Active Directory RDP Logon Issue

Similar Messages

• Active directory SYSVOL replication issues

  Hello. 
  I have 2 domain controllers, both of them on the same site DC1 & DC2. I have added a new site with a DC3. When I have added DC3 to the domain, I have realized, SYSVOL was not initialized correctly. I went back to DC1 and found out, there's following
  error in the event viewer:
  Error: 4012 on DC1
  The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter
  (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
  Error: 2213 on DC2
  The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication
  WMI method to resume replication. 
  This indicates a DFS replication issue between DC1 & DC2 and probably this would be the reason, why the SYSVOL was not properly initialized on DC3. 
  How can I restore correct DFS replication between DC1 & DC2? I've read
  this article, but it's not clear to me, which of the 2 domain controllers has a good version of SYSVOL + I can not find a decent step-by-step article for reconnecting Windows 2012 domain controller.
  Any idea, how I can proceed further here?

  Here's a complete documentation with resolution of my issue. I have created this documentation for my own purposes in our WIKI, so I will paste it here (I hope, it will help somebody else in the future):
  The Problem
  We have bought a new server for our domain. This server (NEWDC01) was promoted to be a domain
  controller in the DOMAIN. After the promotion, I have added a single computer to the domain. When I have logged on the client to the domain, I realized, this computer is not using the new domain controller (NEWDC01)
  for authentication, but DC02 domain controller instead. This is not intended. Local clients should use local domain controllers for authentication (assuming, the Active directory sites & services are configured properly). Further investigation revealed,
  there are some replication errors on OLDDC01 & OLDDC02 servers. First I need to solve these replication errors. Then I can
  add the NEWDC01 server to domain properly.
  Analysis
  There are several errors related to DFSR replication on both domain controllers:
  Error: 4012 on OLDDC01
  The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain.
  This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder
  until this error is corrected.
  Error: 2213 on OLDDC02
  The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database
  is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
  In order to have active directory in a healthy condition, one must ensure, there’s a successful
  replication between existing domain controllers up and running. If the replication does not work correctly, you can expect bunch of issues.
  group policies and logon scripts are not applied correctly, or as intended
  when you want to add a new domain controller to the domain, it will not work as expected (although, you will not see any specific errors after the
  server is promoted to be a domain controller)
  Active directory backup
  I have scheduled an AD backup on OLDDC01 server using the ‘Windows Backup’ solution to make sure,
  I can restore the AD / SYSVOL, in case something goes wrong. The backup is scheduled to be executed every day.
  Active directory restore
  In this particular case, I will talk only about SYSVOL restore. As indicated above, we must get
  rid of the DFSR event viewer errors which you can find in event viewer. One of them is indicating, that the JET database was not shut down cleanly and autorecovery was disabled. The other error indicates, the SYSVOL volume is no longer replicated. I am not
  sure, what is the reason, why the AD’s in the domain stopped to replicate. Probably it was an unclean server shutdown. The DFSR service stopped to replicate the SYSVOL share and I was not aware about that. When the replication did not run for more than ~99
  days, the SYSVOL share was excluded from the DFSR replications.
  Find out the most accurate SYSVOL share in the domain
  I have compared the content of the SYSVOL directories on both OLDDC01 and OLDDC02 servers: C:\Windows\SYSVOL\domain\Policies.
  Both directories have 37 subdirectories. Each subdirectory corresponds to one group policy. This means, that the content is approximately the same, thus I can’t tell, which version is most recent. I do most of the GPO changes on OLDDC01, so I made a conclusion,
  that this server contains the most recent version of the SYSVOL share.
  There are 2 types of SYSVOL restores, you can do:
  Authoritative restore
  Non-authoritative restore
  Non-authoritative restore
  This is a more simple kind of a restore. You can perform this kind of restore, when you are sure,
  that one of the domain controllers is authoritative (e.g. you presume, the SYSVOL share is intact and working properly). If you can identify such a working server, you can perform non-authoritative restore of the active directory on a broken domain controller.
  Authoritative restore
  In this case, you can designate a specific domain controller to be authoritative. You set a special
  flag on this server, which will prohibit to overwrite it’s state from another domain controllers, when the replication is enabled on the server again. After you designate one server to be authoritative, you need to update all the another domain controllers
  using the non-authoritative procedure.
  In this article, you can find, how to perform authoritative vs. non authoritative AD resotre:
  http://support.microsoft.com/kb/2218556.
  In my case, I was not sure, which of the domain controllers had a more recent copy of AD, so I
  have decided to make OLDDC01 authoritative (check the link above). Once this has been done, I have made a non-authoritative update on OLDDC02 server.
  Everything was almost ready. The last step, I needed to execute was, I needed to fix the ‘JET’
  event viewer error on SRVBK1. In the event log entry on the bottom, you can find following:
  Recovery Steps
  1. Back up the files in all replicated folders on the volume. Failure to do
  so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
  2. To resume the replication for this volume, use the WMI method ResumeReplication
  of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
  wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig
  where volumeGuid="D37A9FC3-8B1D-11E2-93E8-806E6F6E6963" call ResumeReplication
  For more information, see http://support.microsoft.com/kb/2663685.
  Final words
  After I have executed this command, the replication was again started between OLDDC01 and OLDDC02
  servers. After I have started up the NEWDC01 server, I have realized, it has automatically replicated the contents of the SYSVOL share - almost immediately after the server was started up. I have again tried to login with the local client into DOMAIN domain
  and now I see, that local client is using local Domain controller for authentication.
  Everything seems to be OK now.

• DNS, Certificates, and Active Directory - School Setup Issues

  Our school has been piloting a small iPad depolyment.  I have been struggling with getting Profile Manager to work correctly since August of last year. Here's the setup:
  1. Active Directory DNS/DHCP server (set as "school.local"--yes, I know .local is bad form, but it was set before I got here). I have changed the "Digest" to "Basic" setting
  2. Mac Mini server that has its own external IP and hostname ("mac.school.org") and is also bound to the AD server for user authentication for services (Profile Manager, WebDAV, wiki, etc.). I have a self-signed SSL certificate installed under the name "mac.school.org"
  3. About 90 iPads, and a handfull of Mac desktops
  In a perfect world, users would be able to login (with their AD credentials) to the Profile Manager self-service portal using the external hostname of the mac server ("mac.school.org/mydevices"), install the Trust Profile, and enroll the device (iPad, Mac, etc).
  However, this is not the case.  The setup seems to work for awhile; quite perfectly in fact. But then for reasons unknown to me, everything just "breaks" and Profile Manager ceases to work like it should. Here are some of issues I am seeing:
  a.) DNS service on the Mac server turns itself ON randomly.  DNS should NOT be running this server, correct? All DNS lookups internally are done by the AD server. I've used changeip and everything matches (both say "mac.school.org")
  b.) Whenever we use VPN, and at other seemingly random times, the server's hostname changes from "mac.school.org" to "mac.school.local" I would make the server external only, but it needs to have an internal IP to talk to the AD server.
  c.) AD binding breaks randomly and I have to rebind the server to AD
  d.) When enrolling devices, Profile Manager starts rejecting certificates (not a trusted source, etc.) and I have to destroy OD and PM and start all over again.
  I know this is a lot and I'm not necessarily expecting anyone to answer all of these questions. I guess I'm wondering if anyone could point me in the right direction? I've looked for help with these issues all over the place, but none of the environments I read about are quite like the one I'm in.

  Yes, I am not giving the real domain name here.
  No prob. just checking, sometimes people have weird domain names never know if they are real or they expect them to be real or they put domain names owned by someone else on their internal network eek.
  Not really needed to use mac.school.org internally, that is in local LAN. The thing to understand about DNS is the scope for which a DNS zone is relevant WRT a client machine — inside LAN or on Internet, and which DNS server is authoritative for a domain. Authoritative in the sense of 'the final word'.
  Go to Network Utility on your mac, type in your real domain name (whatever you are changing to school.org to hide it) what comes back. On my server I see the below (I have replaced my real, Internet legal domain, to 'example.com')
  In my setup I have, on the LAN, setup the Mac server to be authoritative for domain 'example.com'. On the Internet however it is another external DNS server.
  So you have set DNS forwarders on the Mac machine?
  I really don't believe that the machine's hostname is changing, it is statically configured. What I believe is happening is that DNS name resolution is telling you different things at different times because you are using different DNS servers.
  On mac machine terminal type $less /etc/resolv.conf and copy paste what it says. In server app Services | DNS right side does it say you have forwarders?
  Still it is not good to have two DNS domains in your internal LAN, there is no need to have school.org on the mac DNS unless it is going to be fully setup to be authoritative in the internal LAN for the domain school.org. You can have school.org on the Internet (Internet scope of users point 1) and school.local on internal machine (LAN scope of users).
  Lookup has started…
  Trying "example.com"
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53292
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
  ;; QUESTION SECTION:
  ;example.com.                   IN        ANY
  ;; ANSWER SECTION:
  example.com.     10800          IN        SOA          example.com. admin.example.com. 2013010907 3600 900 1209600 86400
  example.com.     10800          IN         NS          server.example.com.
  example.com.     10800          IN         MX          10 server.example.com.
  ;; ADDITIONAL SECTION:
  server.example.com. 10800       IN          A          192.168.1.20
  Received 145 bytes from 127.0.0.1#53 in 2 ms

• Active Directory credential caching issues under OS X 10.5.5 (and 10.5.4)

  We are experiencing issues with cached credentials and login delays using the Active Directory DirectoryServices plugin under 10.5. In our case, the plugin works fine as long as the system is on one of our networks, and credential caching works when the system is disconnected. Everything is repeatable, scripted and reasonably well tested. We're pretty happy with how it's working on-site. Once a system leaves our network however, as laptops tend to do, it is not possible to log in without a massive delay. Looking into the issue, I have determined that the following contribute to the problem:
  1) There are 9 active directory servers in our "/Library/Preferences/DirectoryServices/ActiveDirectoryDynamicData.plist" file.
  2) The timeout appears to be 90 seconds, according to the string value of the LDAP Connection Timeout element in "/Library/Preferences/DirectoryServices/ActiveDirectory.plist".
  The login delay does seems to coincide with the value of 90 seconds multiplied by the number of AD servers, about 13 1/2 minutes. Changing the value of the LDAP Connection Timeout does not seem to resolve the issue, even after a reboot. Moving the ActiveDirectoryDynamicData.plist file out of the way (to prevent the system from contacting any AD servers) does not seem to resolve the issue either. I'd like the ability to force cached credentials without the AD delay. Is this possible to change this value without rebooting, or at least without patching the binaries?
  I am currently testing on a MacBook Air with 10.5.5, and the following procedure was used from the command line to configure AD (note that you'd need to replace the AD username, OU, and domain values):
  dsconfigad -a `hostname -s` -u "ad-admin-user-replaceme" -ou "OU=Whatever, OU=You, OU=Have" -domain=example.com -mobile enable -mobileconfig disable -useuncpath disable
  dscl -q localhost -create /Search SearchPolicy ds AttrTypeStandard:CSPSearchPath
  defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
  plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
  Reboot and all seems to be working for us, except when the systems leave our network.
  Note that the last command (plutil) is not strictly necessary, but the DirectoryService utility seems to write the file in xml1 format, so this makes things consistent with what Apple is doing and hopefully less likely to break anything.

  As silly as it seems to respond to one's own posts, I think I've found a solution. Using the first set of commands at the bottom of this post, I disable Active Directory authentication (and ensure that LDAPv3 is disabled as well). This seems to still allow for cached credentials to function, since AD is still in the search path. Although there is still a rather long 2 minute initial delay on the MacBook Air, it seems to work and is nowhere near 13 1/2 minutes. Interestingly enough, it seems to work with little delay on a test Powerbook G4 using the same baseline configuration with little to no delay.
  My plan is to push this out through my update mechanism as a cron job every 5 minutes, with a script that detects whether it's on one of our networks. The cron job will also be run on bootup so systems initially booted shouldn't need to suffer a 13.5 minute delay. This could be made better with a mechanism that could launch a script when the network interface came up or went down, I'll look at launchd for clues. If you have any comments feel free to reply...
  Commands executed on networks which cannot access our AD servers:
  defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive"
  /usr/libexec/PlistBuddy -c "Set \"LDAP Connection\ Timeout\" 0" /Library/Preferences/DirectoryService/ActiveDirectory.plist
  Commands executed when a system is back on one of our networks:
  defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
  /usr/libexec/PlistBuddy -c "Set \"LDAP Connection\ Timeout\" 90" /Library/Preferences/DirectoryService/ActiveDirectory.plist

• Active directory account lockout issue

  I have 1 main AD server which is on windows 2003 R2 and all users are authenticated from this server and second ADC i.e backup ADC which is on windows 2003 R2, we have 3rd ADC on windows 2008 R2 which is created for Exchange 2010 on windows
  2008R2,
  Users are getting Account lock out issue randomly.
  Can any one help on this.
   

  Hi,
  You can start with the below threads to see if you have prepared to determine lockouts sources.
  http://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx
  http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx
  Use Lokoutstatus from Altools (http://www.microsoft.com/en-us/download/details.aspx?id=18465) then check the source DC where lockouts are being reported. Use the event viewer on
  that DC and look for "failure audits" for that particular user acocunt or during that time frame reported on lockoutstatus. Use the event description to find the source workstations/server where the lockout is coming from and verify that server for
  any (disconnect RDP sessions, credentials manager, services running with domain accounts,applications,etc).
  Hope this helps.
  Regards,
  Calin

• Active Directory Migration Tool Issue

  Hi,
  I am currently doing a pilot to migrate users from a Windows Server 2003 Forest (2000 FFL, 2003 DFL) into Windows Server 2008 R2 (2008R2 FFL, 2008R2 DFL).
  There is an External Trust setup between the 2 forests.
  Having successfully migrated some test users and groups from Source to Target domain, I am able to access resources on a file server located in the Source domain (due to SID history being migrated along with SID Filtering being disabled)
  My issue is that I want to now use the Security Translation Wizard to add the newly migrated users and groups to the Source File Servers ACLs, Registry etc.
  ADMT is installed on a Target DC and when I run the Security Translation wizard it fails and the log shows the below...
  Details for DC01.SourceDomain
  Local Machine
      Computer:   DC01.SourceDomain (DC01)
          Domain:    DC01 (DC01)
          OS:         Microsoft Windows Server 2003 R2 5.2 (3790) Service Pack 2
  2012-03-08 15:57:47 Starting Security Translator.
  2012-03-08 15:57:47 Agent is running in local mode.
  2012-03-08 15:57:47 ERR3:7194 Could not open input file C:\Program Files\OnePointDomainAgent\Accounts000026.txt
  2012-03-08 15:57:47 SecurityTranslation Files:Yes Shares:Yes LGroups:Yes UserRights:Yes Printers:Yes TranslationMode:Add CWN WIRRAL.NHS.UK
  2012-03-08 15:57:47 Starting
  2012-03-08 15:57:47 Translating local machine.
  2012-03-08 15:57:48 Skipping A:\, rc=21   The device is not ready.
  2012-03-08 15:57:48 Processing C:\
  2012-03-08 15:57:51 Skipping D:\.  D:\ is a CD-ROM drive.
  2012-03-08 15:57:51 Processing E:\
  2012-03-08 15:57:51 Processing shares on local machine.
  2012-03-08 15:57:51 Processing printer security...
  2012-03-08 15:57:51 Translating local groups.
  2012-03-08 15:57:51 Translating user rights.
  2012-03-08 15:57:51 Translating security on registry keys.
  2012-03-08 15:58:11 ------Account Detail---------
  2012-03-08 15:58:11 The account detail section uses the following format: AccountName(OwnerChanges, GroupChanges, DaclChanges, SaclChanges).
  2012-03-08 15:58:11 -----------------------------
  2012-03-08 15:58:11 0 users, 0 groups, 0 msas
  2012-03-08 15:58:11 0 accounts selected.  0 resolved, 0 unresolved.
  2012-03-08 15:58:11            Examined        Changed     Unchanged
  2012-03-08 15:58:11 Files          11755              0         11755
  2012-03-08 15:58:11 Dirs            1071              0          1071
  2012-03-08 15:58:11 Shares             4              0             4
  2012-03-08 15:58:11 Members           15              0            15
  2012-03-08 15:58:11 User Rights       61              0            61
  2012-03-08 15:58:11 Exchange Objects          0              0             0
  2012-03-08 15:58:11 Containers         0              0             0
  2012-03-08 15:58:11 DACLs         123187              0        123187
  2012-03-08 15:58:11 SACLs             63              0            63
  2012-03-08 15:58:11            Examined        Changed     No Target   Not Selected     Unknown
  2012-03-08 15:58:11 Owners       123189              0        123189             
  0           0
  2012-03-08 15:58:11 Groups       123189              0        123189             
  0           0
  2012-03-08 15:58:11 DACEs       1003913              0       1003913        1003913          
  0
  2012-03-08 15:58:11 SACEs            66              0            66            
  66           0
  2012-03-08 15:58:12 Wrote result file C:\WINDOWS\OnePointDomainAgent\000026_CWN-DC01.result
  2012-03-08 15:58:12 Operation completed.
  The error is looking for C:\Program Files\OnePointDomainAgent\Accounts000026.txt which does not exist on the Source Server (where the Agent is installed)
  Can anyone help please?

  Howdie!
  On 08.03.2012 17:32, Wrightyi28 wrote:
  > ADMT is installed on a Target DC and when I run the Security Translation
  > wizard it fails and the log shows the below...
  > [...]
  > The error is looking for C:\Program
  > Files\OnePointDomainAgent\Accounts000026.txt which does not exist on the
  > Source Server (where the Agent is installed)
  Is/was AGPM installed on the server you ran the security translation
  agent on?
  Florian
  The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. If anyone should be allowed to mark a response as an "answer", it should be the thread creator. No one else.

• Active Directory and Samba issues

  When I updated a few of the computers here at work to Leopard, I tried mounting some authenticated samba shares here at work, and they worked just fine. However, with other users, it denies their password, and then re-prompts for the password, despite said password being correct. It doesn't appear to be related to administrator permission on the domain, either, because it denies me when I change my permissions to only have access to specific machines, instead of 'all computers'
  If you need any further information, I would be happy to give it.

  Hi
  I confess I don't know if this is in any way helpful or relevant but I do know changes have been made in Leopard viz Samba since you can no longer setup a Windows Printer via Samba in the GUI as you have previously been able to do. You can do it in CUPS but this isn't for all types of users. Thus I don't know if this has any bearing on your problem but it may help to look for more general based samba support changes.
  cheers

• User login report in Active Directory for specific date and time

  I want to get User login report in Active Directory for specific date and time e.g user logged in at15-01-2015 from 8:00am to 4:00pm
  Is any query, script or any tool available?
  Waiting for reply please

  You can identify the last logon date and time using my script here: https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
  If you would like to get back in time and see when the user did a logon / logoff then you need to have auditing enabled. Once done, you can records from Security log in the event viewer: https://social.technet.microsoft.com/Forums/windowsserver/en-US/98cbecb0-d23d-479d-aa65-07e3e214e2c7/manage-active-directory-users-logon-logoff-events
  I have started a Wiki about how to track logon / logoff and it can help too: http://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Active directory issue

  This is the replication status for the following directory partition on this directory server. 
  Directory partition:
  DC=ForestDnsZones,DC=shankarpack,DC=com 
  This directory server has not received replication information from a number of directory servers within the configured latency interval. 
  Latency Interval (Hours): 
  24 
  Number of directory servers in all sites:
  1 
  Number of directory servers in this site:
  1 
  The latency interval can be modified with the following registry key. 
  Registry Key: 
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) 
  To identify the directory servers by name, use the dcdiag.exe tool. 
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

  sir, i means that secondary domain server is down due to system motherboard issue.so guide to me that how remove all setting of the secondary domain from primary domain. (shankarpack.com).
  errors are :
  Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more
  domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 
  Source domain controller: 
   AVS1 
  Failing DNS host name: 
   f0c8f1a9-50fd-4785-8ca4-29b1d824b251._msdcs.shankarpack.com 
  NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 
  Registry Path: 
  HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 
  User Action: 
   1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined
  in MSKB article 216498. 
   2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 
   3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
    dcdiag /test:dns 
   4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 
    dcdiag /test:dns 
   5) For further analysis of DNS error failures see KB 824449: 
     http://support.microsoft.com/?kbid=824449 
  Additional Data 
  Error value: 
   11004 The requested name is valid, but no data of the requested type was found. 
  This is the replication status for the following directory partition on this directory server. 
  Directory partition:
  DC=ForestDnsZones,DC=shankarpack,DC=com 
  This directory server has not received replication information from a number of directory servers within the configured latency interval. 
  Latency Interval (Hours): 
  24 
  Number of directory servers in all sites:
  1 
  Number of directory servers in this site:
  1 
  The latency interval can be modified with the following registry key. 
  Registry Key: 
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) 
  To identify the directory servers by name, use the dcdiag.exe tool. 
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".
  This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are
  preventing validation of this role. 
  Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
  FSMO Role: DC=shankarpack,DC=com 
  User Action: 
  1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
  2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity,
  DNS name resolution, or security authentication that are preventing successful replication. 
  3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server.
  This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 
  The following operations may be impacted: 
  Schema: You will no longer be able to modify the schema for this forest. 
  Domain Naming: You will no longer be able to add or remove domains from this forest. 
  PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts. 
  RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups. 
  Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

• PowerShell Active Directory: Get last logon date of a deleted user

  So, my first post in this noble community. I've been lurking here and I've been getting some good information. Hopefully, you guys can help me in this concern which may be simple to some but I couldn't seem to get around it.
  Is it possible to get the last logon date of a DELETED user in Active Directory?
  I can get the available properties of deleted users using the following:
  Get-ADObject -Filter {samaccountname -eq <account_name> -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties *
  But the last logon date is not one of the properties available from Get-ADObject. Get-ADUser has the last logon property, but it does not have data on deleted users. Is there anyway this can be achieved? Perhaps convert an ADObject to an ADUser?
  Any information would be much appreciated. Thank you.

  Thanks everyone for your response. It looks like jrv is leading me to the right path, but I'm still having issues. I'm trying to get the lastlogon time by querying all the DCs in our domain, but every query returns a null lastlogon time for all the deleted
  users I tried:
  $DomainControllers = ((Get-ADForest).Domains | %{ Get-ADDomainController -Filter * -Server $_ }).Name
  foreach ($DC in $DomainControllers)
      $dn=(Get-ADObject -Filter {samaccountname -eq <user_account>} -includedeletedobjects -server $DC).DistinguishedName
      $user=[adsi]"LDAP://$dn"
      $user.LastLogon
  It always returns null. Morever, simply executing [adsi]"LDAP://$dn" from each DC gives the following error:
  format-default : The following exception occurred while retrieving member
  "distinguishedName": "There is no such object on the server.
      + CategoryInfo          : NotSpecified: (:) [format-default], ExtendedType
     SystemException
      + FullyQualifiedErrorId : CatchFromBaseGetMember,Microsoft.PowerShell.Comm
     ands.FormatDefaultCommand
  It's a bit surprising to me though, since $user=[adsi]"LDAP://$dn" does return a value for $user (instead of null whenever an error is encountered) of type System.DirectoryServices.DirectoryEntry but it has no members.
  Anyone know what I'm missing?

• Download issue when Windows 7 Pro joins a Windows Server 2008 Active Directory

  Hi,
  I purchased 2 new Dell OptiPlex 3010 desktop computers that came with Windows 7 Professional operating system with SP1. 
  There were no Microsoft updates installed yet.  After I added one of these Dell computers to the Windows Server 2008 Active Directory, I was not able to download several items. 
  Below are several examples:
  1) I downloaded the Norton anti-virus installation file.  This file is not the full installation of Norton; it is more of a file where you execute it and it will download the full installation from the Internet like from their Norton web
  site.  So when I executed this installation file, it does not download the full installation files. 
  It just hung at the screen saying “Downloading” and it will finally stop with an error (don’t remember the error message).
  Note: If I have the full Norton installation file then I am able to install it on this computer with no problems.
  2) I downloaded the Adobe Reader installation file.  This file is not the full installation of Adobe Reader; it is more of a file where you execute it and it will download the full installation from the Internet like from their Adobe web
  site.  So when I executed this installation file, it hung at the downloading part and then it will error out with a “Actionlist Not Found” message.
  Note: If I have the full Adobe Reader installation file then I am able to install it on this computer with no problems.
  3) I installed Microsoft Office 2010 Standard version on this computer. 
  I configured Microsoft Outlook to retrieve emails from my email provider (pop and smtp settings). 
  After configuring Microsoft Outlook, I was able to send emails through Microsoft Outlook successfully (and very quickly), but he was unable to retrieve my emails. The progress bar for the Receiving in the "Outlook Send/Receive Progress" box
  shows no progress. The Progress bar is not moving. There is a message at the bottom of Microsoft Outlook stating "Receiving message 1 of 6 (x.xx KB of x.xx MB)" and it is very slow. My new emails were not being retrieved at all. 
  I tried various pop and smtp servers that was available for my email provider, but all had the same effect.
  4) I can access certain web sites (e.g.
  www.yahoo.com, www.cnn.com) while I cannot access other web sites like
  www.usatoday.com, my web hosting email site.
  Note: I had a Dell computer with Windows XP Professional operating system and this computer does not have any of the above issues.
  The above are only a few examples that I have experienced. 
  If I removed this Dell OptiPlex 3010 computer from the Windows Server 2008 Active Directory then I still experience the same issue.
  So as another test, I setup the other new Dell OptiPlex 3010 with the same Windows 7 Professional OS with SP1. 
  This time, I did not join the Windows Server 2008 Active Directory and I was able to successfully download the full Norton installation files, download the full Adobe Reader installation files, download my emails from Microsoft Outlook 2010, etc. 
  But once I joined this computer to the Windows Server 2008 Active Directory then I am not able to download these files and emails at all.
  It seems like there might be some group policy or a security setting that is preventing these downloads so I disabled the group policy on the Windows Server 2008 AD and Windows 7 Profession OS, but it didn’t resolve the issue.
   I disabled all of the firewall programs on this Windows 7 Professional OS, but it still did not resolve the issue.
  Since the Windows Server 2008 AD did not have DHCP installed, I installed DHCP and setup a scope. 
  Then configured the Windows 7 Professional OS to obtain an IP address, but it didn’t resolve the issue.
  If I move this Windows 7 Professional computer to another network where it did not have any Active Directory; it just had a wireless router serving DHCP then everything works on the Windows 7 Pro computer.
  Any ideas what is the root cause when a Windows 7 Professional computer join a Windows Server 2008 AD?
  Thanks,
  wl_tech

  Hi,
  Could you please tell some information for the AD environment and how it connect to the internet?
  Regarding 3rd party installlers didn't work as expected, please also seek help in their offical website.
  For outlook not receiving emails, could you please take a look in
  Event Viewer and see if there are any special errors logged there?
  And when trying to access the website like
  www.usatoday.com, any special errors IE showed out?
  Best regards
  Michael Shao
  TechNet Community Support

• Issue with Active Directory User Target Recon

  Hi ,
  I am facing an issue with Active Directory User Target Recon
  My environment is OIM 11g R2 with BP03 patch applied
  AD Connector is activedirectory-11.1.1.5 with bundle patch 14190610 applied
  In my Target there are around 28000 users out of which 14000 have AD account (includes Provisioned,Revoked,Disabled accounts)
  When i am running Active Directory User Target Recon i am not putting any filter cleared the batch start and batch size parameters and ran the recon job .Job ran successfully but it stopped after processing around 3000 users only.
  Retried the job two three times but every time it is stopping after processing some users but not processing all the users.
  Checked the log file oimdiagnostic logs and Connector server logs cannot see any errors in it.
  Checked the user profile of users processed can see AD account provisioned for users
  My query is why this job is not processing allthe users.Please point if i am missing some thing .
  thanks in advance

  Check the connector server load when you are running the recon. Last time I checked the connector, the way it was written is that it loads all the users from AD into the connector server memory and then sends them to OIM. So if the number was huge, then the connector server errored out and did not send data to OIM. We then did recon based on OUs to load/link all the users into OIM. Check the connector server system logs and check for memory usage etc.
  -Bikash

• Certificate issues Active Directory Certificate Services could not process request 3699 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013

  Hi,
  We have some problems with our Root CA. I can se a lot of failed requests. with the event id 22: in the logs. The description is: Active Directory Certificate Services could not process request 3686 due to an error: The revocation function was unable to
  check revocation because the revocation server was offline. 0x80092013 (-2146885613).  The request was for CN=xxxxx.ourdomain.com.  Additional information: Error Verifying Request Signature or Signing Certificate
  A couple of months ago we decomissioned one of our old 2003 DCs and it looks like this server might have had something to do with the CA structure but I am not sure whether this was in use or not since I could find the role but I wasn't able to see any existing
  configuration.
  Let's say that this server was previously responsible for the certificates and was the server that should have revoked the old certs, what can I do know to try and correct the problem?
  Thank you for your help
  //Cris

  hello,
  let me recap first:
  you see these errors on a ROOT CA. so it seems like the ROOT CA is also operating as an ISSUING CA. Some clients try to issue a new certificate from the ROOT CA and this fails with your error mentioned.
  do you say that you had a PREVIOUS CA which you decomissioned, and you now have a brand NEW CA, that was built as a clean install? When you decommissioned the PREVIOUS CA, that was your design decision to don't bother with the current certificates that it
  issued and which are still valid, right?
  The error says, that the REQUEST signature cannot be validated. REQUESTs are signed either by itself (self-signed) or if they are renewal requests, they would be signed with the previous certificate which the client tries to renew. The self-signed REQUESTs
  do not contain CRL paths at all.
  So this implies to me as these requests that are failing are renewal requests. Renewal requests would contain CRL paths of the previous certificates that are nearing their expiration.
  As there are many such REQUEST and failures, it probably means that the clients use AUTOENROLLMENT, which tries to renew their current, but shortly expiring, certificates during (by default) their last 6 weeks of lifetime.
  As you decommissioned your PREVIOUS CA, it does not issue CRL anymore and the current certificates cannot be checked for validity.
  Thus, if the renewal tries to renew them by using the NEW CA, your NEW CA cannot validate CRL of the PREVIOUS CA and will not issue new certificates.
  But it would not issue new certificates anyway even if it was able to verify the PREVIOUS CA's CRL, as it seems your NEW CA is completely brand new, without being restored from the PREVIOUS CA's database. Right?
  So simply don't bother :-) As long as it was your design to decommission the PREVIOUS CA without bothering with its already issued certificates.
  The current certificates which autoenrollment tries to renew cannot be checked for validity. They will also slowly expire over the next 6 weeks or so. After that, autoenrollment will ask your NEW CA to issue a brand new certificate without trying to renew.
  Just a clean self-signed REQUEST.
  That will succeed.
  You can also verify this by trying to issue a certificate on an affected machine manually from Certificates MMC.
  ondrej.

• Active Directory Issues 10.7.4 & 10.7.5

  Hi
  I'm having problems with all my 10.7.4 & 10.7.5 mac's. They're losing their connection to AD. When I got to unbind I get the follwing error:
  Unable to access domain controller
  This computer is unable to access the domain controller for an unknown reason. Warning: If you click force unbind you will leave an unused computer account in the directory.
  I then get an option to ok or force unbind. If I force unbind if I force unbind I get the following error:
  An unknown error occurred
  An unknown error occurred
  Helpful, I'm sure you'll agree! If I go in to Console I can see the following to errors:
  02/10/2012 16:01:25.682 Directory Utility: An instance 0x7f8f02b30f30 of class ODCUnbindFromADAction was deallocated while key value observers were still registered with it. Observation info was leaked, and may even become mistakenly attached to some other object. Set a breakpoint on NSKVODeallocateBreak to stop here in the debugger. Here's the current observation info:
  <NSKeyValueObservationInfo 0x7f8f02b56970> (
  <NSKeyValueObservance 0x7f8f02b568c0: Observer: 0x7f8f01cea980, Key path: progressStatus, Options: <New: NO, Old: NO, Prior: NO> Context: 0x0, Property: 0x7f8f02b569a0>
  and...
  02/10/2012 16:03:32.463 Directory Utility: -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007 "The operation couldn’t be completed. (OSStatus error -60007.)" (The authorization was denied since no user interaction was possible. )
  When users are curently logged in they lose access to SSH sessions, and network drives etc... they have had issues with saving work and subsiqently losing it!
  When I go in to opendirectyd.log I see the following:
  2012-10-02 15:37:42.208 BST - opendirectoryd (build 172.17) launched...
  2012-10-02 15:37:42.265 BST - Logging level limit changed to 'error'
  2012-10-02 15:37:42.902 BST - Initialize trigger support
  2012-10-02 15:37:42.904 BST - Registered node with name '/Active Directory' as hidden
  2012-10-02 15:37:42.904 BST - Registered node with name '/Configure' as hidden
  2012-10-02 15:37:42.905 BST - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'
  2012-10-02 15:37:42.905 BST - Registered node with name '/Contacts'
  2012-10-02 15:37:42.906 BST - Registered node with name '/LDAPv3' as hidden
  2012-10-02 15:37:42.939 BST - Registered node with name '/Local' as hidden
  2012-10-02 15:37:42.964 BST - Registered node with name '/NIS' as hidden
  2012-10-02 15:37:42.965 BST - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'
  2012-10-02 15:37:42.965 BST - Registered node with name '/Search'
  2012-10-02 15:37:43.024 BST - Discovered configuration for node name '/Active Directory/NUCA-AD' at path '/Library/Preferences/OpenDirectory/Configurations/Active Directory/NUCA-AD.plist'
  2012-10-02 15:37:43.024 BST - Registered subnode with name '/Active Directory/NUCA-AD'
  2012-10-02 15:37:43.024 BST - Registered placeholder subnode with name '/Active Directory/NUCA-AD/All Domains'
  2012-10-02 15:37:43.040 BST - Discovered configuration for node name '/LDAPv3/nuca-mon1.nuca.ac.uk' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/nuca-mon1.nuca.ac.uk. plist'
  2012-10-02 15:37:43.040 BST - Registered subnode with name '/LDAPv3/nuca-mon1.nuca.ac.uk'
  2012-10-02 15:37:43.108 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'
  2012-10-02 15:37:43.307 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'
  2012-10-02 15:37:44.311 BST - '/Search' has registered, loading additional services
  2012-10-02 15:37:44.311 BST - Initialize augmentation support
  2012-10-02 15:37:44.352 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'
  2012-10-02 15:37:44.423 BST - Successfully registered for Kernel identity service requests
  2012-10-02 15:37:44.482 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'
  2012-10-02 15:37:44.566 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'
  2012-10-02 15:37:45.461 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'
  2012-10-02 15:37:45.463 BST - Registered subnode with name '/Local/Default'
  2012-10-02 15:37:45.556 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
  2012-10-02 15:37:45.600 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClient.bundle'
  2012-10-02 15:37:45.645 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ActiveDirectory.bundle'
  2012-10-02 15:37:45.654 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/Kerberosv5.bundle'
  2012-10-02 15:37:45.858 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/NetLogon.bundle'
  2012-10-02 15:37:45.858 BST - Registered subnode with name '/Active Directory/NUCA-AD/nuca.ac.uk' as hidden
  2012-10-02 15:37:45.859 BST - Unregistered placeholder node with name '/Active Directory/NUCA-AD/All Domains'
  2012-10-02 15:37:45.860 BST - Registered subnode with name '/Active Directory/NUCA-AD/All Domains'
  2012-10-02 15:37:45.861 BST - Registered subnode with name '/Active Directory/NUCA-AD/Global Catalog' as hidden
  2012-10-02 15:37:57.468 BST - failed to retrieve password for credential
  2012-10-02 15:37:59.051 BST - failed to retrieve password for credential
  2012-10-02 15:38:04.052 BST - failed to retrieve password for credential
  2012-10-02 15:38:14.054 BST - failed to retrieve password for credential
  2012-10-02 15:38:29.056 BST - failed to retrieve password for credential
  2012-10-02 15:38:49.076 BST - failed to retrieve password for credential
  2012-10-02 15:39:11.505 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/configure.bundle'
  2012-10-02 15:39:11.900 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/keychain.bundle'
  Interestingly enough, the problem doesn't seem to effect users runing 10.6.8 or my iMac which is running 10.8.2. I've spoken to network manager and he can't see anything strange going on, on the network.
  I've also spoekn to our AD guy and nothing has changed.
  This is now the second time it's happend, I've managed to get everyone working (before it happened again) by deleting the AD plist in /Library/Preferences/OpenDirectory/Configurations/Active\ Directory/ then rebinding via a scipt pushed out via ARD
  If anyone can offer any assitance I'd be most gratful as I'm about to be shot by our users! as it's the start of our new academic year!
  Thanks!
  Paul

  It's been a few weeks now, and (touch wood) it's not happended again on mass. We have had a few individual ones, but nothing major.
  We still don't quite know exactly what happened, but trouble shooting found the following:
  Our time server wasn't working corrctly centrifys ADCheck tool showed it as having a firewall (even though it didn't) our AD guy fixed that problem (sorry not sure exactly what he did)
  We checked the AD kerberos ticket from a machine that lost it's connection to AD, on another mac that worked and found that it couldn't connect as the password was wrong. It seems that by default Active Directory ticket wants to change it's password every 14, and when trying to it's failing so I set it to 0
  We had tried to set the server the AD plugin see's to a specific DC but this wasnt happening due to subnets not being configured in AD sites and Services
  Some of the Mac's did not like being set to GMT in the time zone and the time was an hour out, people where able to login though! So I've now set them to Eurpoe\London and they're now picking up the correct time and even picked up the daylight savings over the weekend.
  Our DNS is still not great but we are in the process of sorting out our subnets and when we do the consolodation we'll also asign reservations for all the mac's in the hope that apeases DDNS
  Thanks Paul

• Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest

  Hello everyone,
  I'm managing a multi-domain forest (with 7 sub-domain).  All are working fine except for one.  Throught repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed I got both domain controllers of a subdomain (there are only 2 DCs in that
  subdomain), who hadn't replicated with the rest of the forest for more than 60 days.
  According to my research, it's usually recommended to Depromote and repromote the problematic DC to avoid the issue of lingering objects.  In this case, it's both DC of a sub-domain.  Of course, on the others DCs in the forest, I got the event
  ID 2012 "it has been too long since this machine last replicated with the named source machine....". 
   HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
  to a value of 1. 
  As I understand it, this may cause lingering objects to appear (they can be removed with repadmin /removelingeringobjects command with the DSA GUID, naming context, etc..).  So far, I haven't used that registry key yet because of the associated risks.
  I didn't noticed any other issue so far.  Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the others DCs in the forests. (at least, I'm not getting any error in the A.D. Sites
  and Services)
  I added two new DCs for the affected sub-domains, so the number of DCs for that domain went from 2 to 4 DCs.  The two old DCs that hadn't replicated for 60 days are windows Server 2003 and the two new DCs are Server 2008 R2. 
  Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain.  By that, I mean that I
  cannot add an Active Directory Domain Services Connection in Sites & Services console (from a DC in another domain of the forest or even the root domain).  I see all the DCs, including the two old DCs that are server 2003, but not the new ones. 
  I believe it's because the others DCs doesn't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
  I was wondering what is the best course of action. Is it worthwhilte to use the registry key force replication with the old DCs ?  (and hopefully, the new DCs will get their AD Services connection/replication vector created, so I can depromote
  the old DCs.
  Since the Old DCs from the problematic sub-domain seems to be able to pull the replication from the rest of the forest, does the risk of Lingering object isn't that great ?
  Or is it too risky and I must create a new sub-domain and migrate one way or another the users ? (which would be time-consuming)
  Thanks in advance,
  Adam

  Thanks for the reply.  One of the link had another link to a good article about the use of repadmin :
  So, I ran the command "repadmin /removinglingerobjects " on one of the problematic DCs ().
  For clarity purpose, let's say I used the domain :
  domain = main domain
  subdomain = the domain whose DC are problematic (all of them).
  AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
  Command (the DSA guid is from a DC "clean" in another domain)
  repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
  I got the following message in the event viewer :
  Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
  Source domain controller:
  c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
  Number of objects examined and verified:
  0
  Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
  advisory mode option.
  How should I interpret the message "number of objects examined and verified 0".  Does it mean it just didn't find any object to compare ? (which would be odd IMHO)  Or there is another problem ?
  Thanks in advance,
  Adam