IPhone/Active Directory Issue

Similar Messages

• Active Directory Issues 10.7.4 & 10.7.5

  Hi
  I'm having problems with all my 10.7.4 & 10.7.5 mac's. They're losing their connection to AD. When I got to unbind I get the follwing error:
  Unable to access domain controller
  This computer is unable to access the domain controller for an unknown reason. Warning: If you click force unbind you will leave an unused computer account in the directory.
  I then get an option to ok or force unbind. If I force unbind if I force unbind I get the following error:
  An unknown error occurred
  An unknown error occurred
  Helpful, I'm sure you'll agree! If I go in to Console I can see the following to errors:
  02/10/2012 16:01:25.682 Directory Utility: An instance 0x7f8f02b30f30 of class ODCUnbindFromADAction was deallocated while key value observers were still registered with it. Observation info was leaked, and may even become mistakenly attached to some other object. Set a breakpoint on NSKVODeallocateBreak to stop here in the debugger. Here's the current observation info:
  <NSKeyValueObservationInfo 0x7f8f02b56970> (
  <NSKeyValueObservance 0x7f8f02b568c0: Observer: 0x7f8f01cea980, Key path: progressStatus, Options: <New: NO, Old: NO, Prior: NO> Context: 0x0, Property: 0x7f8f02b569a0>
  and...
  02/10/2012 16:03:32.463 Directory Utility: -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007 "The operation couldn’t be completed. (OSStatus error -60007.)" (The authorization was denied since no user interaction was possible. )
  When users are curently logged in they lose access to SSH sessions, and network drives etc... they have had issues with saving work and subsiqently losing it!
  When I go in to opendirectyd.log I see the following:
  2012-10-02 15:37:42.208 BST - opendirectoryd (build 172.17) launched...
  2012-10-02 15:37:42.265 BST - Logging level limit changed to 'error'
  2012-10-02 15:37:42.902 BST - Initialize trigger support
  2012-10-02 15:37:42.904 BST - Registered node with name '/Active Directory' as hidden
  2012-10-02 15:37:42.904 BST - Registered node with name '/Configure' as hidden
  2012-10-02 15:37:42.905 BST - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'
  2012-10-02 15:37:42.905 BST - Registered node with name '/Contacts'
  2012-10-02 15:37:42.906 BST - Registered node with name '/LDAPv3' as hidden
  2012-10-02 15:37:42.939 BST - Registered node with name '/Local' as hidden
  2012-10-02 15:37:42.964 BST - Registered node with name '/NIS' as hidden
  2012-10-02 15:37:42.965 BST - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'
  2012-10-02 15:37:42.965 BST - Registered node with name '/Search'
  2012-10-02 15:37:43.024 BST - Discovered configuration for node name '/Active Directory/NUCA-AD' at path '/Library/Preferences/OpenDirectory/Configurations/Active Directory/NUCA-AD.plist'
  2012-10-02 15:37:43.024 BST - Registered subnode with name '/Active Directory/NUCA-AD'
  2012-10-02 15:37:43.024 BST - Registered placeholder subnode with name '/Active Directory/NUCA-AD/All Domains'
  2012-10-02 15:37:43.040 BST - Discovered configuration for node name '/LDAPv3/nuca-mon1.nuca.ac.uk' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/nuca-mon1.nuca.ac.uk. plist'
  2012-10-02 15:37:43.040 BST - Registered subnode with name '/LDAPv3/nuca-mon1.nuca.ac.uk'
  2012-10-02 15:37:43.108 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'
  2012-10-02 15:37:43.307 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'
  2012-10-02 15:37:44.311 BST - '/Search' has registered, loading additional services
  2012-10-02 15:37:44.311 BST - Initialize augmentation support
  2012-10-02 15:37:44.352 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'
  2012-10-02 15:37:44.423 BST - Successfully registered for Kernel identity service requests
  2012-10-02 15:37:44.482 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'
  2012-10-02 15:37:44.566 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'
  2012-10-02 15:37:45.461 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'
  2012-10-02 15:37:45.463 BST - Registered subnode with name '/Local/Default'
  2012-10-02 15:37:45.556 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
  2012-10-02 15:37:45.600 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClient.bundle'
  2012-10-02 15:37:45.645 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ActiveDirectory.bundle'
  2012-10-02 15:37:45.654 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/Kerberosv5.bundle'
  2012-10-02 15:37:45.858 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/NetLogon.bundle'
  2012-10-02 15:37:45.858 BST - Registered subnode with name '/Active Directory/NUCA-AD/nuca.ac.uk' as hidden
  2012-10-02 15:37:45.859 BST - Unregistered placeholder node with name '/Active Directory/NUCA-AD/All Domains'
  2012-10-02 15:37:45.860 BST - Registered subnode with name '/Active Directory/NUCA-AD/All Domains'
  2012-10-02 15:37:45.861 BST - Registered subnode with name '/Active Directory/NUCA-AD/Global Catalog' as hidden
  2012-10-02 15:37:57.468 BST - failed to retrieve password for credential
  2012-10-02 15:37:59.051 BST - failed to retrieve password for credential
  2012-10-02 15:38:04.052 BST - failed to retrieve password for credential
  2012-10-02 15:38:14.054 BST - failed to retrieve password for credential
  2012-10-02 15:38:29.056 BST - failed to retrieve password for credential
  2012-10-02 15:38:49.076 BST - failed to retrieve password for credential
  2012-10-02 15:39:11.505 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/configure.bundle'
  2012-10-02 15:39:11.900 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/keychain.bundle'
  Interestingly enough, the problem doesn't seem to effect users runing 10.6.8 or my iMac which is running 10.8.2. I've spoken to network manager and he can't see anything strange going on, on the network.
  I've also spoekn to our AD guy and nothing has changed.
  This is now the second time it's happend, I've managed to get everyone working (before it happened again) by deleting the AD plist in /Library/Preferences/OpenDirectory/Configurations/Active\ Directory/ then rebinding via a scipt pushed out via ARD
  If anyone can offer any assitance I'd be most gratful as I'm about to be shot by our users! as it's the start of our new academic year!
  Thanks!
  Paul

  It's been a few weeks now, and (touch wood) it's not happended again on mass. We have had a few individual ones, but nothing major.
  We still don't quite know exactly what happened, but trouble shooting found the following:
  Our time server wasn't working corrctly centrifys ADCheck tool showed it as having a firewall (even though it didn't) our AD guy fixed that problem (sorry not sure exactly what he did)
  We checked the AD kerberos ticket from a machine that lost it's connection to AD, on another mac that worked and found that it couldn't connect as the password was wrong. It seems that by default Active Directory ticket wants to change it's password every 14, and when trying to it's failing so I set it to 0
  We had tried to set the server the AD plugin see's to a specific DC but this wasnt happening due to subnets not being configured in AD sites and Services
  Some of the Mac's did not like being set to GMT in the time zone and the time was an hour out, people where able to login though! So I've now set them to Eurpoe\London and they're now picking up the correct time and even picked up the daylight savings over the weekend.
  Our DNS is still not great but we are in the process of sorting out our subnets and when we do the consolodation we'll also asign reservations for all the mac's in the hope that apeases DDNS
  Thanks Paul

• Cisco ISE 1.3 Active Directory issue

  Hi Folks
  I am having an issue with our Cisco ISE and would love some feedback or a solution. I have to ISE configured to use our Active Directory setup and so far it appears to be functional. I could connect to AD retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the 'Administration >  Identity Management > External Sources page and select our AD instance from the left hand side window the screen locks up and refuses to load.  Any advice?

  hi
  i also had this issue (and one of my collegue also) when using Firefox (version 34 and 35)
  i managed to create the AD server using IE 10 for example, and after it appears correctly with Firefox
  it was before ise1.3patch 1, but i have seen no corrected issue in patch1 release note for this problem
  guillaume

• CCE Web Administration - Active Directory issue when managing agent attributes

  I am experiencing an issue when managing agents (supervisors specifically) in CCE Web Admin.  When attempting to add / remove / modify an Attribute for a supervisor agent we are getting an error that the supervisor must have a valid active directory account.  (Screenshot attached)  The agents that this is affecting are correctly configured in ICM as a supervisor and ICM was able to successfully move their AD account into the 'Config' AD Security Group.  From looking at the logs on the AWS it appears that the Web Admin tool is attempting to lookup their account in AD via UPN by appending their username to the domain name.  
  Log Snippet:  
  exception=com.cisco.ccbu.api.jaxb.error.ApiException: supervisorUserInfo.userName: Could not find user. Check if a domain account exists for [email protected]
  This isn't going to work for some users in our account because we have multiple suffixes in our domain.  (Our domain is a single forest and I'm not aware of a requirement to have a single suffix.)
  I'm curious why it wouldn't use samaccountname which is what I believe ICM Configuration Manager is using.  Has anyone else experienced this issue?

  Lo and behold, my AD sync started working.
  Though I have added the site to my local intranet sites, I'm not very confident whether this was the actual solution. I've performed several actions configuring my farm before I started troubleshooting this issue again, so it might be another action that
  solved this.
  Alemaitre: can you try the following please:
  See if the SharePoint Web Service site is started in IIS.  If not, start it, see if that works.
  Instead of adding the site to your Trusted Sites, try Local Intranet Sites (click Advanced to add sites besides using auto-discovery)
  Turn the Security Level for the zone all the way down.
  Turn off Compression for your site in IIS, do an iisreset, see if that works.
  I've also had to remove a host header from my MySite portal (running on port 8080 here), unlikely for this to be the cause but it's just one of the things I did this morning :-)
  Should I think of anything else, I'll let you know.
  Bonne chance.

• Active directory issue

  This is the replication status for the following directory partition on this directory server. 
  Directory partition:
  DC=ForestDnsZones,DC=shankarpack,DC=com 
  This directory server has not received replication information from a number of directory servers within the configured latency interval. 
  Latency Interval (Hours): 
  24 
  Number of directory servers in all sites:
  1 
  Number of directory servers in this site:
  1 
  The latency interval can be modified with the following registry key. 
  Registry Key: 
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) 
  To identify the directory servers by name, use the dcdiag.exe tool. 
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

  sir, i means that secondary domain server is down due to system motherboard issue.so guide to me that how remove all setting of the secondary domain from primary domain. (shankarpack.com).
  errors are :
  Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more
  domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 
  Source domain controller: 
   AVS1 
  Failing DNS host name: 
   f0c8f1a9-50fd-4785-8ca4-29b1d824b251._msdcs.shankarpack.com 
  NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 
  Registry Path: 
  HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 
  User Action: 
   1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined
  in MSKB article 216498. 
   2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 
   3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
    dcdiag /test:dns 
   4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 
    dcdiag /test:dns 
   5) For further analysis of DNS error failures see KB 824449: 
     http://support.microsoft.com/?kbid=824449 
  Additional Data 
  Error value: 
   11004 The requested name is valid, but no data of the requested type was found. 
  This is the replication status for the following directory partition on this directory server. 
  Directory partition:
  DC=ForestDnsZones,DC=shankarpack,DC=com 
  This directory server has not received replication information from a number of directory servers within the configured latency interval. 
  Latency Interval (Hours): 
  24 
  Number of directory servers in all sites:
  1 
  Number of directory servers in this site:
  1 
  The latency interval can be modified with the following registry key. 
  Registry Key: 
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) 
  To identify the directory servers by name, use the dcdiag.exe tool. 
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".
  This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are
  preventing validation of this role. 
  Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
  FSMO Role: DC=shankarpack,DC=com 
  User Action: 
  1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
  2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity,
  DNS name resolution, or security authentication that are preventing successful replication. 
  3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server.
  This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 
  The following operations may be impacted: 
  Schema: You will no longer be able to modify the schema for this forest. 
  Domain Naming: You will no longer be able to add or remove domains from this forest. 
  PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts. 
  RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups. 
  Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

• Active directory issue regarding time (DST) - Cant bind any Macs to 2000 AD

  I am working with a new server at a small mostly Windows based school district. I am here to do a small AD/OD integration with nothing out of the normal. They are using Windows 2000 server and 10.4.11 with all the current software updates. I tested binding to their AD several months back and it ran without a hitch. Now, today when I attempted to bind their new Intel Xserve running 10.4.11 to their AD, it fails yielding the "Active directory only permits slight variations between the clocks..." error message.
  I have seen this before and the message has always been very descriptive in describing the problem (time is off on one end or the other). The issue here is that the machines are all running within a second or two of each other. I verified this my self several times on all the AD servers, each mac client and the mac server. I also checked other normal pitfalls and could not find anything. I can reproduce this error on 10.4.11 server, 10.4.11 client and 10.5.2 client (my laptop) so its not any specific install of OS X, its something in AD.
  Is there any chance that this has something to do with the recent changes to daylight savings time? The on-staff admin at the district manually moved the time ahead one hour on Monday morning to bring the windows system up to the current time. As I stated before, this district uses 2000 server. MS does not support 2000 any more and has not issued any updates regarding the recent daylight savings time changes. I have done a ton of searching and I have not been able to find any other mention of such an issue as I would assume that it would be rather wide spread.
  Any help would be appreciated. Thanks!

  Hi
  You can extend the time difference from the default 5 minutes to 10 minutes. This is done on the AD Server either using the GMM or the DMM. This might help with the issue you are seeing.
  Failing that you could point the AD to an internet based time server along with everything else on the network OR make everything on the network use the AD as the time server.
  Apologies if you have already tried this, Tony

• Identity services engine Active directory issue

  Hi Folks
  We have two ISE instances running in a virtual machine environment on a Cisco UCS . Both ISE’s are running version 1.1.4 and have been patched to the latest engine patch for that version (patch 11).   The primary is setup to be the administration primary and the monitoring secondary and the secondary ISE  is setup as the administration secondary and the monitoring primary.  
  The Cisco UCS is connected to a pair of Nexus 5548 switches and they are connected to our core switches both Cisco 6500’s. 
  At the moment both ISE's can connect to Active Directory (test connection) but only the secondary can join. The error message I am getting on the priimary is:
  Cannot open file /var/centrifydc/previous/kset.domain: No such file or directory
   due to unexpected configuration or network error.
  Please try the --verbose option or run  adinfo --diag  to diagnose the problem.
  Join to domain  staff.local , zone  null  failed.
  Has anyone seen this error  before? I have compared the configs of the two instances and found no differences in configuration. One major difference I did find was that the primary is running Red Hat and the secondary is running Ubuntu.

  Duplicate post. 
  Go HERE.

• Odd Active directory issue

  Some background. The company I work for is almost all PC, however, our graphic designers run mac, for obvious reasons. I'm the only I.S. tech with any mac experience at all, so it has fallen on me to get them all officially on the domain now.
  I'm using my G3 ibook as a testbed for this, and so far, rather easily I have used the directory access module to get myself on the domain, and authenticated. I can smb\\______ to any server or network share resource I need. However, when I click on the network icon in finder, I am presented with a list of our domain resources (about 50). From there, I select the main device domain which should contain all the PC's/printers/fileservers for my company (around 5500). Despite all my best attempts, I cannot get finder to show more than the first 2200 or so items.
  Here's the odd thing. I installed a demo of AdmitMAC (which we are not able to purchase for these users, i'm told now) and I am able to see all 5500 items in finder. Any ideas?
  IbookG3 600 - 512 - 30GB - Airport   Mac OS X (10.3.9)  
  Asus K8VSE - AMD64 3200+ - 1024DDR   Windows XP Pro  

  This most likely isn't related to Active Directory but rather the Mac OS X SMB client. They are related but don't do the same thing.
  I suspect the reason that the ADmitMac client worked for you is that it either has a more robust SMB browsing mechanism or it's better able to work with your network's Master Browser workstations. Windows machines (or most modern SMB clients) can nominate the most robust machines on the network to be Master Browsers for the network, which then pass the network list to the other computers. Domain controllers typically assume this role when a domain is present.
  Sorry that this isn't a solution but maybe it will give you some insight into what's happening.
  1 GHz Powerbook G4   Mac OS X (10.4.6)  

• Pulling "cn=Users" account data from Active Directory issue

  I'm using the following general syntax:
  ldapsearch -h <active directory server> -p 389 -D "CN=Administrator,CN=Users,dc=ORACLE,dc=COM" -b "DC=ORACLE,DC=COM" -s base objectclass=*
  What I get is only "cn=System" output. Any ideas to get the "cn=Users" data?? I can authenticate users in other ways using the Oracle LDAP tools through the same "active directory server". So it's not a matter of it not existing in the Active Directory Server. Also, there is no password right now for the "Administrator" account; so it's not a matter of including/excluding the "-w" option.
  Any suggestions??
  Thanks.

  I recommend you to post this here:
  Forums Home » Oracle Technology Network (OTN) » Products » Application Server » Oracle Internet Directory
  Identity Manager
  Joel Pérez
  http://otn.oracle.com/experts

• Synchronization with Active Directory issue - Error ID 1004

  I  found the Application Event Log error below.  
  Error ID 1004: The resource 'D:\SharePoint 2010\14.0\Service\Microsoft.ResourceManagement.Service.exe' does not exist.
  This means, the Network Service account does not have rights to the %programfiles%\Microsoft Office Servers\14.0 folder so,
  the User Profile Synchronisation with Active Directory does not run properly.
  The solution is to grant read access to the Network Service account to the  ...\14.0 folder.
   https://support2.microsoft.com/kb/2473430?wa=wsignin1.0
  But I cannot find %programfiles%\Microsoft
  Office Servers\14.0 folder. Instead
  there is a folder in D drive: 'D:\SharePoint 2010\14.0 and I granted read access to the Network Service account to this
  folder and ran Full synchronization but still not a joy.
  Could you please advise me?
  Thanks

  Thanks Victoria, 
  I granted full access to the user
  NETWORK SERVICE:, which
  is listed in the error message on the folder D:\SharePoint 2010\14.0.
  Then reset IIS and ran a full
  synchronization, but there are still some user accounts who are a member of an AD group (this AD group has contribute right to the Intranet)  and when
  I check permission for those users, it seems they don't inherit permission from that AD group.
  For example :
  AD group name: TeamMembers
  TeamMembers has contribute
  permission.
  user1, user2, user3 and user4 are  members of TeamMembers
  user1 and user2 have contribute
  permissionGiven through the "TeamMembers"
  group.
  user3 and user4 have no permission!!!
  I don't know what the problem is. I don't have access to Active Directory but the people who have access to  say all users are  members of that AD group.
  Could you please advise?
  Thanks

• Strange DNS, Group Policy & Active Directory Issues - Can't track down root issue!

  For the last few weeks, we've been getting complaints, from our developers, about not being able to authenticate on various systems.  The issues were hit & miss but still problematic enough to warrant our looking into it.  It seems to be getting
  worse...  I now have new servers that aren't getting group policy updates.  They may get some, like the list of local admins but won't pick up NTFS permissions for folder-access.  Those that pick up the AD group full of local admins have trouble
  authenticating members of the group.  Some were showing event log entries regarding authentication issues due to being unable to contact an AD DC.  We reloaded that DC but many of the issues still persist.  At this point, I'm running
  out of places to look for ideas.  I've spent the last week looking up Event Log IDs and looking though their meanings and possible remedies but, again, the issues persist.  It doesn't seem to matter what the OS is.  We've been seeing
  this on 2008, 2008-R2 & 2012-R2.
  Here are some examples of events I'm seeing.  I can't figure out the root cause(s).
  Log Name: Application
  Source: Group Policy Files
  Date: 2/19/2015 2:35:12 PM
  Event ID: 4098
  Task Category: (2)
  Level: Warning
  Keywords: Classic
  User: SYSTEM
  Computer: H2T8-IOLDP1.HOMENET.local
  Description:
  The computer 'uptime.exe' preference item in the 'APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}' Group Policy Object did not apply because it failed with error code '0x80090006 Invalid Signature.' This error was suppressed.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Group Policy Files" />
  <EventID Qualifiers="34305">4098</EventID>
  <Level>3</Level>
  <Task>2</Task>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2015-02-19T19:35:12.000000000Z" />
  <EventRecordID>1871</EventRecordID>
  <Channel>Application</Channel>
  <Computer>H2T8-IOLDP1.HOMENET.local</Computer>
  <Security UserID="S-1-5-18" />
  </System>
  <EventData>
  <Data>computer</Data>
  <Data>uptime.exe</Data>
  <Data>APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}</Data>
  <Data>0x80090006 Invalid Signature.</Data>
  </EventData>
  </Event>
  Log Name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
  Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
  Date: 2/19/2015 9:38:13 AM
  Event ID: 20499
  Task Category: None
  Level: Warning
  Keywords:
  User: NETWORK SERVICE
  Computer: H2T8-IOLDP1.HOMENET.local
  Description:
  Remote Desktop Services has taken too long to load the user configuration from server \\h2s3-addc1.HOMENET.local for user RSickler
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
  <EventID>20499</EventID>
  <Version>0</Version>
  <Level>3</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x4000000000000000</Keywords>
  <TimeCreated SystemTime="2015-02-19T14:38:13.182363700Z" />
  <EventRecordID>4</EventRecordID>
  <Correlation />
  <Execution ProcessID="1932" ThreadID="2156" />
  <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin</Channel>
  <Computer>H2T8-IOLDP1.HOMENET.local</Computer>
  <Security UserID="S-1-5-20" />
  </System>
  <UserData>
  <EventXML xmlns="Event_NS">
  <ServerName>\\h2s3-addc1.HOMENET.local</ServerName>
  <UserName>RSickler</UserName>
  </EventXML>
  </UserData>
  </Event>
  Note that these servers are sitting in OUs that are full of other servers that don't have these issues.  These GPOs have been in place for years.  I suspect there's a deeper issue with AD, GP or a combination thereof.  The group policy issues
  seem to only affect freshly loaded servers...

  Hello,
  assure that no firewall is blocking connection for AD required ports as listed in
  https://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
  You have error about not connect setup from AD sites and services with the used subnets in your network and linking them to the correct site, please check this in AD sites and services and also have the DCs placed correct to the site they belong to.
  "During the past 4.20 hours there have been 83 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to
  any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet
  object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially,
  in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'.
  The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize';
  the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes."
  This error is about a not run adprep /rodcprep:
  Starting test: NCSecDesc
           Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
              Replicating Directory Changes In Filtered Set
           access rights for the naming context:
           DC=ForestDnsZones,DC=HOMENET,DC=local
           Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
              Replicating Directory Changes In Filtered Set
           access rights for the naming context:
  So either run the command on a DC or ignore this error.
  Please provide also the following data as file:
  ipconfig /all >c:\ipconfig.log [all DCs]
  dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
  repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log  ["dc* is a place holder for the starting name of the DCs if they all begin the same (if more then one DC exists)]
  dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
  ADREPLSTATUS:
  http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.
  As the output will become large, DON'T post them into the thread, please use Windows Sky Drive(with open access!)
  https://skydrive.live.com and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  
  Info you requested:
  ipconfig_dcs.txt
  dcdiag.txt
  repl.log
  dnslint.htm
  ADREPLSTATUS: ADReplicationStatus.2015.2.23.9.21.16.csv ADReplicationStatusToolData.zip

• ISE / Active Directory: issue to get users group

  Hello,
  We have a strange issue:
  - ISE 1.2 patch 8
  - no WLC, autonomous AP
  In authentication, we check Wireless IEEE 802.11 (radius) and cisco-av-pair (ssid), then we use AD.
  We have 3 SSIDs, so 3 rules, one DATA, one GUEST, one for TOIP.
  In one more rules to grant authentication from APs to register in WDS: user in local database.
  In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access.
  (so 3 rules), and one more to authorise the internal base for WDS.
  We have something strange:
  - sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD Group is not seen.
  Exemple:
  1- OK:
  Authentication Details
  Source Timestamp
  2014-05-15 11:43:19.064
  Received Timestamp
  2014-05-15 11:43:19.065
  Policy Server
  radius
  Event
  5200 Authentication succeeded 
  All the GROUPS of user are seen:
  false
  AD ExternalGroups
  xx/users/admexch
  AD ExternalGroups
  xx/users/glkdp
  AD ExternalGroups
  x/users/gl revue écriture
  AD ExternalGroups
  xx/users/pcanywhere
  AD ExternalGroups
  xx/users/wifidata
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa informatique
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa entreprises et cités
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa campus
  AD ExternalGroups
  xx/users/aiga_creches
  AD ExternalGroups
  xx/users/admins du domaine
  AD ExternalGroups
  xx/users/utilisa. du domaine
  AD ExternalGroups
  xx/users/groupe de réplication dont le mot de passe rodc est refusé
  AD ExternalGroups
  xx/microsoft exchange security groups/exchange view-only administrators
  AD ExternalGroups
  xx/microsoft exchange security groups/exchange public folder administrators
  AD ExternalGroups
  xx/users/certsvc_dcom_access
  AD ExternalGroups
  xx/builtin/administrateurs
  AD ExternalGroups
  xx/builtin/utilisateurs
  AD ExternalGroups
  xx/builtin/opérateurs de compte
  AD ExternalGroups
  xx/builtin/opérateurs de serveur
  AD ExternalGroups
  xx/builtin/utilisateurs du bureau à distance
  AD ExternalGroups
  xx/builtin/accès dcom service de certificats
  RADIUS Username
  xx\cennelin
  Device IP Address
  172.25.2.87
  Called-Station-ID
  00:3A:98:A5:3E:20
  CiscoAVPair
  ssid=CAMPUS
  ssid
  campus 
  2- NO OK later:
  Authentication Details
  Source Timestamp
  2014-05-15 16:17:35.69
  Received Timestamp
  2014-05-15 16:17:35.69
  Policy Server
  radius
  Event
  5434 Endpoint conducted several failed authentications of the same scenario
  Failure Reason
  15039 Rejected per authorization profile
  Resolution
  Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
  Root cause
  Selected Authorization Profile contains ACCESS_REJECT attribute 
  Only 3 Groups of the user are seen:
  Other Attributes
  ConfigVersionId
  5
  Device Port
  1645
  DestinationPort
  1812
  RadiusPacketType
  AccessRequest
  UserName
  host/xxxxxxxxxxxx
  Protocol
  Radius
  NAS-IP-Address
  172.25.2.80
  NAS-Port
  51517
  Framed-MTU
  1400
  State
  37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
  cisco-nas-port
  51517
  IsEndpointInRejectMode
  false
  AcsSessionID
  radius/189518899/49890
  DetailedInfo
  Authentication succeed
  SelectedAuthenticationIdentityStores
  AD1
  ADDomain
  xxxxxxxxxxx
  AuthorizationPolicyMatchedRule
  Default
  CPMSessionID
  b0140a6f0000C2E15374CC7F
  EndPointMACAddress
  00-xxxxxxxxxxxx
  ISEPolicySetName
  Default
  AllowedProtocolMatchedRule
  MDP-PC-PEAP
  IdentitySelectionMatchedRule
  Default
  HostIdentityGroup
  Endpoint Identity Groups:Profiled:Workstation
  Model Name
  Cisco
  Location
  Location#All Locations#Site-MDP
  Device Type
  Device Type#All Device Types#Cisco-Bornes
  IdentityAccessRestricted
  false
  AD ExternalGroups
  xx/users/ordinateurs du domaine
  AD ExternalGroups
  xx/users/certsvc_dcom_access
  AD ExternalGroups
  xx/builtin/accès dcom service de certificats
  Called-Station-ID
  54:75:D0:DC:5B:7C
  CiscoAVPair
  ssid=CAMPUS 
  If you have an idea, thanks so much,
  Regards,

  To configure debug logs via the Cisco ISE user interface, complete the following steps
  :Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
  You can use the Filter button to search for a specific node, particularly if the node list is large.
  www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750

• Andrioid 4.4.4 Galaxy S5 and Exchange 2010 / Active Directory issue

  I have posted this here because I don't see a category for Exchange 2010 which is what we currently use and I am not sure where else to post it. Please redirect if needed.  Thanks in advance.
  I am an IT Tech and I am trying to connect my phone to my email using the standard email application on the phone, with no success. 
  I was convinced for a long while that it was my phone. 
  I tried everything I could with the phone and restricting background data and everything but nothing worked. 
  I type in the credentials and it accepts them and shows me the mailbox but then it never loads the mail and folders. 
  I must have gone through this process 100 times and occasionally I get a message saying the certificate is incorrect do I want to accept it anyway. 
  I view the certificate and it is for another domain.  When that doesn’t happen I just get pushed from checking the server setting and then it moves right to the settings of the mailbox. 
  However I don’t get the warning like I did when I created a new mailbox and AD account.
  Create new exchange mailbox/ AD account – This worked, but ultimately I want my current user name and mailbox to work. 
  I don’t want to move to a new one if I don’t have to – I created a new mailbox which intern created an AD account. 
  After this was done I attempted to sync this account with the phone. 
  It worked first time without a problem.  After the phone checked the server settings it gave me the warning that I was going to have to let the server control the device like it always does. 
  It also made me accept the System Administrator settings. 
  I sent a test email to and from it with no problem.
  There are other people on our server with Galaxy S5’s and other Android based devices and I have added mail to their devices just like I would my device and they have no problems at all. 
  I have matched up the mailbox settings and AD settings and everything is the same for the most part. 
  It is bound to be a little different because I am an IT Tech so obviously I have more than the others, but I don’t feel like additional security should not allow me to add to my mailbox to my device 
  Other things I tried through the process, with no success, in no particular order are:
  Tried connecting my account from different devices
  Disconnected and recreated mailbox
  Deleted and recreated AD account
  There is one thing I noticed in the security tab of the AD account, other people using our mail system and Android based devices have something called
  Data Sync.  That is some sort of contact in AD
  I guess.  I cannot find any information about it and when I add it to my security tab, it will not stay. 
  After I close AD and check back 15 minutes late it is gone. 
  I am trying to describe this the best possible way.  Has anyone experienced similar issue? 
  If there is any further information needed feel free to ask. 

  Then I would firstly suggest visiting the Remote Connectivity Analyzer Website to check common availability to your mailbox. Just run through the test.
  I ran this test as suggested two different ways.  With my user name and password and then a second time with the mail server.  Both times in failed all tests with the exception of the following three:
  Attempting to resolve the host name in DNS.
  Testing the TCP port 443 on host to ensure it's listening and open.
  The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server on port 443.
  All three of these passed.  I am not sure what most of this means, but we have people in the company a variety of different devices that connect with no problem.  For this reason I believe this problem is localized to my AD account or my mailbox,
  I have matched up settings with people that I know have the same device and use it on a daily basis with no problem and can not find anything different.

• Strange Active Directory issue on 2012 R2 2ND-DC with 2003 R2 PRI-DC

  I ran into this issue earlier today which is something I haven't seen before. 
  Current setup is 1 Forest & 1 Domain with a single Domain Controller (W2003 R2) which obviously has all the FSMO roles since it's the only DC in the domain ever installed. We're ready to decommission this OLD W2003r2 server so I prepped a new machine
  and installed Windows Server 2012 r2 on it, all patched up. 
  Done the followings:
  1. Joined the new server to the domain (successful)
  2. promoted the new server to a domain controller (successful without any errors or warnings)
  3. Verified that the DNS records have replicated from the primary DC to the 2nd DC (successful)
  4. Verified that I was able to access the AD services on the new domain controller, users, ou's, sites etc. (successful)
  5. Verified replication of AD objects by adding users/ou's/distribution groups on Primary DC and see them replicate over and vice-versa (successful)
  I waited about an hour just to make sure that everything has replicated over and was in sync and decided to shutdown the primary server (domain controller) to make sure things were functional on the new one and as soon as the old DC was shutdown I wasn't
  able to open any of the AD services like AD Domain and Trusts, AD users and computers or AD Sites and Services. The window opened but my domain wasn't listed and neither of the related objects. What is the issue here? Shouldn't the secondary domain controller
  be a replica of the primary where I can see all the objects and make changes which will sync back once the primary comes up again. I've worked in setups where we had two DC's in one domain and I was able to view the AD objects and services regardless if one
  of the DC was not available, same thing in a setup with 3 DC's. 
  If someone can chime in on this it would be great, I'm not sure if I'm missing but it's weird.
  Regards

  Did you apply the hotfix to the 2012R2 server:
  http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx
  Mike
  NOTICE: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• Active Directory Migration from 2003 to 2012 Process Flow

  We are planning to migrate from Windows Server 2003 AD to Windows server 2012 Server for 6000 Users,
  Can any one suggest  on Following .
  1)What is the Best and Safe Way to do Migration
  2) What are the Precautions should take,
  3) How much downtime it will take,
  4) If migration Failed how we can revert to Earlier
  5) How to do Migration Step by Step
  Current Environment:
  Domain Having  One PDC(server 2003 R2) and 8 ADC(Server 2003 R2) in Different Locations
  PDC having All FSMO Roles and Global Catalog
  Exchange server 2007 was integrated to Active Directory 
  And some Application are integrated to  Active Directory 

  1) I would recommend you first run a test of the steps in test before you do this in production.  Otherwise your production becomes test.
  2) By doing in test, you have taken a large amount of the risk out of the upgrade since, in test you should be able to look for any unforseen issues.  The easiest way to test is to build a virtual fence from production and clone the DC's and member
  servers that you want to test against (This is assuming you are running in a virtual environment).  Ensure that you production environment is error free.
  http://blogs.dirteam.com/blogs/paulbergson/archive/2009/01/26/troubleshooting-active-directory-issues.aspx
  3) There should be no downtime at all, you can just extend the schema and then promote a new 2012 DC (I would recommend R2 if you can).
  4) Before you do the schema extension you should take 2 backups on two different DC's.  Taking two gives you less of a chance of a problem if one of the backups fails.
  5)
  Take a backup
  Extend the schema
  Join the 2012 R2 servers to the domain
  Add the ADDS role to the 2012 R2 member servers
  Promote the 2012 R2 DC's
  Transfer the FSMO roles to the 2012 R2 DC's (Not required but recommended)
  If you want to retire the 2003 DC's, then you will need to make sure that any clients pointing to the 2003 DC's for DNS are pointing to other DC's.
  If you do retire the 2003 then you can think about updating the DFL and FFL of the domain and forest.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.