccountName" `
    -UserPrincipalName $userPrincinpal `
    -Path $_."TargetOU"
    }
    Below are the errors I get:
    Exception calling "Open" with "0" argument(s): "The 'Microsoft.Jet.OLEDB.4.0'
    provider is not registered on the local machine."
    At E:\AD_Bulk_Update\Create-BulkADUsers-XLS.ps1:39 char:6
    + $conn.open()
    + ~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException
    Exception calling "ExecuteReader" with "0" argument(s): "ExecuteReader
    requires an open and available Connection. The connection's current state is
    closed."
    At E:\AD_Bulk_Update\Create-BulkADUsers-XLS.ps1:40 char:6
    + $cmd.ExecuteReader()
    + ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException
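Added example (not from the thread's participants): Microsoft.Jet.OLEDB.4.0 exists only as a 32-bit provider and does not read .xlsx workbooks, which matches the "provider is not registered" error above. The sketch below assumes the Microsoft Access Database Engine (the Microsoft.ACE.OLEDB.12.0 provider) is installed with the same bitness as the PowerShell session; the function name Get-ExcelSheetRows is hypothetical, and the file and sheet names are the ones quoted in the post.

```powershell
# Added example. Assumes the ACE OLE DB provider is installed; Get-ExcelSheetRows is a hypothetical name.
function Get-ExcelSheetRows {
    param(
        [Parameter(Mandatory)][string]$FileName,
        [Parameter(Mandatory)][string]$SheetName
    )

    $provider = 'Microsoft.ACE.OLEDB.12.0'

    # OLE DB providers are registered per bitness, so list what THIS process can see.
    $registered = @()
    $elements = (New-Object System.Data.OleDb.OleDbEnumerator).GetElements()
    foreach ($element in $elements.Rows) { $registered += [string]$element['SOURCES_NAME'] }

    if ($registered -notcontains $provider) {
        $bits = if ([Environment]::Is64BitProcess) { '64-bit' } else { '32-bit' }
        throw "$provider is not registered for this $bits PowerShell session."
    }

    # The sheet name is spliced into the query text, so reject bracket characters.
    if ($SheetName -match '[\[\]]') {
        throw "Sheet name '$SheetName' contains '[' or ']'."
    }

    # Relative paths resolve against the process directory, not the PowerShell
    # location, so hand the provider an absolute path.
    $path = (Resolve-Path -LiteralPath $FileName).ProviderPath
    $connString = "Provider=$provider;Data Source=$path;" +
                  "Extended Properties=`"Excel 12.0 Xml;HDR=YES;IMEX=1`""

    $conn  = New-Object System.Data.OleDb.OleDbConnection($connString)
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT * FROM [$SheetName`$]"
        $adapter = New-Object System.Data.OleDb.OleDbDataAdapter($cmd)
        [void]$adapter.Fill($table)
    } finally {
        # Release the file handle even when Open() or Fill() throws.
        $conn.Dispose()
    }

    # Emit one object per worksheet row, with the header row as property names,
    # so the result pipes into ForEach-Object the way Import-Csv output does.
    foreach ($row in $table.Rows) {
        $obj = [ordered]@{}
        foreach ($col in $table.Columns) {
            $value = $row[$col]
            $obj[$col.ColumnName] = if ($value -is [System.DBNull]) { $null } else { $value }
        }
        [pscustomobject]$obj
    }
}

# Dry run: show what would be read before wiring it to New-ADUser.
Get-ExcelSheetRows -FileName 'E:\AD_Bulk_Update\NewDocClass-XLS-Test.xlsx' `
                   -SheetName 'Create DocClass Accts' |
    Select-Object samAccountName, TargetOU |
    Format-Table -AutoSize
```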

  • Error Active Directory Target Reconciliation

    Hi,
    I am trying to run target reconciliation for AD.
    I reconciled 8000 users successfully, but I have 22 users with errors.
    I want to know if the problem is with the AD user attributes or with the OIM.
    I'm getting the following exception:
    INFO,15 Apr 2011 11:22:53,229,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : setTaskSchedulerObjectName : Starting Active Directory Target Reconciliation
    ERROR,15 Apr 2011 11:22:53,687,[OIMCP.ADCS],====================================================
    ERROR,15 Apr 2011 11:22:53,687,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : processUserChange : null
    ERROR,15 Apr 2011 11:22:53,687,[OIMCP.ADCS],====================================================
    ERROR,15 Apr 2011 11:22:53,688,[OIMCP.ADCS],================= Start Stack Trace =======================
    ERROR,15 Apr 2011 11:22:53,688,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : processUserChange
    ERROR,15 Apr 2011 11:22:53,688,[OIMCP.ADCS],
    ERROR,15 Apr 2011 11:22:53,689,[OIMCP.ADCS],Description : null
    ERROR,15 Apr 2011 11:22:53,689,[OIMCP.ADCS],Thor.API.Exceptions.IllegalInputException
    at Thor.API.Operations.tcReconciliationOperationsClient.ignoreEvent(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor287.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.security.Security.runAs(Security.java:41)
    at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
    at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
    at $Proxy73.ignoreEvent(Unknown Source)
    at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.processUserChange(Unknown Source)
    at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.processBatch(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
    at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.performReconciliation(Unknown Source)
    at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.execute(Unknown Source)
    at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.security.Security.runAs(Security.java:41)
    at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:178)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:477)
    ERROR,15 Apr 2011 11:22:53,689,[OIMCP.ADCS],================= End Stack Trace =======================
    INFO,15 Apr 2011 11:22:53,781,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : execute : End of Active Directory Reconciliation....
    Thanks,
    Ariel

    "Thor.API.Exceptions.IllegalInputException" , this exception tells me that the data which you are reconciling has unsupported characters.
    Validate the data.
    Thanks
    Suren

  • [Forum FAQ] Using PowerShell to assign permissions on Active Directory objects

    As we all know, the ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
    To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed below:
    System.DirectoryServices.ActiveDirectoryAccessRule class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
    System.DirectoryServices.ActiveDirectoryRights class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
    System.Security.AccessControl.AccessControlType class:
    http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
    System.DirectoryServices.ActiveDirectorySecurityInheritance class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
    In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general, we use Active Directory Service Interfaces (ADSI) or Active Directory module cmdlets with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use the extended rights and GUID settings to execute more complex permission settings.
    Method 1: Using ADSI
    1. Get current permissions of an organizational unit (OU)
    We can use the PowerShell script below to get the current permissions of an organizational unit; you just need to define the name of the OU.
    $Name = "OU=xxx,DC=com"
    $ADObject = [ADSI]"LDAP://$Name"
    $aclObject = $ADObject.psbase.ObjectSecurity
    # Return explicit and inherited ACEs, with each trustee as a SID
    $aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
    $output=@()
    foreach($acl in $aclList)
    {
        $objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
        $info = @{
            'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
            'InheritanceType' = $acl.InheritanceType;
            'ObjectType' = $acl.ObjectType;
            'InheritedObjectType' = $acl.InheritedObjectType;
            'ObjectFlags' = $acl.ObjectFlags;
            'AccessControlType' = $acl.AccessControlType;
            'IdentityReference' = $acl.IdentityReference;
            'NTAccount' = $objSID.Translate( [System.Security.Principal.NTAccount] );
            'IsInherited' = $acl.IsInherited;
            'InheritanceFlags' = $acl.InheritanceFlags;
            'PropagationFlags' = $acl.PropagationFlags;
        }
        $obj = New-Object -TypeName PSObject -Property $info
        $output+=$obj
    }
    $output
    In the figure below, you can see the results of running the script above:
    Figure 1.
    2. Assign a computer object with Full Control permission on an OU
    We can use the script below to delegate Full Control permission to the computer objects within an OU:
    $SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
    $computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
    $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
    $SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
    $SysManObj.psbase.commitchanges()
    After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
    Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
    You can use the script below to get and assign Full Control permission to a computer object on an OU:
    Import-Module ActiveDirectory # loads the AD: drive that Get-Acl and Set-Acl use below
    $acl = get-acl "ad:OU=xxx,DC=com"
    $acl.access #to get access right of the OU
    $computer = get-adcomputer "COMPUTERNAME"
    $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
    # Create a new access control entry to allow access to the OU
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
    # Add the ACE to the ACL, then set the ACL to save the changes
    $acl.AddAccessRule($ace)
    Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
    Method 3: Using GUID setting
    The scripts above can only help us to complete simple tasks. However, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve that.
    The specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by setting the ObjectType field in an object specific ACE to the rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the InheritedObjectType field to the schemaIDGuid of the class.
    We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
    You can use the script below to assign the group object with the permission to change user password on all user objects within an OU.
    Import-Module ActiveDirectory # loads the AD: drive that Get-Acl and Set-Acl use below
    $acl = get-acl "ad:OU=xxx,DC=com"
    $group = Get-ADgroup xxx
    $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
    # The following object specific ACE is to grant Group permission to change user password on all user objects under OU
    $objectguid = new-object Guid 00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password ("Reset Password")
    $inheritedobjectguid = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user class
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
    $acl.AddAccessRule($ace)
    Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
    The figure below shows the result of running the script above:
    Figure 2.
    In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed as below:
    $guidChangePassword      = new-object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
    $guidLockoutTime         = new-object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
    $guidPwdLastSet          = new-object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
    $guidComputerObject      = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
    $guidUserObject          = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
    $guidLinkGroupPolicy     = new-object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
    $guidGroupPolicyOptions  = new-object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
    $guidResetPassword       = new-object Guid 00299570-246d-11d0-a768-00aa006e0529
    $guidGroupObject         = new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2
    $guidContactObject       = new-object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
    $guidOUObject            = new-object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
    $guidPrinterObject       = new-object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
    $guidWriteMembers        = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
    $guidNull                = new-object Guid 00000000-0000-0000-0000-000000000000
    $guidPublicInformation   = new-object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
    $guidGeneralInformation  = new-object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
    $guidPersonalInformation = new-object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
    $guidGroupMembership     = new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
    More information:
    Add Object Specific ACEs using Active Directory Powershell
    http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
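    A read-only audit to go with the three methods above, added here as an example and not part of the original FAQ post: it lists the ACEs on a security descriptor that grant Full Control, DACL or owner rewrite, password reset, or group-membership write, naming GUIDs from the article's list. The function names Get-RiskyAce and Resolve-AdGuid are hypothetical, the SIDs are constructed sample values, and it assumes Windows PowerShell 5.1 or later.

    ```powershell
    # Added example. SIDs are constructed sample values; no domain controller is contacted.
    Add-Type -AssemblyName System.DirectoryServices

    # GUID-to-name map, using values from the GUID list in the article.
    $GuidName = @{
        '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
        'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password (extended right)'
        'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (attribute)'
        'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
        'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer (class)'
        'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group (class)'
        '00000000-0000-0000-0000-000000000000' = '(all)'
    }

    function Resolve-AdGuid {
        param([Guid] $Guid)
        $key = $Guid.ToString()
        if ($GuidName.ContainsKey($key)) { $GuidName[$key] } else { $key }
    }

    function Get-RiskyAce {
        param(
            [Parameter(Mandatory = $true)]
            [System.DirectoryServices.ActiveDirectorySecurity] $SecurityDescriptor,
            [switch] $IncludeInherited
        )
        $r         = [System.DirectoryServices.ActiveDirectoryRights]
        $full      = [int]($r::GenericAll)
        $takeover  = [int]($r::WriteDacl -bor $r::WriteOwner)
        $extended  = [int]($r::ExtendedRight)
        $writeProp = [int]($r::WriteProperty)
        $resetPwd  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
        $member    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
        $sidType   = [System.Security.Principal.SecurityIdentifier]

        # Explicit ACEs always; inherited ones only when asked for.
        $rules = $SecurityDescriptor.GetAccessRules($true, $IncludeInherited.IsPresent, $sidType)
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $mask   = [int]$ace.ActiveDirectoryRights
            $reason = $null
            if (($mask -band $full) -eq $full) {
                $reason = 'Full Control'
            } elseif ($mask -band $takeover) {
                $reason = 'Can rewrite the DACL or take ownership'
            } elseif (($mask -band $extended) -and ($ace.ObjectType -in @($resetPwd, [Guid]::Empty))) {
                $reason = 'Can reset passwords'
            } elseif (($mask -band $writeProp) -and ($ace.ObjectType -in @($member, [Guid]::Empty))) {
                $reason = 'Can change group membership'
            }
            if ($reason) {
                [pscustomobject]@{
                    Principal   = $ace.IdentityReference.Value
                    Rights      = $ace.ActiveDirectoryRights
                    ObjectType  = Resolve-AdGuid $ace.ObjectType
                    AppliesTo   = Resolve-AdGuid $ace.InheritedObjectType
                    Inheritance = $ace.InheritanceType
                    Reason      = $reason
                }
            }
        }
    }

    # Constructed in-memory descriptor mirroring the grants made in Methods 1-3.
    $sidBase  = 'S-1-5-21-1111111111-2222222222-3333333333'
    $helpdesk = [System.Security.Principal.SecurityIdentifier]"$sidBase-1105"
    $computer = [System.Security.Principal.SecurityIdentifier]"$sidBase-1106"
    $reader   = [System.Security.Principal.SecurityIdentifier]"$sidBase-1107"
    $rule     = [System.DirectoryServices.ActiveDirectoryAccessRule]
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow

    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.AddAccessRule($rule::new($helpdesk, $rights::ExtendedRight, $allow,
            [Guid]'00299570-246d-11d0-a768-00aa006e0529', $inherit::Descendents,
            [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'))
    $sd.AddAccessRule($rule::new($computer, $rights::GenericAll, $allow, $inherit::All))
    $sd.AddAccessRule($rule::new($reader, $rights::ReadProperty, $allow, $inherit::All))

    # The ReadProperty grant is not reported; the other two are.
    Get-RiskyAce -SecurityDescriptor $sd | Format-Table -AutoSize
    ```

    Against a live directory, pass the descriptor returned by Get-Acl on the AD: drive (the same "ad:OU=xxx,DC=com" style path used above), and add -IncludeInherited to see grants that flow down from parent containers.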

    The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
    Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
    Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
    If you've got time, check out this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
    Sample version 3.0:
    # This is going to be kind of slow, and it will take a few seconds the first time
    # you run it because it has to build the list of GUID <--> Property/Class/etc objects
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
    # Same as the previous command, except limit it to access granted to GroupX
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
    Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
    Get-ADGroup GroupY |
    Get-AccessControlEntry
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
    # You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.AccessMask -match "All Prop|member Prop" }
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
    That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
    New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object
     

  • Active Directory - "Failed to Ping Infrastructure Op Master"

    FYI - I've opened this in the AD forum, and it was suggested I move this to SCOM, as it could be that I need to tweak SCOM settings for AD.
    Hello - three of our domain controllers have started to randomly report this error at different times in the day.  There have been three different occurrences from three different domain controllers.   Two of the reporting domain controllers are VM's
    - and one is physical.  Switch logs look clean, no reports of any issues nor any other servers having network issues.  As far as the error - it's being reported from SCOM and I'm wondering if this is a legit error or not.  The Op Master is a
    physical host, not a VM.  Logs on both servers look clean, no sign of network issues.  TIA!!
    AD Op Master Response : Failed to ping Infrastructure Op Master 'servername.
    The default gateway (172.25.x.x) is not pingable.
    AD Replication Monitoring : encountered a runtime error.
    Failed to write the adminDescription attribute of 'CN=servername,CN=,DC=com' to Active Directory.
    The error returned was: 'The object already exists.
    ' (0x80071392)
    Check the access permissions for this object.
    Some more info on this:  
    I've checked AD performance (replication) and it looks like all is well.  The question I have, is that this is also
    the Primary DNS server for our internal networks.  Is it possible that there could be too much traffic (ethernet) on the server and thus it's causing this alert?  So in summary, this server is the PDC Emulator, RID Master, Infrastructure Master AND
    the Primary DNS server.  Our network is comprised of @ 400 servers, 1300 workstations, and a lot of in-house custom applications that who knows generates how many DNS requests....
    Mike Zamborini

    Hello
    I have 4 physical boxes and 4 virtual.
    Most of the alerts are coming from the virtual boxes, but I have one instance where a physical box is reporting the issue too (talking to another physical box).  So I guess I cannot say mine's completely virtual.  I can say this, the machines are
    in blades..  Is it possible that I should be digging in on that side?  (note, multiple blade chassis' are involved)
    Mike Zamborini

  • Looking for Help with Active Directory Script to Remove a User from msExchDelegateListLink

    I'm struggling to put together an Active Directory Powershell script that will remove a specific user from the msExchDelegateListLink.
    It looks like Set-AdUser would do the trick. I would want to remove a user in the format of
    {CN=Wood\, Sandy,OU=Networking,OU=IT,DC=my,DC=domain,DC=com}
    Has anyone succeeded in doing this before?
    Orange County District Attorney

    I use this:
    $user = '<user name>'
    $userDN = Get-ADUser $user | select -ExpandProperty DistinguishedName
    $delegates = Get-ADUser $user -Properties msExchDelegateListBL |
    select -ExpandProperty msExchDelegateListBL
    foreach ($delegate in $delegates)
    {
        # Remove the user's DN from each delegate's msExchDelegateListLink
        Set-ADUser $delegate -Remove @{msExchDelegateListLink = "$UserDN"}
    }
    Never quite got around to putting it into a function.
    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

  • Failed to install Active directory domain services

    Hi,
    I've installed the AD Domain Services on Windows2008R2 by following this guide http://technet.microsoft.com/en-gb/library/cc755059%28WS.10%29.aspx. After clicking 'Install' (step 6), it showed that the installation failed, but there is no clue at all why it failed.
    Here is a log I copied from C:\Windows\logs\ServerManager.log
    2204: 2011-01-05 12:57:54.333 [InstallationProgressPage]  Loading progress page...
    2204: 2011-01-05 12:57:54.411 [InstallationProgressPage]  Begining Sync operation...
    2204: 2011-01-05 12:57:54.458 [Sync]                     
    Sync Graph of changed nodes
    ==========
    name     : Active Directory Domain Services
    state    : Changed
    rank     : 1
    sync tech: CBS
    guest[1] : Active Directory Domain Controller
    guest[2] : Identity Management for UNIX
    ant.     : empty
    pred.    : empty
    provider : null
    name     : Active Directory Domain Controller
    state    : Changed
    rank     : 4
    sync tech: CBS
    ant.     : .NET Framework 3.5.1
    pred.    : Active Directory Domain Services, .NET Framework 3.5.1
    provider : Provider
    2204: 2011-01-05 12:57:54.458 [Sync]                      Calling sync provider of Active Directory Domain Controller ...
    2204: 2011-01-05 12:57:54.473 [Provider]                  Sync:: guest: 'Active Directory Domain Controller', guest deleted?: False
    2204: 2011-01-05 12:57:54.473 [Provider]                  Begin installation of 'Active Directory Domain Controller'...
    2204: 2011-01-05 12:57:54.473 [Provider]                  Install: Guest: 'Active Directory Domain Controller', updateElement: 'DirectoryServices-DomainController'
    2204: 2011-01-05 12:57:54.473 [Provider]                  Installation queued for 'Active Directory Domain Controller'.
    2204: 2011-01-05 12:57:54.473 [CBS]                       installing 'DirectoryServices-DomainController ' ...
    2204: 2011-01-05 12:57:55.020 [CBS]                       ...parents that will be auto-installed: 'NetFx3 '
    2204: 2011-01-05 12:57:55.020 [CBS]                       ...default children to turn-off: '<none>'
    2204: 2011-01-05 12:57:55.036 [CBS]                       ...current state of 'DirectoryServices-DomainController': p: Staged, a: Staged, s: UninstallRequested
    2204: 2011-01-05 12:57:55.036 [CBS]                       ...setting state of 'DirectoryServices-DomainController' to 'InstallRequested'
    2204: 2011-01-05 12:57:55.051 [CBS]                       ...current state of 'NetFx3': p: Installed, a: Installed, s: InstallRequested
    2204: 2011-01-05 12:57:55.051 [CBS]                       ...skipping 'NetFx3' because it is already in the desired state.
    2204: 2011-01-05 12:57:55.098 [CBS]                       ...'DirectoryServices-DomainController' : applicability: Applicable
    2204: 2011-01-05 12:57:55.114 [CBS]                       ...'NetFx3' : applicability: Applicable
    2204: 2011-01-05 12:57:55.770 [CbsUIHandler]              Initiate:
    2204: 2011-01-05 12:57:55.770 [InstallationProgressPage]  Installing...
    2204: 2011-01-05 12:58:49.176 [CbsUIHandler]              Error: -2147021879 :
    2204: 2011-01-05 12:58:49.176 [CbsUIHandler]              Terminate:
    2204: 2011-01-05 12:58:49.254 [InstallationProgressPage]  Verifying installation...
    2204: 2011-01-05 12:58:49.270 [CBS]                       ...done installing 'DirectoryServices-DomainController '. Status: -2147021879 (80070bc9)
    2204: 2011-01-05 12:58:49.270 [Provider]                  Skipped configuration of 'Active Directory Domain Controller' because install operation failed.
    2204: 2011-01-05 12:58:49.270 [Provider]                 
    [STAT] ---- CBS Session Consolidation -----
    [STAT] For
              'Active Directory Domain Controller'[STAT] installation(s) took '54.7870005' second(s) total.
    [STAT] Configuration(s) took '0.0003053' second(s) total.
    [STAT] Total time: '54.7873058' second(s).
    2204: 2011-01-05 12:58:49.270 [Provider] Error (Id=0) Sync Result - Success: False, RebootRequired: True, Id: 110
    2204: 2011-01-05 12:58:49.286 [Provider] Error (Id=0) Sync Message - OperationKind: Install, MessageType: Error, MessageCode: -2147021879, Message: <null>, AdditionalMessage: The requested operation failed. A system reboot is required to roll back changes made
    2204: 2011-01-05 12:58:49.286 [InstallationProgressPage]  Sync operation completed
    2204: 2011-01-05 12:58:49.286 [InstallationProgressPage]  Performing post install/uninstall discovery...
    2204: 2011-01-05 12:58:49.286 [Provider]                  C:\Windows\system32\ServerManager\Cache\CbsUpdateState.bin does not exist.
    2204: 2011-01-05 12:58:49.286 [CBS]                       IsCacheStillGood: False.
    2204: 2011-01-05 12:58:49.786 [CBS]                       >>>GetUpdateInfo--------------------------------------------------
    2204: 2011-01-05 12:59:46.520 [CBS] Error (Id=0) Function: 'ReadUpdateInfo()->Update_GetInstallState' failed: 80070bc9 (-2147021879)
    2204: 2011-01-05 12:59:46.520 [CBS]                       <<<GetUpdateInfo--------------------------------------------------
    2204: 2011-01-05 12:59:46.598 [DISCOVERY]                 hr: -2147021879 -> reboot required.
    2204: 2011-01-05 12:59:46.739 [InstallationProgressPage]  About to load finish page...
    2204: 2011-01-05 12:59:46.739 [InstallationFinishPage]    Loading finish page
    2204: 2011-01-05 12:59:46.801 [InstallationFinishPage]    Finish page loaded
    I also checked the event viewer; here are the event properties that occurred during the installation:
    Initiating changes to turn on update DirectoryServices-DomainController of package DirectoryServices-DomainController-Package. Client id: RMT
    Update Directoryservices-DomainController of package DirectoryServices-DomainController-Package failed to be turned on. Status: 0x80070bc9
    Installation failed. A restart is required.
    Roles:
    Active Directory Domain Services
    Error: The server needs to be restarted to undo the changes
    Please help.
    Thanks,
    balrogz

    Another thing to check is to ensure the server service is up and running.
    http://blogs.dirteam.com/blogs/paulbergson/archive/2014/04/29/can-t-add-the-role-quot-active-directory-domain-services-quot-to-my-2008-r2-server.aspx
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • The Active Directory Domain Services is currently unavailable....printer "unseen"

    I have Windows 7 on an Acer Aspire 5742 laptop and an HP LaserjetP1102w. There are two wireless laptops in the household. I am trying to print from Microsoft Word Starter, but it states "No Printers Installed" and if I try to add a printer I get the message: The Active Directory Domain Services is currently unavailable.
    I can print Self Test/Device configuration sheets (on this the iPv4 reads as 0.0.0.0.), a printer test page and a test print from the HP Print and Scan Doctor.  It is the network which is not reading the printer.
    I have disabled my firewall, un- and re-installed the printer.  I have also tried to uninstall and reinstall the printer using the Windows 7 installer utility, but that tells me this printer "is not currently supported by this Wizard".
    I have searched the web for people with the same problem but found nothing that has helped me.  Not to put too fine a point on it I am at my wit's end.
    You are my last resort (no pressure, then!)
    This question was solved.

    Are the configuration reports with the 0.0.0.0 being printed directly from the printer?  A 0.0.0.0 address indicates the printer is not actually on the network (or at least not getting DHCP information from the router).  The Print and Scan Doctor should not have been able to print to it unless it happened to be connected by a USB cable as well.
    What brand and model is the router?
    Is the wireless light a solid blue light or a flashing blue light?
    You mentioned an Active Directory Domain Services error message.  Outside of corporate networks, this is not an error message you should get.  I suspect there might be a deeper software issue at fault.  Please provide the exact steps you are using to add the printer to generate that error message.

  • 802.1x, catalyst, ACS & active directory external DB!

    Hi,
    I'm working with 802.1x over catalyst switch, ACS 3.1 as Radius and external DB users authentication on Ms Active Directory with LDAP.
    My questions are:
    1) Are the only EAP versions supported by Catalyst MD5-EAP and EAP-TLS (not PEAP and LEAP)?
    2) Is the only supported method to authenticate users from ACS to AD EAP-TLS? Is EAP-MD5 not supported over the LDAP access protocol?
    3) Can I import the users from Active Directory to Internal ACS data base? (like a RDBMS...)
    thanks,
    Graz.

    I am in an installation with 802.1x.
    I have installed a Cisco ACS and a Cisco 2950 switch, and I am authorizing users via MS-CHAPv2 against the Cisco ACS.
    ACS is validating users against a Microsoft Active Directory.
    I have the following problem: when a user logs in, it takes between 45 and 90 sec to log the user in and change the VLAN.
    I have installed Windows XP Service Pack 2 and patches:
    xp-kb817778-x86-esn
    xp-kb826942-x86-esn
    I have changed the switch software to the latest release.
    How can I reduce this delay? Any idea?
