ISE / Active Directory: issue to get users group

Similar Messages

• Pre-populate adapter for setting the Active Directory OU for a user

  Hi All
  I created a pre-populate adapter that set the Active Directory OU for a user...
  In the end the status of the resource is still showing "provisioning"..
  It must be "Provsioned"..did I miss something ?
  The logs speak as below :-
  08:01:12,678 INFO [STDOUT] Running Create User
  08:01:12,678 INFO [STDOUT] Before appending Root Context:OU=Human Resources,
  08:01:12,678 INFO [STDOUT] tcUtilLDAPController.java : hierString : OU=Human Resources,dc=mydomain,dc=com
  08:01:13,553 ERROR [ACTIVEDIRECTORYCONTROLLER] Problem creating object: javax.naming.OperationNotSupportedException: [LD
  AP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
  ]; remaining name 'cn=ASYMONDS'
  08:03:18,756 INFO [[xlWebApp]] action: LogonAction: User 'XELSYSADM' logged on in session 8116CBC0FA1481D06A207A1941B9
  E096
  08:22:31,256 ERROR [WEBAPP] Class/Method: ProvisionedResourcesForUserAction/confirmEnableSelection encounter some proble
  ms: No checkbox was checked.

  Just verify the OU value is correctly populated , first try doing the provisioning by manually giving OU and everything .
  Is it successful ?
  Then we can check if something wrong going with pre pop.
  Thanks
  Suren

• Sharepoint 2010 get User Groups from specific site

  Hello,
  I was able to get all User groups from entire site Collection.
  But instead of getting user groups from entire site, I want read user groups only from one specified sub site.
  Please help!
  Thanks

  Assuming you have an SPWeb object named "web", example:
  SPSite site = new SPSite(http://yourdomain/sites/yoursite);
  SPWeb web = site.OpenWeb("mysubsite/subsbusite");
  web.Groups will return a collection of SPGroup objects for the current subsite. If this subsite inherits permissions from a parent site (web.HasUniquePerm = False), the list is the same as the Groups property of the parent site.
  SPWeb.Groups:
  http://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.spweb.groups(v=office.15).aspx
  SPGroup:
  http://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.spgroup(v=office.15).aspx
  You would be better results by posting coding questions in "SharePoint 2010 - Development and Programming" instead of "SharePoint 2010 - General Discussions and Questions".
  Mike Smith TechTrainingNotes.blogspot.com
  Books:
  SharePoint 2007 2010 Customization for the Site Owner,
  SharePoint 2010 Security for the Site Owner

• Cisco ISE 1.3 Active Directory issue

  Hi Folks
  I am having an issue with our Cisco ISE and would love some feedback or a solution. I have to ISE configured to use our Active Directory setup and so far it appears to be functional. I could connect to AD retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the 'Administration >  Identity Management > External Sources page and select our AD instance from the left hand side window the screen locks up and refuses to load.  Any advice?

  hi
  i also had this issue (and one of my collegue also) when using Firefox (version 34 and 35)
  i managed to create the AD server using IE 10 for example, and after it appears correctly with Firefox
  it was before ise1.3patch 1, but i have seen no corrected issue in patch1 release note for this problem
  guillaume

• Cisco ISE Active Directory Add Group

  Hi,
  I came across the Cisco ISE on integrating with Microsoft Active Directory; I would like to check what may be the use case of the add group function (External identity source-->active directory-->group-->add group)? Not too sure if it may be possible to group multiple active directory groups to the created group?
  I have attached a print capture of the "add group" for reference.
  Any suggestion is appreciated.

  I apologize for not following Ravi's post. However you can enter the group if searching for groups fails. It is case and format sensitive so using the method has to be precise....one example is looking in the authenticatiin report for a user under the "other attributes" if there is a group you want to apply as a policy you can copy and paste that group syntax under the add group which you posted.
  Sent from Cisco Technical Support Android App

• Pulling "cn=Users" account data from Active Directory issue

  I'm using the following general syntax:
  ldapsearch -h <active directory server> -p 389 -D "CN=Administrator,CN=Users,dc=ORACLE,dc=COM" -b "DC=ORACLE,DC=COM" -s base objectclass=*
  What I get is only "cn=System" output. Any ideas to get the "cn=Users" data?? I can authenticate users in other ways using the Oracle LDAP tools through the same "active directory server". So it's not a matter of it not existing in the Active Directory Server. Also, there is no password right now for the "Administrator" account; so it's not a matter of including/excluding the "-w" option.
  Any suggestions??
  Thanks.

  I recommend you to post this here:
  Forums Home » Oracle Technology Network (OTN) » Products » Application Server » Oracle Internet Directory
  Identity Manager
  Joel Pérez
  http://otn.oracle.com/experts

• ISE 1.2 & AD & Meraki - Per User Group Policy ?

  I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, each unit will have it's own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to setup ISE for use with Meraki and it is great but it assumes that there will be large groups like Employees, Contractors, etc.. that will be used. This is where I'm being tripped up, also... this is my first swing at a NAC deployment so I have a lot to learn.
  1.Can I setup each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki, Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?
  2. Each unit will have devices that will need MAB because they are not 802.1x compatible. I need to do the same as above with them. I would create a separate SSID for these devices but then use the MAC address to authenticate them but will need to authorize them to go into a specific group policy.
  I know this isn't a typical ISE application but I think that this will work really well in the end, just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!
  Thanks,
  Nathan

  Please find the Meraki_ISE integration doc. in attachment.
  When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.
  In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
  MAC-based access control (no encryption)
  WPA2-Enterprise with 802.1x authentication
  A per-user VLAN tag can be applied in 3 different ways:
  The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
  The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
  On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 

• CCE Web Administration - Active Directory issue when managing agent attributes

  I am experiencing an issue when managing agents (supervisors specifically) in CCE Web Admin.  When attempting to add / remove / modify an Attribute for a supervisor agent we are getting an error that the supervisor must have a valid active directory account.  (Screenshot attached)  The agents that this is affecting are correctly configured in ICM as a supervisor and ICM was able to successfully move their AD account into the 'Config' AD Security Group.  From looking at the logs on the AWS it appears that the Web Admin tool is attempting to lookup their account in AD via UPN by appending their username to the domain name.  
  Log Snippet:  
  exception=com.cisco.ccbu.api.jaxb.error.ApiException: supervisorUserInfo.userName: Could not find user. Check if a domain account exists for [email protected]
  This isn't going to work for some users in our account because we have multiple suffixes in our domain.  (Our domain is a single forest and I'm not aware of a requirement to have a single suffix.)
  I'm curious why it wouldn't use samaccountname which is what I believe ICM Configuration Manager is using.  Has anyone else experienced this issue?

  Lo and behold, my AD sync started working.
  Though I have added the site to my local intranet sites, I'm not very confident whether this was the actual solution. I've performed several actions configuring my farm before I started troubleshooting this issue again, so it might be another action that
  solved this.
  Alemaitre: can you try the following please:
  See if the SharePoint Web Service site is started in IIS.  If not, start it, see if that works.
  Instead of adding the site to your Trusted Sites, try Local Intranet Sites (click Advanced to add sites besides using auto-discovery)
  Turn the Security Level for the zone all the way down.
  Turn off Compression for your site in IIS, do an iisreset, see if that works.
  I've also had to remove a host header from my MySite portal (running on port 8080 here), unlikely for this to be the cause but it's just one of the things I did this morning :-)
  Should I think of anything else, I'll let you know.
  Bonne chance.

• 10.5.5 Active directory problem for mobile users

  I an running 10.5.5 on a MBP 2.4. The computer is attached to Active Directory for authentication. The accounted is setup as a mobile user with automatic home sync. Below is the problem I'm experiencing after 10.5.5.
  Upgrade worked fine, everything went through as expected. When I got home with computer, couldn't login. I did eventually get logged in, computer became extremely unresponsive at intermittent times.
  At work next day, everything worked fine.
  I believe this is a problem with 10.5.5 computers that are bound to AD, when AD is not available (but internet is.) Some type of weird priority locking or timeout setting? It seems to fail immediately if no network is available, but if the internet is available it is like it gets "hung" waiting for a response.
  Anybody else having similar problems?
  Below are the details on the specific tests that brought me to this conclusion.
  1) Boot with work network cable connected - Works fine
  2) Boot with work wifi network enabled - works fine
  3) Boot with public wifi network enabled and work cable - works fine.
  4) Boot with only public wifi - appears "frozen" (turned off after 5 minutes of trying to login)
  5) Boot without network or wifi - works fine using cached mobile account info
  6) Boot with network cable and public wifi, remove network cable after login- works fine for a period becomes periodically frozen. attempts to do anything become queued, when computer starts responding queue emptys out (can see menus / applications switch around to correspond with clicks.)
  7) Change account to Manual sync of mobile account, again boot with network cable and public wifi, remove network cable- no freezing responds normaly.
  All steps repeated after rebinding computer to AD - same results.

  First rule of installing an upgrade, run permissions repair both before & after. Did you do that?
  I'm using a Mac dual bound to AD & OD, works perfectly. I can't speak for the exact setup of your network but I personally would be suspicious of AD. I had a similar issue some time back where my processor would go crazy with the net directory authentication running like crazy. Turned out AD had somehow forgotten my computer. It only happened away from work where my Mac couldn't contact the AD server (not exactly sure why). I'd try the following.
  1. While at work create a local administrative account on your Mac (you should always have a backup account anyway).
  2. Login as local admin account.
  3. open Directory Utility from the Applications/Utilities folder & remove the AD server (you'll need an account that can bind machines to AD).
  4. re-add your Mac to AD.
  This may resolve your issue & shouldn't hurt anything in the least.

• Active Directory Issues 10.7.4 & 10.7.5

  Hi
  I'm having problems with all my 10.7.4 & 10.7.5 mac's. They're losing their connection to AD. When I got to unbind I get the follwing error:
  Unable to access domain controller
  This computer is unable to access the domain controller for an unknown reason. Warning: If you click force unbind you will leave an unused computer account in the directory.
  I then get an option to ok or force unbind. If I force unbind if I force unbind I get the following error:
  An unknown error occurred
  An unknown error occurred
  Helpful, I'm sure you'll agree! If I go in to Console I can see the following to errors:
  02/10/2012 16:01:25.682 Directory Utility: An instance 0x7f8f02b30f30 of class ODCUnbindFromADAction was deallocated while key value observers were still registered with it. Observation info was leaked, and may even become mistakenly attached to some other object. Set a breakpoint on NSKVODeallocateBreak to stop here in the debugger. Here's the current observation info:
  <NSKeyValueObservationInfo 0x7f8f02b56970> (
  <NSKeyValueObservance 0x7f8f02b568c0: Observer: 0x7f8f01cea980, Key path: progressStatus, Options: <New: NO, Old: NO, Prior: NO> Context: 0x0, Property: 0x7f8f02b569a0>
  and...
  02/10/2012 16:03:32.463 Directory Utility: -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007 "The operation couldn’t be completed. (OSStatus error -60007.)" (The authorization was denied since no user interaction was possible. )
  When users are curently logged in they lose access to SSH sessions, and network drives etc... they have had issues with saving work and subsiqently losing it!
  When I go in to opendirectyd.log I see the following:
  2012-10-02 15:37:42.208 BST - opendirectoryd (build 172.17) launched...
  2012-10-02 15:37:42.265 BST - Logging level limit changed to 'error'
  2012-10-02 15:37:42.902 BST - Initialize trigger support
  2012-10-02 15:37:42.904 BST - Registered node with name '/Active Directory' as hidden
  2012-10-02 15:37:42.904 BST - Registered node with name '/Configure' as hidden
  2012-10-02 15:37:42.905 BST - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'
  2012-10-02 15:37:42.905 BST - Registered node with name '/Contacts'
  2012-10-02 15:37:42.906 BST - Registered node with name '/LDAPv3' as hidden
  2012-10-02 15:37:42.939 BST - Registered node with name '/Local' as hidden
  2012-10-02 15:37:42.964 BST - Registered node with name '/NIS' as hidden
  2012-10-02 15:37:42.965 BST - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'
  2012-10-02 15:37:42.965 BST - Registered node with name '/Search'
  2012-10-02 15:37:43.024 BST - Discovered configuration for node name '/Active Directory/NUCA-AD' at path '/Library/Preferences/OpenDirectory/Configurations/Active Directory/NUCA-AD.plist'
  2012-10-02 15:37:43.024 BST - Registered subnode with name '/Active Directory/NUCA-AD'
  2012-10-02 15:37:43.024 BST - Registered placeholder subnode with name '/Active Directory/NUCA-AD/All Domains'
  2012-10-02 15:37:43.040 BST - Discovered configuration for node name '/LDAPv3/nuca-mon1.nuca.ac.uk' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/nuca-mon1.nuca.ac.uk. plist'
  2012-10-02 15:37:43.040 BST - Registered subnode with name '/LDAPv3/nuca-mon1.nuca.ac.uk'
  2012-10-02 15:37:43.108 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'
  2012-10-02 15:37:43.307 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'
  2012-10-02 15:37:44.311 BST - '/Search' has registered, loading additional services
  2012-10-02 15:37:44.311 BST - Initialize augmentation support
  2012-10-02 15:37:44.352 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'
  2012-10-02 15:37:44.423 BST - Successfully registered for Kernel identity service requests
  2012-10-02 15:37:44.482 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'
  2012-10-02 15:37:44.566 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'
  2012-10-02 15:37:45.461 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'
  2012-10-02 15:37:45.463 BST - Registered subnode with name '/Local/Default'
  2012-10-02 15:37:45.556 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
  2012-10-02 15:37:45.600 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClient.bundle'
  2012-10-02 15:37:45.645 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ActiveDirectory.bundle'
  2012-10-02 15:37:45.654 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/Kerberosv5.bundle'
  2012-10-02 15:37:45.858 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/NetLogon.bundle'
  2012-10-02 15:37:45.858 BST - Registered subnode with name '/Active Directory/NUCA-AD/nuca.ac.uk' as hidden
  2012-10-02 15:37:45.859 BST - Unregistered placeholder node with name '/Active Directory/NUCA-AD/All Domains'
  2012-10-02 15:37:45.860 BST - Registered subnode with name '/Active Directory/NUCA-AD/All Domains'
  2012-10-02 15:37:45.861 BST - Registered subnode with name '/Active Directory/NUCA-AD/Global Catalog' as hidden
  2012-10-02 15:37:57.468 BST - failed to retrieve password for credential
  2012-10-02 15:37:59.051 BST - failed to retrieve password for credential
  2012-10-02 15:38:04.052 BST - failed to retrieve password for credential
  2012-10-02 15:38:14.054 BST - failed to retrieve password for credential
  2012-10-02 15:38:29.056 BST - failed to retrieve password for credential
  2012-10-02 15:38:49.076 BST - failed to retrieve password for credential
  2012-10-02 15:39:11.505 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/configure.bundle'
  2012-10-02 15:39:11.900 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/keychain.bundle'
  Interestingly enough, the problem doesn't seem to effect users runing 10.6.8 or my iMac which is running 10.8.2. I've spoken to network manager and he can't see anything strange going on, on the network.
  I've also spoekn to our AD guy and nothing has changed.
  This is now the second time it's happend, I've managed to get everyone working (before it happened again) by deleting the AD plist in /Library/Preferences/OpenDirectory/Configurations/Active\ Directory/ then rebinding via a scipt pushed out via ARD
  If anyone can offer any assitance I'd be most gratful as I'm about to be shot by our users! as it's the start of our new academic year!
  Thanks!
  Paul

  It's been a few weeks now, and (touch wood) it's not happended again on mass. We have had a few individual ones, but nothing major.
  We still don't quite know exactly what happened, but trouble shooting found the following:
  Our time server wasn't working corrctly centrifys ADCheck tool showed it as having a firewall (even though it didn't) our AD guy fixed that problem (sorry not sure exactly what he did)
  We checked the AD kerberos ticket from a machine that lost it's connection to AD, on another mac that worked and found that it couldn't connect as the password was wrong. It seems that by default Active Directory ticket wants to change it's password every 14, and when trying to it's failing so I set it to 0
  We had tried to set the server the AD plugin see's to a specific DC but this wasnt happening due to subnets not being configured in AD sites and Services
  Some of the Mac's did not like being set to GMT in the time zone and the time was an hour out, people where able to login though! So I've now set them to Eurpoe\London and they're now picking up the correct time and even picked up the daylight savings over the weekend.
  Our DNS is still not great but we are in the process of sorting out our subnets and when we do the consolodation we'll also asign reservations for all the mac's in the hope that apeases DDNS
  Thanks Paul

• Active Directory Changes have causes users to loose access to Projects they are set as contributor too.

  Hello,
  We recently had an employee of our helpdesk delete (by accident) and recreate a number of Active Directory user profiles.  The profiles were created exactly like they were before, but now those users are not able to access the projects in TFS that they
  have contributor permissions too.  Some of these users can see a minimal set of objects in the Source Control Explorer, but each item has a (+) plus sign next to it as if the object does not exist in the repository.  The users and windows groups
  that are concerned are still listed inside of TFS's group memberships for each project.  I have confirmed that the sync from AD with TFSJobAgent.exe is completing with out errors as well.
  Is this a SID issue where TFS actually thinks that these are new users, and if so how can I best fix it for those users?
  Doug Dayley

  Hi Doug, 
  Thanks for your reply.
  Ok, let’s check whether TFS Server can identify this user and its groups which this user belonged to. Please execute below command for this one user, then view command result, check if the user name and SID both show correctly in result, and whether this
  user belonged to groups all listed in command result.
  Tfssecurity /imx “domain\username” /collection:URL
  If this user’s all information show correctly in command result. Please try to remove this user from your TFS server, then clean the TFS Cache, re-add this user back to TFS Server, then check if this user can access your team project as expect.
  Clean the Cache for TFS 2013 manually(delete the content of the folder only, not the cache folder itself):
  Clean the Cache folder on Server machine. The folder path is:
  C:\Program Files\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\_tfs_data.  
  After cleaned, on Server machine, click Start and select
  Run… to open the dialog box, then input iisreset.exe and click OK, wait it run completely.
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• ISE : Active Directory integration long usernames sAMAccountname

  Have a customer deploying ISE for wireless authentication using PEAP-MSCHAPv2.  They've encountered an issue where some users with long usernames are failing authentication to ISE.  ISE logs that the user is not found in the user database (Active Directory).
  Upon further review, it appears that ISE is using the sAMAccountname as the username token to authenticate against.
  sAMAccountname is limited to 20 characters. 
  Customer is running a full Windows 2008 domain and users login to the domain using their User Principal Name (no 20 character limit).  Therefore, when the user creates a wireless connection and passes his Windows credentials to PEAP, it fails because the username is too long and ISE does not find user in AD database.
  Is there a way to point ISE to use a different username token instead of sAMAccountname?  or is this a known issue?

  I don't think there is any way to increase the limit of 20 characters. You have to create to user name with 20 characters limit.

• MS Active Directory as LDAP Server - Email & Group variables do not pickup values

  Hello Experts
  We have OBIEE 10.1.3.4.2 using MS Active Directory as LDAP Server. Init Block "Authentication" (4 variables setup - USER, DISPLAYNAME, EMAIL and GROUP) seems to work fine, but when you do a "Test" and supply userid and password , only USER and DISPLAYNAME showup. Email and Group variables are blank.
  Please help .  Thanks  lot in advance.
  Regards.

  Hello Srini
  Just USER and DISPLAYNAME variables get populated and I think they are coming from MSAD. However, the Email and Group membership information from MSAD does not flow back to OBIEE Server.
  Regards

• Active directory issue

  This is the replication status for the following directory partition on this directory server. 
  Directory partition:
  DC=ForestDnsZones,DC=shankarpack,DC=com 
  This directory server has not received replication information from a number of directory servers within the configured latency interval. 
  Latency Interval (Hours): 
  24 
  Number of directory servers in all sites:
  1 
  Number of directory servers in this site:
  1 
  The latency interval can be modified with the following registry key. 
  Registry Key: 
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) 
  To identify the directory servers by name, use the dcdiag.exe tool. 
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

  sir, i means that secondary domain server is down due to system motherboard issue.so guide to me that how remove all setting of the secondary domain from primary domain. (shankarpack.com).
  errors are :
  Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more
  domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 
  Source domain controller: 
   AVS1 
  Failing DNS host name: 
   f0c8f1a9-50fd-4785-8ca4-29b1d824b251._msdcs.shankarpack.com 
  NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 
  Registry Path: 
  HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 
  User Action: 
   1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined
  in MSKB article 216498. 
   2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 
   3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
    dcdiag /test:dns 
   4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 
    dcdiag /test:dns 
   5) For further analysis of DNS error failures see KB 824449: 
     http://support.microsoft.com/?kbid=824449 
  Additional Data 
  Error value: 
   11004 The requested name is valid, but no data of the requested type was found. 
  This is the replication status for the following directory partition on this directory server. 
  Directory partition:
  DC=ForestDnsZones,DC=shankarpack,DC=com 
  This directory server has not received replication information from a number of directory servers within the configured latency interval. 
  Latency Interval (Hours): 
  24 
  Number of directory servers in all sites:
  1 
  Number of directory servers in this site:
  1 
  The latency interval can be modified with the following registry key. 
  Registry Key: 
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) 
  To identify the directory servers by name, use the dcdiag.exe tool. 
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".
  This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are
  preventing validation of this role. 
  Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
  FSMO Role: DC=shankarpack,DC=com 
  User Action: 
  1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
  2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity,
  DNS name resolution, or security authentication that are preventing successful replication. 
  3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server.
  This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 
  The following operations may be impacted: 
  Schema: You will no longer be able to modify the schema for this forest. 
  Domain Naming: You will no longer be able to add or remove domains from this forest. 
  PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts. 
  RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups. 
  Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

• Can i recover my all active directory domain computers and users from IFM and in-cooperate them in new forest ??

  My only Active Directory Server on win server 2008 R2 with one domain controller crashed today. The only backup that i had was IFM media.
  So what i have done till now to recover it is a follow
  I reintalled window server but this time it is winserver 2012. I added AD DS role to it. Promoted it to Domain Controller. (functionality level is 2008 R2)
  On second server i installed win 2008 R2 and trying to add additional domain controller from IFM to recover all of my domain users,computers and GPO's. but i am getting this error
  Could not replicate the directory partition CN=schema, CN= configuration, DC=XXX, DC=com from the remote domain
  the naming context specified for this replication operation is invalid
  i dont know weather my approach is correct or not
  but my simple questions is
  Can i recover my all domain computers and users from IFM and in-cooperate them in new forest ?? if yes how can i do that?? urgent help required.

  yup exactly i created a new domain(in new forest) with same previous name in window server 2012 on SERVER-1. As ifm file that i had was generated from 2008 r2 so on second server i installed window 2008 r2 and tried to add role of additional domain controller
  from ifm file on SERVER-2 using dcpromo /adv . every step went ok but in last step when it starts replicating domain controllers it poup following error
  Could not replicate the directory partition CN=schema, CN= configuration, DC=XYZ, DC=com. .  .
  and roll backs every thing.