NSS4000 Can not see Active Directory Users

Similar Messages

• Can not open Active Directory Users and Computers

  Problem Reported:
  Out of the blue this has started happening:
  When I go to "Active Directory Users and Computers" I get this message.
  "MMC cannot open the file C:\WINDOWS\system32\dsa.msc.
  This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.
  Additional information:
  This is a server that has been in use for 2+ years with active directory users that can and do login everyday.
  As far as I know the system has no backup.
  dsa.msc IS located in the system32 folder
  I am using the administrator account.
  OS:
  Microsoft Windows Server 2003 R2
  Standard x64 Edition
  Service Pack 2
  Please help with detail. Thank you.

  Have you tried to uninstall ADUC administrative tool and re-install it again? If no, please give a try. 
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• ARD does not see Active Directory to join Macs

  I just moved to a new company and have been setting up Mac support from the ground up there.
  In my previous school district, I just used a network range to get the computers I was administering, but here, since we have SO MANY network ranges, I decided to try the directory search feature, which I dont remember ARD having.
  Problem is we have no Open Directory here (yet) so the computers are just bought to AD for user login. Is this why I can not see computers populated in the directory search, or is something else wrong here, and I should normally see computers there regardless of the directory type the computer is bound to.
  Worse case I just go searching network ranges by hand, but this would help speed up the proses.

  The MAC information that ARD is going to use when it attempts to query the directory for machines is likely missing from AD.
  Turn on logging for directory services and you can see the request to AD for the machines:
  http://support.apple.com/kb/HT3186
  I had the same situation here at my company between search order of OD and AD. Unfortunately with AD being your only choice you don't have the option of using computer lists as far as I know. What about task server? You'll have to depend on DNS updating properly etc but it'll give you a dynamically updating list as your users move about.

• Server 2008 R2 DNS Server can not open active directory erro 4000

  The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly
  and reload the zone. The event data is the error code. Error 4000
  This just started happening yesterday. Also File service and print server is unable to contact because of this error. I have no lookup zones. When I try and go to the DNS server I get a message The server VETSALDC could be contacted The error was Access
  Denied. Would you like to add it anyway?
  PLEASE HELP

  Hi,
  According to your description, my understanding is that DNS unable to open Active Directory with error 4000.
  This happens when that particular DC/DNS server has lost its Secure channel with itself or PDC. This can also happen in a single DC environment where that DC/DNS server holds all the FSMO roles and is pointing to itself as Primary DNS server.
  You may check AD DS using command line “DCdiag” (run as administrator). besides, you may try to stop and restart AD DS service(detailed steps reference the link:
  http://technet.microsoft.com/en-us/library/cc732714(WS.10).aspx ), make sure that the AD DS is running correctly.
  Then restart the DNS service, detailed steps reference the link:
  http://technet.microsoft.com/en-us/library/cc735673(v=ws.10).aspx .
  If the problem still exits, is there any other DC or DNS on your network? Post the TCP/IP parameters (ipconfig /all) of DC and DNS here.
  Best Regards,           
  Eve Wang     
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Window Active Directory users cannot see home drive when logon to Macs

  This problem just occurred, so that tells me either 10.4.9 has done it or a security update to Windows 2003 Server.
  Looking for any tech saavy network guru to help.
  Windows 2003 Server houses active directory. Users in the past were able to log on to a Macintosh computer and their home drive would appear on the desktop.
  Now 'all of a sudden' any user that logs onto a Macintosh computer with an AD account does not see their home drive on the desktop.
  Has anyone else had this problem? Any suggestions on how to resolve it? I haven't unbound the Mac from AD yet will try that tomorrow.
  JTS

  Fixed this...a corrupted keychain item that contained the users prior used network password was the culprit.
  Once I delted the corrupted keychain, active directory users can log on a Mac and see their home directory on the desktop.
  JTS

• Active directory users and computers wont start on a dc, "the server is not operational"

  In our environment, we have 3 dc's 
  two which run server 2008 (they work perfectly)
  and one never off branch dc that runs server 2008 r2.
  We have been having some problems where we feel the replication isnt up too speed(stuff could take up to 24 hours to replicate) and now when i tried opening active directory users and computers i am met with this error window:
  We have a third party DNS solution.
  How do i troubleshoot this issue?

  dc01 (which replicates perfectly with dc02, and vise versa)
  dcdiag /test:dns
  C:\Users\adminuser>dcdiag /test:dns
  Domain Controller Diagnosis
  Performing initial setup:
  Done gathering initial info.
  Doing initial required tests
  Testing server: Hostingpartner\ourdc01
  Starting test: Connectivity
  ......................... ourDC01 passed test Connectivity
  Doing primary tests
  Testing server: Hostingpartner\ourdc01
  DNS Tests are running and not hung. Please wait a few minutes...
  Running partition tests on : ForestDnsZones
  Running partition tests on : DomainDnsZones
  Running partition tests on : Schema
  Running partition tests on : Configuration
  Running partition tests on : int
  Running enterprise tests on : int.domain.com
  Starting test: DNS
  Test results for domain controllers:
  DC: ourdc01.int.domain.com
  Domain: int.domain.com
  TEST: Delegations (Del)
  Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain domaindnszones.int.domain.com.]
  Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain forestdnszones.int.domain.com.]
  Summary of test results for DNS servers used by the above domain controllers:
  DNS server: xx.xx.xx.32 (ourdc02.int.domain.com.)
  2 test failures on this DNS server
  Delegation is broken for the domain domaindnszones.int.domain.com. on the DNS server xx.xx.xx.32
  Delegation is broken for the domain forestdnszones.int.domain.com. on the DNS server xx.xx.xx.32
  Summary of DNS test results:
  Auth Basc Forw Del Dyn RReg Ext
  Domain: int.domain.com
  ourdc01 PASS PASS PASS FAIL n/a PASS n/a
  ......................... int.domain.com failed test DNS
  dcdiag on dc01(which can replicate with dc02)
  C:\Users\adminuser>dcdiag
  Domain Controller Diagnosis
  Performing initial setup:
  Done gathering initial info.
  Doing initial required tests
  Testing server: hostingpartner\ourdc01
  Starting test: Connectivity
  ......................... OURDC01 passed test Connectivity
  Doing primary tests
  Testing server: hostingpartner\ourdc01
  Starting test: Replications
  [Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
  Win32 Error 8453.
  ......................... OURDC01 failed test Replications
  Starting test: NCSecDesc
  ......................... OURDC01 passed test NCSecDesc
  Starting test: NetLogons
  [OURDC01] User credentials does not have permission to perform this operation.
  The account used for this test must have network logon privileges
  for this machine's domain.
  ......................... OURDC01 failed test NetLogons
  Starting test: Advertising
  ......................... OURDC01 passed test Advertising
  Starting test: KnowsOfRoleHolders
  ......................... OURDC01 passed test KnowsOfRoleHolders
  Starting test: RidManager
  ......................... OURDC01 passed test RidManager
  Starting test: MachineAccount
  ......................... OURDC01 passed test MachineAccount
  Starting test: Services
  ......................... OURDC01 passed test Services
  Starting test: ObjectsReplicated
  ......................... OURDC01 passed test ObjectsReplicated
  Starting test: frssysvol
  ......................... OURDC01 passed test frssysvol
  Starting test: frsevent
  ......................... OURDC01 passed test frsevent
  Starting test: kccevent
  ......................... OURDC01 passed test kccevent
  Starting test: systemlog
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:04:29
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:04:50
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:10:56
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:11:17
  (Event String could not be retrieved)
  ......................... OURDC01 failed test systemlog
  Starting test: VerifyReferences
  ......................... OURDC01 passed test VerifyReferences
  Running partition tests on : ForestDnsZones
  Starting test: CrossRefValidation
  ......................... ForestDnsZones passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... ForestDnsZones passed test CheckSDRefDom
  Running partition tests on : DomainDnsZones
  Starting test: CrossRefValidation
  ......................... DomainDnsZones passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... DomainDnsZones passed test CheckSDRefDom
  Running partition tests on : Schema
  Starting test: CrossRefValidation
  ......................... Schema passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... Schema passed test CheckSDRefDom
  Running partition tests on : Configuration
  Starting test: CrossRefValidation
  ......................... Configuration passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... Configuration passed test CheckSDRefDom
  Running partition tests on : int
  Starting test: CrossRefValidation
  ......................... int passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... int passed test CheckSDRefDom
  Running enterprise tests on : int.domain.com
  Starting test: Intersite
  ......................... int.domain.com passed test Intersite
  Starting test: FsmoCheck
  ......................... int.domain.com passed test FsmoCheck
  The problematic dc03:
  Dcdiag gives the same output as dcdiag /test:dns
  C:\Users\adminuser>dcdiag
  Directory Server Diagnosis
  Performing initial setup:
  Trying to find home server...
  Home Server = OURDC03
  Ldap search capabality attribute search failed on server NTSDC03, return
  value = 81
  We have an infoblox dns server on ip address xxx.y.y.251.
  first error in event logs on dc03:
  error 1863
  This is the replication status for the following directory partition on this directory server.
  Directory partition:
  CN=Configuration,DC=int,DC=domain,DC=com
  This directory server has not received replication information from a number of directory servers within the configured latency interval.
  Latency Interval (Hours):
  24
  Number of directory servers in all sites:
  2
  Number of directory servers in this site:
  2
  The latency interval can be modified with the following registry key.
  Registry Key:
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
  To identify the directory servers by name, use the dcdiag.exe tool.
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
  i have also go several warning 2088, 2093, 2087.
  And errors 1863 pointing to different directory partitions like schema/configuration/domaindnszones/forestdnszones

• Active Directory Users and Computer not displaying column data?

  I am running Windows 8.1 Enterprise with RSAT installed.  My Domain controllers are Server 2008 R2.
  I am having and issue with Active Directory Users and Computers.  Typically I will turn on Advanced Features and then add Columns for Email address and Display Name.  This for example allows me to easily export lists of users and there email
  addresses among other things.
  The issue is that on my Windows 8.1 client, the columns for Email and Display Name are empty.  It simply will not display this information.  It only displays Name, TYpe and Description.
  If I use a Windows 7 client, the information displays correctly.
  Has anyone run into this issue or heard of this problem when using ADUC on Windows 8.1?

  ADUC is an AD tool that is no longer being improved, with Microsoft now focusing on ADAC (Administrative Center). In 8.1, it has improved quite a bit since 7. You can also just try using the
  ActiveDirectory PowerShell Module, which is easy to use and fairly powerful. It can be simple to export lists, and the module for AD is included with RSAT tools.
  Example:
  Import-Module ActiveDirectory
  Get-ADUser -Filter {Manager -eq "John.Smith"} -Properties DisplayName,Mail | Export-Csv dump.csv -NoTypeInformation
  So, recommendation: either use ADAC, or PowerShell -- ADUC is part of the wave of deprecation.

• Final user's can not see the data due to limited authorization.

  We have created a InfoSet with three info Objects, 0Account, 0Costcenter and 0COMP_CODE. 0Costcenter have an attribute retail location  0RT_LOCATIO.
  0RT_LOCATIO is an authorization relevant object. We as consultants can execute the infoset properly, but final user's with limited authorizations can not see the data because of authorization failier
  We hae several options to solve the issue, deleselect the auth. flag in the infoobject; delete the infoobject from the attributes of the cost center or create an authorization object and assign it to the final user's profile. But we don't want to go that way.
  My question is, is there any way to avoid including this attribute in the infoset definition? We are not using it in the query and we don't need it, so if we could delete it from the infoset (in the same way you add or delete infoobjects from an Infocube) without changing the cost center aster data, we will have our problem solved.
  Does anyone how to do this (if possible)?
  Thanks in advance!

  Just do two things to find the authorization check failed for that user.
  1. Execute SU53 output and find out the authoirzation check failed. If yes, please send that to BASIS Team.
  2. Next one, switch on the authorization trace in ST01 and ask that user to see that data. if the user is failed with authorization issue. switch off the trace in ST01 and find out the issue.
  Do this way, if it is not successful you can go for any other alternate way.
  Hope this would help you.

• On my iPhone 5 (since activating with iTunes Match), I CAN NOT see all my music. There are artists that I can not see, nor their songs. BUT I can see them on the iPad3 and on iTunes on my PC.

  I can NOT see all my songs on iPhone5 since activating iTunes Match about a week ago!
  ALL songs are available on my iPad3
  ALL songs are available on my Win7 computer iTunes
  I just did:
  Transfer purchases from iPhone and a Music Sync
  NOTHING. Tunes and artists are still NOT SHOWING on my iPhone5\
  BUYING another copy makes it available on te iPhone, but at double the price
  However, some show as PURCHASED, so I can't get another copy on the iPhone
  There are MAJOR PROBLEMS with iTUNES MATCH!
  This problems is ONLY on the iPhone 5

  It might take a while (30 minutes or more) for the initial sync to finish.
  When it finishes, here's how to see all you desktop bookmarks:
  # Press the "Search" button on your Android phone, or tap in the Firefox address bar.
  # Press the "Bookmarks" button (with a star icon).
  # Tap the "Desktop Bookmarks" folder.

• Not able to open active directory user and computer in windows server 2008r2

  Hi All techies,
  i would like to know one issue which i am facing mostly, i have created 5 virtual machine all with window server2008r2 and one windows 7 on vm-ware now when ever i start my virtual machines everything going rite but when i try to open active directory user/
  computer or domain and trust i get a following error "data from active directory user and computers is not available from dc(null) bcoz unspecified error" even when i chk in events log its give me no help, and after 15-30 min everything works good
  Please let me know the cause of it and really appreciate it .
  Thanks
  Atul

  You need to ensure that
  1. group policy that says "wait for network before logon" is applied to all computers including servers and workstations is applied
  2. DNS record exists for all DCs in DNS
  3. If there are multiple Domain Controllers in Forests, then they point them as secondary DNS server. This way they will be able to resolve IPs if local DNS server service takes time to start.
  As Chris mentioned, you need to start all DCs first, give a time of 5 minutes and then start member servers and workstations for successful logon.
  - Sarvesh Goel - Enterprise Messaging Administrator

• Building a Basic Runbook to disable a Active Directory User who has not logged in for 90 days.

  I am new to Orchestrator.  I am using Orchestrator 2012 R2 on a Hyper-V running Server 2008.  I have been trying to set up a Runbook to sweep AD for user accounts that have not logged in for 90 days and have those accounts automatically disabled
  and moved to another OU.  However, I would be happy just to have the account just be disabled.  If you need any more info or I have posted in the wrong forum, please let me know.  
  Thanks

  Hi,
  there is no SCO Activity to do this.
  Problem with this is, the LastLogedOn Times are not synced between DomainControllers.
  Best will be you take a look at this PowerShell Script
  http://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
  and change it to your needs
  Seidl Michael | http://www.techguy.at |
  twitter.com/techguyat | facebook.com/techguyat

• Can not see TC hard driver using istat pro or activity monitor

  I upgraded the firmware of TC to 7.4.1 yesterday, but I found the transfer speed was too slow and I noticed that I can not see the TC condition using istat pro or activity monitor. So I downgraded the firmware to 7.3.2. Now the transfer speed is fine but I still can not see the TC hard driver in the istat pro or activity monitor.(but I can access files in the TC hard driver normally)
  Can anyone help?

  I couldn't see my TC hard drive in iStat pro until I actually mounted the TC's Airport Disk using the Finder 'Connect to server' dialog. iStat Pro only gives me Used and Free GB for my Airport Disk. My TC is an old 500GB upgraded to 1TB running 7.4.2 firmware.
  As to checking the temperature, I'd be interested too. I have a digital thermometer taped to the top surface of the TC and it is reading 46C with an ambient of 17C. The TC sits on top of a cupboard with clear space around, and I am resting it on a spacer which lifts it 12mm clear of the cupboard to give it the best ventilation. The TC has been doing a long (08:00 - 21:00) Time Machine backup today.
  Sayling

• HT1937 Hi few days ago I bought a second hand iphone 5 white 64 gb, and when I try to activate it I see the following message: "This iPhone can not be activated for service.please contact your carrier or AppleCare"

  Hi few days ago I bought a second hand iphone 5 white 64 gb, and when I try to activate it I see the following message: "This iPhone can not be activated for service.please contact your carrier or AppleCare"

  So then do what it says...contact Apple or your wireless carrier.
  However your phone is probably locked to another carrier and cannot be used on yours.

• Issue with Active Directory User Target Recon

  Hi ,
  I am facing an issue with Active Directory User Target Recon
  My environment is OIM 11g R2 with BP03 patch applied
  AD Connector is activedirectory-11.1.1.5 with bundle patch 14190610 applied
  In my Target there are around 28000 users out of which 14000 have AD account (includes Provisioned,Revoked,Disabled accounts)
  When i am running Active Directory User Target Recon i am not putting any filter cleared the batch start and batch size parameters and ran the recon job .Job ran successfully but it stopped after processing around 3000 users only.
  Retried the job two three times but every time it is stopping after processing some users but not processing all the users.
  Checked the log file oimdiagnostic logs and Connector server logs cannot see any errors in it.
  Checked the user profile of users processed can see AD account provisioned for users
  My query is why this job is not processing allthe users.Please point if i am missing some thing .
  thanks in advance

  Check the connector server load when you are running the recon. Last time I checked the connector, the way it was written is that it loads all the users from AD into the connector server memory and then sends them to OIM. So if the number was huge, then the connector server errored out and did not send data to OIM. We then did recon based on OUs to load/link all the users into OIM. Check the connector server system logs and check for memory usage etc.
  -Bikash

• How to create "folders" in Active Directory Users and Computers?

  Hello Community
      In Windows Server 2008R2 when you go to Active Directory Users and Computer
  you will see icons of folders such as:
      -  Builtin has a folder icon
      - Computers has a folder icon
      - ForeignSecurityPrinicpals has a folder icon
      - Domain Controller as a folder icon
      - Managed Service Accounts has a folder icon
      - Users has a folder icon
      All of the above folders are visually identical.
      If you right click and select “File” –  “New”
   on any of the selections the icon
  will not look like the folder icon they have their own icons which look different
  from the "Folder" icon.
      I would like to create a “Folder” that looks just visually exactly like the ones
  mentioned above, how can I create those types of Folders in Active Directory User
  and Computers?
      Note: I would like to put users in the folders.
      Thank you
      Shabeaut

  Hi,
  you should use OUs (an OU is they type of object (folder) that is available for you to easily create.
  The object type you are asking about is a "container", and there are various reasons why an OU is more flexible (applying GPO, etc).
  Refer: Delegating Administration by Using OU Objects
  http://technet.microsoft.com/en-us/library/cc780779(v=ws.10).aspx   
  and the sub-articles:
  Administration of Default Containers and OUs
  http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx
  Delegating Administration of Account and Resource OUs
  http://technet.microsoft.com/en-us/library/cc784406(v=ws.10).aspx
  Also: http://technet.microsoft.com/en-us/library/cc961764.aspx
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)