Fix: Active directory corrupted (NTDS ISAM Database Corruption errors in eventlog)

Similar Messages

• Can't fix Active Directory replication

  Hi,
  I am not sure when the replication issue started, but it is for month now. Whe have two AD's and so actually, we have one working fine (probably). Users are replicated fine (at least they show in the second AD tree) and also, the group policies replicates
  (they show in the group policy tree).
  But, in the \\dc02\SYSVOL\domainname.com\Policies directory, nothing is shared. It's completely out of date. Also the group policy manager gives an warning: 1 Domain controller(s) with replication in progress.
  Anyway, me, and other members of the IT-staff looked into it but it looks that the problem goes deep.
  So my question is, what is the best way to solve this. Start to place some errors here or maybe we should completely re-install the second DC? Or both? Or is that a bad idea?
  Thanks for any help!

  Thanks for the responses!
  Problem is, Event viewer keeps giving different errors. I just restarted my secondary DC and it gives this error:
  This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
  Before restart, I ran dcdiag again and it gave problems with NCSecDesc. So permission problem. I fixed that and after that I ran dcdiag again and no errors were showing. But sysvol directory was still not in sync.
  After that, I restarted and the top error is shown in event viewer and dcdiag gives me another, new error:
  Starting test: SystemLog
  A warning event occurred. EventID: 0x000727A5
  Time Generated: 04/16/2014 18:02:36
  Event String: The WinRM service is not listening for WS-Management requests.
  A warning event occurred. EventID: 0x80040020
  Time Generated: 04/16/2014 18:03:13
  Event String:
  The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may o
  ccur.
  A warning event occurred. EventID: 0x80040020
  Time Generated: 04/16/2014 18:03:13
  Event String:
  The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may o
  ccur.
  A warning event occurred. EventID: 0x80040020
  Time Generated: 04/16/2014 18:03:13
  Event String:
  The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may o
  ccur.
  An error event occurred. EventID: 0xC0001B61
  Time Generated: 04/16/2014 18:03:40
  Event String:
  A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
  An error event occurred. EventID: 0xC0001B6F
  Time Generated: 04/16/2014 18:03:41
  Event String: The Diagnostic System Host service terminated with the following error:
  An error event occurred. EventID: 0xC0001B6F
  Time Generated: 04/16/2014 18:03:41
  Event String: The Diagnostic Service Host service terminated with the following error:
  ......................... DC02 failed test SystemLog
  After restarting the secondary DC, the primary DC gives an error on DFSREvent but I think that's OK because it lost the secondary DC for a minute. No further errors there.
  After restarting the primary DC, it gives also a SystemLog error, but different from the other DC with dcdiag:
  Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source
  , but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain
  hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domai
  n, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function a
  s the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this c
  omputer, you may choose to disable the NtpClient.
  A warning event occurred. EventID: 0x00000090
  Time Generated: 04/16/2014 18:31:25
  Event String: The time service has stopped advertising as a good time source.
  ......................... DC01 failed test SystemLog
  Now this is the current status. I am pretty desperate. Maybe you have some suggestions? Otherwise, I will try pbbergs' suggestion.
  Other errors in the event viewer (not sure if they are related but just posting to be sure):
  This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
  Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.
  Certificate name: dc01.domainname.com
  The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
  Thanks for the help!

• Active Directory data replication to database

  Hi Guys
  Does anybody known how to replicate data from Active Directory (groups and users) direct to database table like Oracle?
  My research drive me to code a program that make persistent search on Active Directory monitoring object changes to make insert or update in my table.
  Java Technology Forums - JNDI, Active Directory and Persistent Searches (part 1)
  http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
  Java Technology Forums - JNDI, Active Directory and Persistent Searches (part 2)
  http://forum.java.sun.com/thread.jspa?forumID=51&threadID=672007
  Is it a good idea ?
  Thanks
  MHM

  As I said previously, it depends on how frequently you need to synchronise the database; weekly, daily, hourly, realtime.
  LDIFDE, CSVDE can be used to export LDIF or CSV files respectively, which you could then import into a database. That would be a good pragmatic solution for something that needs to be done daily or weekly.
  The DIRSYNC control is good for any schedule synchronisation, whereas the LDAP Notification Control is better suited to real time applications.
  I am rather flattered that the post you referred to http://www.forumeasy.com/forums/thread.jsp?tid=117381285598&fid=ldapprof2&highlight=LDAP+Persistent+Search+Control+JNDI+Client
  is based on my original sample titled "JNDI, Active Directory and Persistent Searches (part 2)" which I posted at
  http://forum.java.sun.com/thread.jspa?threadID=672007&tstart=90
  BTW, the sample for using the dirscnc control which is titled "JNDI, Active Directory & Persistent Searches (part 1)" is available at
  http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
  Another alternative would be to install another server with Active Directory Application Mode (ADAM) specifically for your "expensive" queries and use a tool such as ADAMSync to populate it from your other Active Directory domain controllers.
  ADAMSync is included with ADAM and you can find the command line options described at http://technet2.microsoft.com/windowsserver/en/library/c64799ab-88c0-4e5a-b296-bc26031141291033.mspx?mfr=true
  Personally, I would much prefer to use something like LDIFDE, CSVDE, ADAMSync or a full fledged synchrisation/provision product such as Identity Lifecycle Manager rather than write (and debug/maintain) my own code.

• Active Directory Sites + Boundary Groups + Database not showing correctly?

  I am having a hard time trying to track down my issue but after digging for a bit, I think I have figured it out but I am unsure how to fix it.
  Quick backstory, we had a domain controller go bad in this ADsite, the domain controller was also a DP at the time aswell and to fix our issues we dcpromo /forceremove it and cleaned up AD after. Created a new domain controller in
  the ADsite, replicated everything across, everything is going as it should. SCCM on the other hand thinks I did something very wrong.
  I'm not sure even how to explain but here goes. SCCM Console shows that the newly created distribution point that is running in the site where I ripped out the old domain controller and it is running well, the boundary is there, the DP is
  tied to the boundary is it looks great. (
  https://onedrive.live.com/redir?resid=B5BA8EC0E0DB675!4966&authkey=!ACD-aPFR5oE6TtI&v=3&ithint=photo%2cpng )
  On the other hand, SCCM Database is not connecting the DP to the boundary. I am clueless on why this is happening. Because of this, it seems like no end users are getting any software. LocationServices on client machines show the computers are in the
  proper site but SCCM does not seem to think the new DP is part of the site.  (
  https://onedrive.live.com/redir?resid=B5BA8EC0E0DB675!4967&authkey=!AEhKiU6eRr6kph0&v=3&ithint=photo%2cpng )
  The other 9 DPs have no issues, they are part of their respected sites, clients are getting all the software from the proper DPs and no issues.
  I would gladly share some log files if they are of any value to anyone. I have looked through ads*.log and have not found anything that would tell me it has issues querying the ADsite.
  Any help would be greatly appreciated!

  Removal of the DC should be unrelated as they is no direct communication. Deleting the boundary/group and re-add them.
  Torsten Meringer | http://www.mssccmfaq.de

• Does one of the Lync SQL databases store the active directory username or SID of the person who made a call ?

  I am trying to write a report that uses data from Lync (2010), Active directory (AD) and other databases.
  I need to match data from Lync with records in active directory.
  When you make/recieve a call, the session details has a userid column - a foreign key to the users table, which has the UserURI - the users emails adddress or telephone number.
  However, trying to mach the data, I have noticed that someones email address can change so that what is in active directory does not match that used as the SIPaddress in Lync.
  I need a field that matches in Active directory and Lync to be able to link a users call records with their active directroy records.
  I was wondering how Lync decides which Lync user you are when it auto logins you in.
  Does it do it on the basis of your phone number, AD username or something else ?
  If so , where in Lync does it store the mapping from whatever it uses to your Lync userid ?
  Greg

  The msrtcsip-primaryuseraddress attribute in AD is where the users SIP address is stored.
  This can change still, but generally that should not be very often except maybe a name change or domain name change.
  Almost everything in Lync is based on the SIP address. In CDR's case, it is just recording SIP messages as they pass through the front end; it has no visibility into the actual AD account that sent it.
  If you will need to match user SIP addresses back to live AD accounts, even after a SIP address change, then I would recommend setting up a custom AD attribute to store their SIP account history and have a policy to update that attribute each time someone's
  SIP address gets changed.

• View Password hash in Active Directory

  Hi all
  I am the administrator and i want to view the password hashes of the users  in Active Directory. Please tell me how i can view the password hashes of the users. Where are the password hashes of the users  stored in Active Directory.

  Hi,
  Before going further, let’s clarify how Windows store password.
  Instead of storing the user account password in clear-text, Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database (C:\Windows\System32\config\SAM file) or in Active Directory (C:\Windows\NTDS\ntds.dit file on DCs).
  You can force Windows to use NT Hash password. For detailed information, please refer to the following article.
  How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
  http://support.microsoft.com/kb/299656
  After you configure Password History, Active Directory service will check the password hash stored in AD database to determine if user meet the requirement. Administrator doesn’t need to view or use password hash.
  Regarding the security of password, the following article may be helpful.
  Should you worry about password cracking?
  http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx
  Hope this information can be helpful.
  This posting is provided "AS IS" with no warranties, and confers no rights.

• Cannot Print. "The Active Directory Domain Services is currently unavailable"

  Hi there
  I cannot print and I have not been able to find the fix via existing forum threads.
  System: 
  Win 7 Ultimate 64 bit German - Profile language is Danish (installed a week ago and completely windows updated)
  Office 365 Small Business Premium
  HP DV8 Laptop. i7, 512GB SSD, 8GB RAM
  HP LaserJet P1006 USB printer.
  Problem
  No matter if I try to print from IE, Notebook, Word 2013 or anything else, I cannot chose my printer (P1006).
  If I try to Add Printer in Word 2013, I get the "The Active Directory Domain Services is currently unavailable" error. 
  In Devices and Printers, the P1006 is visible, but there is no driver installed.
  Trying to install the correct driver: 
  http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=3435683&prodTypeId=18972&prodSeriesId=3435682&swLang=8&taskId=135&swEnvOID=4063
  only creates a general error during installation: "Printer  Software Installer has stopped working - A problem has caused the program to stop working correctly. Windows closes the program and will notify you if a solution has been found"
  I have tried all the solution software from Windows, from HP (for the laptop and for the printer) - but nothing comes up with any details or suggestions. 
  What should I try?
  Absolutely everything else works perfectly on the system. 
  Reffered here via http://answers.microsoft.com/en-us/windows/forum/windows_7-hardware/cannot-print-the-active-directory-domain-services/1cf47626-a2cd-4b7a-94b6-10cbc8ab02b0

  Hi,
  I suggest you try the following:
  1. Try the steps in the following article:
  Troubleshoot printer problems
  http://windows.microsoft.com/en-US/windows-vista/Troubleshoot-printer-problems
  Fix printing problems by resetting the print spooler
  http://support.microsoft.com/kb/2000007
  2. Let us try updating the printer driver which might help you in resolving the issue.
  Click on the link below for more information on updating the printer drivers.
  Find and install printer drivers
  http://windows.microsoft.com/en-US/windows-vista/Find-and-install-printer-drivers
  3. Remove the printer and add it again:
    Go to Control Panel
    Select Printers
    Right-click on Add Printer
    Select Run as Administrator
  Now try to add your network printer
  Also a thread for your reference:
  Error message when attempting to print: Active Directory Domain Service is Currently Unavailable 
  http://social.technet.microsoft.com/Forums/en-US/winserverprint/thread/d6212275-24d6-4168-830a-9441f861cb76
  Hope this helps.
  Vincent Wang
  TechNet Community Support

• Microsoft Exchange Server 2013 Cumulative Update 7 Setup - Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error - Set-SharedConfigDC

  What am I trying to do?
  I have tried installing Microsoft Exchange Server 2013 Cumulative Update 7 Setup on a fresh install of Windows Server 2012 R2 but it gets stuck when running the setup exe on Step 8 of 14 “Mailbox Transport Service” I have included full
  error logs at the bottom of the page but the basics are in order it will throw which loop around are:
  [01/20/2015 17:13:20.0084] [2] Beginning processing Set-SharedConfigDC
  [01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
  Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
  Exchange is currently running in the envirmonet on 2010 Sp3 I am installing 2013 CU7 fresh so I can migrate the databases over.
  What am I running?
  2 X DC on domain and forest functional level 2008R2 both writable
  1 X fresh install of Windows 2012 R2 which is domain joined
  What have I tried?
  Checked Ipv6 is enabled on all DC NICS and Existing Exchange Servers
  Rebooted every server
  Run setup as Administrator
  My account is part of the domain Enterprise Admin group
  Tried adding "Exchange Server" or "Exchange Enterprise Servers" to the group policy and doing the relevant gpupdate /force and reboot :
  Computer Configuration Windows Settings
  Security Settings + Local Policies
  User Rights Assignment Mange auditing and security log
  Turned off firewall on DC and Exchange Server even stopped the service
  Turned off all AV on the DC and Exchange Server
  Checked I could telnet to global catalog servers on port 3268 which I can
  Checked the global catalog records existed in DNS which they all do
  Done the obvious ping tests all round which confirms connectivity
  Schema has been prepared using appropriate commands before running the setup exe
  setup.exe /PrepareSchema /IacceptExchangeServerLicenseTerms
  Making sure the following path has full permissions:
  EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
  Restarted Microsoft Exchange Active Directory Topology service
  DcDiag all looks good
  What have I noticed that is suspicious?
  Microsoft Exchange Transport service will not start even though both of its dependences services have started:
  Microsoft Filtering Management Service
  Microsoft Exchange Active Directory Topology Service
  It will eventually error with
  “Windows could not start the Microsoft Exchange Transport Service on local computer
  Error 1053: This Service did not respond to the start of control request in a timely fashion”
  This error is from the GUI wizard itself:
  Error:
  The following error was generated when "$error.Clear();
  $maxWait = New-TimeSpan -Minutes 8
  $timeout = Get-Date;
  $timeout = $timeout.Add($maxWait);
  $currTime = Get-Date;
  $successfullySetConfigDC = $false;
  while($currTime -le $timeout)
  $setSharedCDCErrors = @();
  try
  Set-SharedConfigDC -DomainController $RoleDomainController -ErrorVariable setSharedCDCErrors -ErrorAction SilentlyContinue;
  $successfullySetConfigDC = ($setSharedCDCErrors.Count -eq 0);
  if($successfullySetConfigDC)
  break;
  Write-ExchangeSetupLog -Info ("An error ocurred while setting shared config DC. Error: " + $setSharedCDCErrors[0]);
  catch
  Write-ExchangeSetupLog -Info ("An exception ocurred while setting shared config DC. Exception: " + $_.Exception.Message);
  Write-ExchangeSetupLog -Info ("Waiting 30 seconds before attempting again.");
  Start-Sleep -Seconds 30;
  $currTime = Get-Date;
  if( -not $successfullySetConfigDC)
  Write-ExchangeSetupLog -Error "Unable to set shared config DC.";
  " was run: "System.Exception: Unable to set shared config DC.
  at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
  at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
  at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
  at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
  at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
  Exchange logs which have been written:
  **The error will loop around for 8 minutes on trying to set-sharedconfig DC whatever this is trying to do ??
  [01/20/2015 17:13:20.0084] [2] Active Directory session settings for 'Set-SharedConfigDC' are: View Entire Forest: 'True', Configuration Domain Controller:mydomain.com', Preferred Global Catalog: 'mydomain.com', Preferred Domain Controllers:
  '{ mydomain.com}'
  [01/20/2015 17:13:20.0084] [2] User specified parameters: 
  -DomainController:mydomain.com' -ErrorVariable:'setSharedCDCErrors' -ErrorAction:'SilentlyContinue'
  [01/20/2015 17:13:20.0084] [2] Beginning processing Set-SharedConfigDC
  [01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
  Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
  [01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
  Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
  [01/20/2015 17:13:20.0178] [2] Ending processing Set-SharedConfigDC
  [01/20/2015 17:13:20.0193] [2] Beginning processing Write-ExchangeSetupLog
  [01/20/2015 17:13:20.0193] [2] An error ocurred while setting shared config DC. Error: The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details
  No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0193] [2] Ending processing Write-ExchangeSetupLog
  [01/20/2015 17:13:20.0193] [2] Beginning processing Write-ExchangeSetupLog
  [01/20/2015 17:13:20.0193] [2] Waiting 30 seconds before attempting again.
  [01/20/2015 17:13:20.0193] [2] Ending processing Write-ExchangeSetupLog
  [01/20/2015 17:13:50.0195] [2] Beginning processing Write-ExchangeSetupLog
  [01/20/2015 17:13:50.0273] [2] [ERROR] Unable to set shared config DC.
  [01/20/2015 17:13:50.0273] [2] [ERROR] Unable to set shared config DC.
  [01/20/2015 17:13:50.0288] [2] Ending processing Write-ExchangeSetupLog
  [01/20/2015 17:13:50.0288] [1] The following 1 error(s) occurred during task execution:
  [01/20/2015 17:13:50.0288] [1] 0.  ErrorRecord: Unable to set shared config DC.
  [01/20/2015 17:13:50.0288] [1] 0.  ErrorRecord: System.Exception: Unable to set shared config DC.
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
     at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
     at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
     at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
  [01/20/2015 17:13:50.0288] [1] [ERROR] The following error was generated when "$error.Clear();
  $maxWait = New-TimeSpan -Minutes 8
  $timeout = Get-Date;
  $timeout = $timeout.Add($maxWait);
  $currTime = Get-Date;
  $successfullySetConfigDC = $false;
  while($currTime -le $timeout)
  $setSharedCDCErrors = @();
  try
  Set-SharedConfigDC -DomainController $RoleDomainController -ErrorVariable setSharedCDCErrors -ErrorAction SilentlyContinue;
  $successfullySetConfigDC = ($setSharedCDCErrors.Count -eq 0);
  if($successfullySetConfigDC)
  break;
  Write-ExchangeSetupLog -Info ("An error ocurred while setting shared config DC. Error: " + $setSharedCDCErrors[0]);
  catch
  Write-ExchangeSetupLog -Info ("An exception ocurred while setting shared config DC. Exception: " + $_.Exception.Message);
  Write-ExchangeSetupLog -Info ("Waiting 30 seconds before attempting again.");
  Start-Sleep -Seconds 30;
  $currTime = Get-Date;
  if( -not $successfullySetConfigDC)
  Write-ExchangeSetupLog -Error "Unable to set shared config DC.";
          " was run: "System.Exception: Unable to set shared config DC.
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
     at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
     at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
     at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
  [01/20/2015 17:13:50.0288] [1] [ERROR] Unable to set shared config DC.
  [01/20/2015 17:13:50.0288] [1] [ERROR-REFERENCE] Id=AllADRolesCommonServiceControl___ee47ab1c06fb47919398e2e95ed99c6c Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
  [01/20/2015 17:13:50.0288] [1] Setup is stopping now because of one or more critical errors.
  [01/20/2015 17:13:50.0288] [1] Finished executing component tasks.
  [01/20/2015 17:13:50.0304] [1] Ending processing Install-BridgeheadRole
  Windows Event Viewer:
  Process Microsoft.Exchange.Directory.TopologyService.exe (PID=5276) Forest mydomain.com. Exchange Active Directory Provider couldn't find minimal required number of suitable Global Catalog servers
  in either the local site 'Default-First-Site' or the following sites:

  Hi apl228,
  1. Please make sure the IPv6 is enabled.
  2. Please make sure the account that install Exchange server has Administrator permission.
  3. Please make sure DNS has been configured correctly.
  Thanks
  Mavis Huang
  TechNet Community Support

• ACS Local databse authentication as a failover to Active Directory

  Hi all
  Router- 10.10.10.1
  ACS-10.10.10.2
  AD-10.10.10.3
  in AD - created  a group called "telnet users" - added user with name of - john
  I have added cisco router as clients in Cisco ACS 5.1 and integrated with Active directory. when i telnet to 10.10.10.1 , i can logon with Active directory account
  but i want a faiover to active directory with ACS local database
  Can you let me know how to configure?
  In ACS - i have created a user with name of - Test1 and  Identity group : all groups.
  Can any one help please.

  Hi,
  You need to create an Identity Store Sequence and then select that Identity Store under the Identity section of the Access Service.
  1.
  2.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Active directory mobile accounts

  Hi,
  Just did a clean install of Lion, joined it to my active directory (Windows SBS 2003). No issues with this part...
  But when I log in as a domain user, I get:
  the home folder for user is not located in the usual place or cannot be accessed
  Strangely enough, if I turn off mobile account creation, it works, and /Users/domainuser is created. If I then turn back on mobile account creation I get the error again.
  Anybody else experience this? Any pointers on how to troubleshoot?

  WORKAROUND for "Error: The home folder for user "ActiveDirectoryUser" isn't located in the usual place or can't be accessed. The home or Users folder may have been moved or deleted. If the home...."
  I was able to "Fix" the Mobile Account issue above in Lion -for now. (Valid as of 8/18/11 on Lion 10.7.1)
  - In Directory Utility -> Active Directory -> Advanced Options, I unchecked "Create mobile account at login" and left "Force local home directory on startup disk" checked
  - Log out then back in as a networked user,  -A local home directory will be created under /Users but will not be accessible if network is offline (non-mobile)
  - Open Terminal
  --- Type: cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/
  --- Type: ./createmobileaccount -n username
  The username you specify with the createmobileaccount command will turn it from a standard account into a mobile account.
  This fixes Active Directory mobile accounts for the time being so now its on to Open Directory which refuses to stay bound after a reboot.

• Laptop (Running Windows 8.1) no longer able to print and now see message Active Directory Domain Services is not available

  Have a very recent Lenovo Ideapad Laptop running Windows 8.1. Connected via USB port to HP LaserJet Pro CM1415 frw Color MFP Printer. Was able to print fine nearly 2 weeks ago, but something recently happened - either a new windows or office 2013 update
  or perhaps I blew away a certain file by mistake. I can see the printer installed but cannot print to it from anything (Word, Notepad, IE, Firefox etc.). The one thing to note is that usually when I plug or unplug a USB related device, Windows 8.1 recognizes
  this and makes a certain chime noise, but with the printer USB cable it never makes that noise - making me think that it never fully recognizes the printer. Also when I select the printer (from within the control panel) and right click for properties (via
  admin rights) It never lets me fully connect to it.
  I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services,  etc. Its really annoying because this printer was working fine nearly 2
  weeks ago. Looking for any advice now. Thanks.
  -Chris

  Hi Chris,
  à
  I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services, etc.
  I noticed that you had reinstalled the printer. Just a confirmation, when un-install this printer, please check
  if this printer still exist in registry. For more details, please refer to following KB.
  Registry entries for printing
  If printer entry still exist in registry, please delete that printer entry and re-install this printer again,
  then check if this issue still exists. (Please backup registry entries before operating registry. It will help us to avoid unexpected issue.)
  àand now see
  message Active Directory Domain Services is not available
  By the way, would you please let me know where/when get this
  Active Directory Domain Services is not available error message? Or provide a screenshot of it?
  (Please hide all protected or private information) Please check if all services are running correctly on the computer. Meanwhile, please refer to following article and check if can help you.
  Printer
  Problem: Active Directory Domain Services is currently unavailable – Why does windows say no printers are installed?
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
  does not guarantee the accuracy of this information.
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• I am getting a Changing Password Failed error when I try to join an active directory

  I had a working AD configuration under Snow Leopard. When I upgraded to Mountain Lion, my account was no longer in sync with the domain. I got the red dot on the login screen and my domain password was out of sync. I unhooked from the domain at that point. This was several months ago.
  However, over the last few weeks, I keep finding myself locked out of the domain. I suspect it's something on my Mac that is trying to use my old credentials. I was hoping to rejoin the domain and see if I could get my account back in sync. When I get a domain admin to enter his password on the Directory Utility join screen, it first notes that the computer account already exists in the domain. I tell it to continue, but I can't get past this point:
  2013-06-24 14:21:20.729935 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - Computer account either already exists or DC is already Read/Write
  2013-06-24 14:21:20.732774 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - existing record found 'CN=MYMACHINE,OU=Default,OU=Workstations,OU=MyCity,OU=North America,DC=GLOBAL,DC=OURCORP,DC=NET'
  2013-06-24 14:21:20.732822 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - switching to cache 'MEMORY:0x7faef36ed770'
  2013-06-24 14:21:20.733141 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service kdc for realm GLOBAL.OURCORP.NET flags 2
  2013-06-24 14:21:20.734196 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
  2013-06-24 14:21:20.734221 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kerberos (1.2.3.4)
  2013-06-24 14:21:20.741380 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kerberos (1.2.3.4)
  2013-06-24 14:21:20.741416 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
  2013-06-24 14:21:20.741619 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password
  2013-06-24 14:21:20.741637 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password using: MS set password in realm GLOBAL.OURCORP.NET
  2013-06-24 14:21:20.741648 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - using TCP since the ticket is large: 1560
  2013-06-24 14:21:20.741665 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service change_password for realm GLOBAL.OURCORP.NET flags 2
  2013-06-24 14:21:20.742867 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
  2013-06-24 14:21:20.742908 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kpasswd (1.2.3.4)
  2013-06-24 14:21:20.745231 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kpasswd (1.2.3.4)
  2013-06-24 14:21:20.745250 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
  2013-06-24 14:21:20.745398 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - set password using MS set password returned: 0 result_code 3
  2013-06-24 14:21:20.745417 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for '[email protected]' with error '' (3)
  2013-06-24 14:21:20.745426 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - setting Computer Password FAILED for existing record - 5103
  2013-06-24 14:21:20.745818 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential operation failed' (5103)

  Reggierror,
  Had the same issue and discovered that I made my AD object name too long (16 instead of 15 character which is the limit) You might want to try making the computer object name shorter if you can.

• SMB access for Active Directory users

  Hi there,
  My server is an OD Master bound to AD for authentication and my institution's Kerberos realm.
  When I try to share files from the server via SMB and connect as an Active Directory user I get the following error in the logs:
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parse_name(myserver$) failed (Configuration file does not specify default realm)
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  I've read something vague about having to Kerberize the SMB service seperately so I'm not sure if that's the problem.
  My smb.conf file is as follows:
  ; Configuration file for the Samba software suite.
  ; ============================================================================
  ; For the format of this file and comprehensive descriptions of all the
  ; configuration option, please refer to the man page for smb.conf(5).
  ; The following configuration should suit most systems for basic usage and
  ; initial testing. It gives all clients access to their home directories and
  ; allows access to all printers specified in /etc/printcap.
  ; BEGIN required configuration
  ; Parameters inside the required configuration block should not be altered.
  ; They may be changed at any time by upgrades or other automated processes.
  ; Site-specific customizations will only be preserved if they are done
  ; outside this block. If you choose to make customizations, it is your
  ; own responsibility to verify that they work correctly with the supported
  ; configuration tools.
  [global]
  debug pid = yes
  log level = 1
  server string = Mac OS X
  printcap name = cups
  printing = cups
  encrypt passwords = yes
  use spnego = yes
  passdb backend = odsam
  idmap domains = default
  idmap config default: default = yes
  idmap config default: backend = odsam
  idmap alloc backend = odsam
  idmap negative cache time = 5
  map to guest = Bad User
  guest account = nobody
  unix charset = UTF-8-MAC
  display charset = UTF-8-MAC
  dos charset = 437
  vfs objects = darwinacl,darwin_streams
  ; Don't become a master browser unless absolutely necessary.
  os level = 2
  domain master = no
  ; For performance reasons, set the transmit buffer size
  ; to the maximum and enable sendfile support.
  max xmit = 131072
  use sendfile = yes
  ; The darwin_streams module gives us named streams support.
  stream support = yes
  ea support = yes
  ; Enable locking coherency with AFP.
  darwin_streams:brlm = yes
  ; Core files are invariably disabled system-wide, but attempting to
  ; dump core will trigger a crash report, so we still want to try.
  enable core files = yes
  ; Configure usershares for use by the synchronize-shares tool.
  usershare max shares = 1000
  usershare path = /var/samba/shares
  usershare owner only = no
  usershare allow guests = yes
  usershare allow full config = yes
  ; Filter inaccessible shares from the browse list.
  com.apple:filter shares by access = yes
  ; Check in with PAM to enforce SACL access policy.
  obey pam restrictions = yes
  ; Don't be trying to enforce ACLs in userspace.
  acl check permissions = no
  ; Make sure that we resolve unqualified names as NetBIOS before DNS.
  name resolve order = lmhosts wins bcast host
  ; Pull in system-wide preference settings. These are managed by
  ; synchronize-preferences tool.
  include = /var/db/smb.conf
  [printers]
  comment = All Printers
  path = /tmp
  printable = yes
  guest ok = no
  create mode = 0700
  writeable = no
  browseable = no
  ; Site-specific parameters can be added below this comment.
  ; END required configuration.
  Any help would be much appreciated!!
  Thanks.

  I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
  [2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
  setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
  When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
  Not feeling the Mac OS X love tonight.
  Bill
  System is bound to active directory - green light in Directory Utility

• ACS 5.1 with Windows Active Directory

  Hi All,
  I installed ACS 5.1 in vmware server successfully. I have problem while intergrating cisco acs with microsoft Windows 2008 active directory. I already verfied all the related parameters like Domain name, user rights to join in AD, DNS name resolve and IP-Address.
  But, I can able to add any system into my domain without any issues and this is not happening in Cisco ACS 5.1 version.While testing the Active Directory - Test connection it prompts with error message " Can not resolve network address".
  Please help me from this issue.
  Regards
  Mani

  Hi
  Have you setup the correct DNS servers and domain name in the ACS and also do you have an entry in the DNS for the ACS server?
  Dave

• What is the default Win2000 Active Directory Object Attribute definition for adding users? I'm using the 4.1 Netscape Directory SDK

  The Netscape/NDS AddUser implements inetOrgPerson, and some other objects/Attributes not implemented in Active Directory Object Attributes, and I receive errors about the Attributes. Could you tell me the correct Attribute definition for the default DS, to add a user?

  Unsure what you mean. iDS 5 implements the inetOrgPerson as of the RFC. It is made of 4 objects top, person, organizationPerson and inetOrgPerson. The user object in MAD using many more MS specifi attributes in the top class. (53 extras)