Removing an 1 way trust Active Directory Domain from SearchActiveDirectoryDomains
One of our AD domains is being retired. After configuration for both, we need to change to only point to one domain. Is running the following advisable to fix?
stsadm
-o setapppassword
-password ******
stsadm
-o setproperty
-pn peoplepicker-searchadforests
-pv "domain:***.**.*****.**.***,TDC\***********,**********"
-url http://url
iisreset
/noforce
Thank you,
Mark
Hi,
According to your post, my understanding is that you wanted to remove an one way trust Active Directory Domain from SearchActiveDirectoryDomains.
People Picker will only query the forests or domains that you specify in the
peoplepicker-searchadforests property setting.
To specify the forests or domains to be queried together with the credentials, type the following command:
stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv
<Valid list of forests or domains, Login name, Password> -url
<Web application URL>
More information:
Configure People Picker in SharePoint 2013
All you want to know about People Picker in SharePoint ( Functionality | Configuration
| Troubleshooting )
Thanks,
Jason
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Jason Guo
TechNet Community Support
Similar Messages
-
Forest trust unable to find Active Directory Domain Controller
I have two domains with a two-way forest trust. We'll call them ForestA and ForestB. They're on seperate subnets. ForestA's DCs are in one physical location. ForestB's DCs are in two locations, one of which is shared with A.
I'm unable to route traffic directly from the remote DC in ForestB to the subnet ForestA is on, so I created a new DC in ForestA that sits on the subnet ForestB uses (basically, I can't route between subnets via the wireless bridge between locations, but
can within the same location).
I found this: http://www.neomagick.net/zen/2008/11/30/using-dns-to-force-a-domain-trust-through-a-specific-domain-controller-dc/
I followed the instructions to set the new DC in forest A to be the only one the remote DC in forest B was aware of.
Nslookup ForestA.com resolves correctly to this DC, but I'm unable to validate the trust relationship, getting the error:
"Windows cannot find an Active Directory Domain Controller for the ForestA.com domain. Verify that an AD DC is available and then try again."
I'd appreciate any help.In the event viewer, have you found any event id's that corrospond with this error? Have you ensured all ports required are open? Windows firewall is correctly setup? NIC is properly configured?
Statement below taken from: http://technet.microsoft.com/en-us/library/cc961803.aspx
If you receive the following error, ERROR_NO_LOGON_SERVERS while using the Nltest tool to query the secure channel, this is usually indicative of the inability to find a domain controller for that domain. Run nltest /dsgetdc: < DomainName > : to verify
whether you can locate a domain controller. If you are unable to find a domain controller examine DNS registrations and network connectivity.
ADDS Ports:
http://msdn.microsoft.com/en-us/library/dd772723(v=ws.10).aspx -
Active directory domain services stopped after removing routing and remote access role
Hello everyone;;
I am in deep trouble.. I did install routing and remote access and then lost connection to the server remotely. Then I connected a monitor to the server and removed the role... then it asked me to restart the server . After logging back in I found
all my active directory service has gone... I can see red cross on active directory domain services.. Also I am able to ping other pcs but other pcs cannot ping my server..
However when I go into the active directory services, it shows all services are running except file replication service. I have tried to start that service but it give error 1053 error..
My server in between loses LAN connection... I dont know what is going on.. Please help!!!
My server is win 2008 R2 ser pack 1
Only one DC....
Has fixed ip,
no DNS server running..Hi,
The File Replication Service Start Error 1053 error can be caused by damaged Windows system files. Corrupted system files entries can threaten the well-being of your computer. Many events can result in creating system file errors.
Please refer to the articles below to troubleshoot the issue:
File Replication Service Start Error 1053
http://repairerrors.net/file-replication-service-start-error-1053.html
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Regards,
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Have a very recent Lenovo Ideapad Laptop running Windows 8.1. Connected via USB port to HP LaserJet Pro CM1415 frw Color MFP Printer. Was able to print fine nearly 2 weeks ago, but something recently happened - either a new windows or office 2013 update
or perhaps I blew away a certain file by mistake. I can see the printer installed but cannot print to it from anything (Word, Notepad, IE, Firefox etc.). The one thing to note is that usually when I plug or unplug a USB related device, Windows 8.1 recognizes
this and makes a certain chime noise, but with the printer USB cable it never makes that noise - making me think that it never fully recognizes the printer. Also when I select the printer (from within the control panel) and right click for properties (via
admin rights) It never lets me fully connect to it.
I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services, etc. Its really annoying because this printer was working fine nearly 2
weeks ago. Looking for any advice now. Thanks.
-ChrisHi Chris,
à
I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services, etc.
I noticed that you had reinstalled the printer. Just a confirmation, when un-install this printer, please check
if this printer still exist in registry. For more details, please refer to following KB.
Registry entries for printing
If printer entry still exist in registry, please delete that printer entry and re-install this printer again,
then check if this issue still exists. (Please backup registry entries before operating registry. It will help us to avoid unexpected issue.)
àand now see
message Active Directory Domain Services is not available
By the way, would you please let me know where/when get this
Active Directory Domain Services is not available error message? Or provide a screenshot of it?
(Please hide all protected or private information) Please check if all services are running correctly on the computer. Meanwhile, please refer to following article and check if can help you.
Printer
Problem: Active Directory Domain Services is currently unavailable – Why does windows say no printers are installed?
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
does not guarantee the accuracy of this information.
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu -
How to install Small Business Server 2008 in an existing Active Directory domain
It is shown on this page:
http://support.microsoft.com/kb/884453, "How to install Small Business Server 2003 in an existing Active Directory domain".
Is it possible to do this with SBS2008 ?
If "YES", are there any published information about the procedure ?Yes, it is. Thank you very much.
But there is something that confuses me - I want to migrate from Win2003Std to SBS2008. And also, I want to keep the existing Win2003Std as a second DC for a long time.
But it is written in the shown article:
... After the migration is finished, you must remove the Source Server from the network within 21 days. ...
Is this rule mandatory for the scenarios where the Source Server is Std, not SBS ? As I know, I can have more than one DC(Win2003Std/Win2008Std) together with SBS2003. But what about SBS2008 ? -
Hi everyone,
I've been banging my head against this for a while and hope someone can help me.
Running Windows Server 2008 R2 Standard with Service Pack 1.
When I try to add the Active Directory Domain Services role to the server it gets to about 90% complete and then dies.
The ServerManager.log shows the following information, I have run the System Readiness Tool - output below - with no errors found.
At a loss on what to do next. The only other links I've found suggest rebuilding the server which I would really like to avoid...
Help appreciated,
John
ServerManager.log (extract)
==========
name : Active Directory Domain Services
state : Changed
rank : 1
sync tech: CBS
guest[1] : Active Directory Domain Controller
guest[2] : Identity Management for UNIX
ant. : empty
pred. : empty
provider : null
name : Active Directory Domain Controller
state : Changed
rank : 4
sync tech: CBS
ant. : .NET Framework 3.5.1
pred. : Active Directory Domain Services, .NET Framework 3.5.1
provider : Provider
8720: 2012-01-18 10:54:41.853 [Sync] Calling sync provider of Active Directory Domain Controller ...
8720: 2012-01-18 10:54:41.853 [Provider] Sync:: guest: 'Active Directory Domain Controller', guest deleted?: False
8720: 2012-01-18 10:54:41.853 [Provider] Begin installation of 'Active Directory Domain Controller'...
8720: 2012-01-18 10:54:41.853 [Provider] Install: Guest: 'Active Directory Domain Controller', updateElement: 'DirectoryServices-DomainController'
8720: 2012-01-18 10:54:41.853 [Provider] Installation queued for 'Active Directory Domain Controller'.
8720: 2012-01-18 10:54:41.853 [CBS] installing 'DirectoryServices-DomainController ' ...
8720: 2012-01-18 10:54:42.399 [CBS] ...parents that will be auto-installed: 'NetFx3 '
8720: 2012-01-18 10:54:42.399 [CBS] ...default children to turn-off: 'WCF-HTTP-Activation '
8720: 2012-01-18 10:54:42.415 [CBS] ...current state of 'DirectoryServices-DomainController': p: Staged, a: Staged, s: UninstallRequested
8720: 2012-01-18 10:54:42.415 [CBS] ...setting state of 'DirectoryServices-DomainController' to 'InstallRequested'
8720: 2012-01-18 10:54:42.430 [CBS] ...current state of 'NetFx3': p: Installed, a: Installed, s: InstallRequested
8720: 2012-01-18 10:54:42.430 [CBS] ...skipping 'NetFx3' because it is already in the desired state.
8720: 2012-01-18 10:54:42.430 [CBS] ...current state of default child 'WCF-HTTP-Activation': p: Installed, a: Installed, s: InstallRequested
8720: 2012-01-18 10:54:42.430 [CBS] ...skipped child 'WCF-HTTP-Activation' because it is already installed
8720: 2012-01-18 10:54:42.461 [CBS] ...'DirectoryServices-DomainController' : applicability: Applicable
8720: 2012-01-18 10:54:42.461 [CBS] ...'NetFx3' : applicability: Applicable
8720: 2012-01-18 10:54:42.539 [CbsUIHandler] Initiate:
8720: 2012-01-18 10:54:42.539 [InstallationProgressPage] Installing...
8720: 2012-01-18 10:54:42.758 [InstallationProgressPage] Verifying installation...
8720: 2012-01-18 10:54:42.758 [InstallationProgressPage] Installing...
8720: 2012-01-18 10:55:03.740 [CbsUIHandler] Error: -2147021879 :
8720: 2012-01-18 10:55:03.740 [CbsUIHandler] Terminate:
8720: 2012-01-18 10:55:03.787 [InstallationProgressPage] Verifying installation...
8720: 2012-01-18 10:55:03.802 [CBS] ...done installing 'DirectoryServices-DomainController '. Status: -2147021879 (80070bc9)
8720: 2012-01-18 10:55:03.818 [Provider] Skipped configuration of 'Active Directory Domain Controller' because install operation failed.
8720: 2012-01-18 10:55:03.818 [Provider]
[STAT] ---- CBS Session Consolidation -----
[STAT] For
'Active Directory Domain Controller'[STAT] installation(s) took '21.9535541' second(s) total.
[STAT] Configuration(s) took '0.0007754' second(s) total.
[STAT] Total time: '21.9543295' second(s).
8720: 2012-01-18 10:55:03.818 [Provider] Error (Id=0) Sync Result - Success: False, RebootRequired: True, Id: 110
8720: 2012-01-18 10:55:03.818 [Provider] Error (Id=0) Sync Message - OperationKind: Install, MessageType: Error, MessageCode: -2147021879, Message: <null>, AdditionalMessage: The requested operation failed. A system reboot is required to roll back changes made
8720: 2012-01-18 10:55:03.818 [InstallationProgressPage] Sync operation completed
8720: 2012-01-18 10:55:03.818 [InstallationProgressPage] Performing post install/uninstall discovery...
8720: 2012-01-18 10:55:03.833 [Provider] C:\Windows\system32\ServerManager\Cache\CbsUpdateState.bin does not exist.
8720: 2012-01-18 10:55:03.833 [CBS] IsCacheStillGood: False.
8720: 2012-01-18 10:55:04.333 [CBS] >>>GetUpdateInfo--------------------------------------------------
8720: 2012-01-18 10:55:34.784 [CBS] Error (Id=0) Function: 'ReadUpdateInfo()->Update_GetInstallState' failed: 80070bc9 (-2147021879)
8720: 2012-01-18 10:55:34.784 [CBS] <<<GetUpdateInfo--------------------------------------------------
8720: 2012-01-18 10:55:34.815 [DISCOVERY] hr: -2147021879 -> reboot required.
8720: 2012-01-18 10:55:34.831 [InstallationProgressPage] About to load finish page...
8720: 2012-01-18 10:55:34.831 [InstallationFinishPage] Loading finish page
8720: 2012-01-18 10:55:34.831 [InstallationFinishPage] Finish page loaded
CheckSUR.log
=================================
Checking System Update Readiness.
Binary Version 6.1.7601.21645
Package Version 13.0
2012-01-18 10:33
Checking Windows Servicing Packages
Checking Package Manifests and Catalogs
Checking Package Watchlist
Checking Component Watchlist
Checking Packages
Checking Component Store
Summary:
Seconds executed: 220
No errors detectedHi John,
Thanks for posting.
Performed some research and some results say that this problem can be caused by HD Write Caching.
To disable Write Caching:
1. Go to Device Manager.
2.Click the plus sign (+) next to the Disk Drives branch to expand it.
3.Right-click the drive on which you want to enable or disable disk write caching, and then click Properties.
4.Click the Disk Properties tab.
5.Click to select or clear the Write Cache Enabled check box as appropriate.
6.Click OK.
If no luck, Please check if any erros can be found in Event log, Dcpromoui.Log and Dcpromo.log
The following articles maybe helpful to you:
Known Issues for Installing and Removing AD DS
http://technet.microsoft.com/en-us/library/cc754463(v=WS.10).aspx
You cannot install Active Directory Domain Services
http://support.microsoft.com/kb/975142
Thanks
ZHANG -
Findings:
Currently, Windows 2012 R2 AD DS role and RDS With Broker services can only seem to coexist properly in a new domain not an existing domain. Any attempt to add to an existing domain causes internal database user access denied issues and any attempt to
adjust rights and circumvent is dubious at best.
The escalation technician said it best. Out of 50 clients that want to do this, they end up not being able to help 5 right off the bat for whatever reason. As for the other 40 they might be able to help by running reports, adjusting rights and trying to add
the roles until it works. This can end up being a 20 day process. Basically they are playing whack-a-mole with user rights and permissions until something sticks.
We tried creating an OU where any other domain policies would not be inherited to see if that was the issue, a fresh install with different sequence of adding the Roles, no effect.
Given the errors I witnessed when running procmon and then trying to add the roles, the NT System and the Windows Internal database user had access denied issues on 100+ registry keys when trying to add the roles. After that the system is not behaving normally.
The errors displayed almost mirror the errors that would occur on Windows 2012 when those two roles would be added which of course is officially NOT supported on that system.
This blog needs serious revision:
http://blogs.msdn.com/b/rds/archive/2013/07/09/what-s-new-in-remote-desktop-services-for-windows-server-2012-r2.aspx
This is the excerpt from that blog: Single server RDS deployment including Active Directory. We now support running our RD Connection Broker role service on the same physical instance as an Active Directory Domain Controller. In addition, we published
guidelines for how RD Session Host could be used without the RD Connection Broker.
Microsoft Support was curteous and helpful and they were the ones who advised cutting our losses, which mirrored my hunch after seeing what was transpiring in the system. They refunded my money for the support call.
For me, it was an opportunity to find out if there was any way to configure Windows 2012 R2 in the Same manner that it was setup as Windows 2008 R2 and lay that to rest. The coexistence is poorly implemented. It is as if there was a reaction from all the deprecation
of bread and butter features such as shadowing in TS and the coexistence of AD DS and RDS to where those features were re-added haphazardly. (I have no complaints on shadowing on Windows 2012 R2 it works, just do not like having to go to server manager to
use it).
I opted for virtualizing the Domain controller to eliminate the incompatibility issues and that is what I will be doing from now on. I found free solutions for backing up and reporting for virtual machines as well as the suggested procedures for configruing
a Domain controller as a virtual machine on a Hyper-V environment and I will be sticking to those. Thus far the setup has been operational.
I am not allergic to virtualization, but for really small setups it adds additional time and considerations but if that is how it has to be done, so be it. Windows 2008 R2 days are numbered and since we can usually squeeze 5-7 years on quality server equipment,
buying a Windows 2008 R2 setup now is a borderline disservice in my opinion.
Hopefully someone finds this useful and saves some time.Hi,
Thank you for posting in Windows Server Forum.
Do you need any other assistance?
Based on your description, you are describing your story of successfully implementing RDS server with AD role and more regarding all RDS related scenario. For shadowing feature, you can use with command also. Below is the syntax to shadow a session.
mstsc /v:<ServerName> /shadow:<SessionID>
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support -
Cannot Print. "The Active Directory Domain Services is currently unavailable"
Hi there
I cannot print and I have not been able to find the fix via existing forum threads.
System:
Win 7 Ultimate 64 bit German - Profile language is Danish (installed a week ago and completely windows updated)
Office 365 Small Business Premium
HP DV8 Laptop. i7, 512GB SSD, 8GB RAM
HP LaserJet P1006 USB printer.
Problem
No matter if I try to print from IE, Notebook, Word 2013 or anything else, I cannot chose my printer (P1006).
If I try to Add Printer in Word 2013, I get the "The Active Directory Domain Services is currently unavailable" error.
In Devices and Printers, the P1006 is visible, but there is no driver installed.
Trying to install the correct driver:
http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=3435683&prodTypeId=18972&prodSeriesId=3435682&swLang=8&taskId=135&swEnvOID=4063
only creates a general error during installation: "Printer Software Installer has stopped working - A problem has caused the program to stop working correctly. Windows closes the program and will notify you if a solution has been found"
I have tried all the solution software from Windows, from HP (for the laptop and for the printer) - but nothing comes up with any details or suggestions.
What should I try?
Absolutely everything else works perfectly on the system.
Reffered here via http://answers.microsoft.com/en-us/windows/forum/windows_7-hardware/cannot-print-the-active-directory-domain-services/1cf47626-a2cd-4b7a-94b6-10cbc8ab02b0Hi,
I suggest you try the following:
1. Try the steps in the following article:
Troubleshoot printer problems
http://windows.microsoft.com/en-US/windows-vista/Troubleshoot-printer-problems
Fix printing problems by resetting the print spooler
http://support.microsoft.com/kb/2000007
2. Let us try updating the printer driver which might help you in resolving the issue.
Click on the link below for more information on updating the printer drivers.
Find and install printer drivers
http://windows.microsoft.com/en-US/windows-vista/Find-and-install-printer-drivers
3. Remove the printer and add it again:
Go to Control Panel
Select Printers
Right-click on Add Printer
Select Run as Administrator
Now try to add your network printer
Also a thread for your reference:
Error message when attempting to print: Active Directory Domain Service is Currently Unavailable
http://social.technet.microsoft.com/Forums/en-US/winserverprint/thread/d6212275-24d6-4168-830a-9441f861cb76
Hope this helps.
Vincent Wang
TechNet Community Support -
Lion Server 10.7.4 VPN service not using my Active Directory domain for authentication
I have Lion Server 10.7.4 setup on a Mac Mini and I have enabled the VPN service for both L2TP and PPTP. The Mac Mini is joined to my Windows Domain at a functional level of Server 2008 R2. I have set the authentication paths to point to my domain in Directory Utility.
What I would like to have happen is for my laptop to be able to VPN into my office network remotely using domain credentials and not local account credentials on the Mac Mini itself. This is a process I have done numerous times on Windows boxes, but for some reason the only way I can get the VPN to work on this instance of Lion Server 10.7.4 is by authenticating using local accounts only.
Does Lion Server 10.7.4 only authenticate VPN users based on it's local account schema? Or can it truly authenticate against an active directory domain?
Any suggestions or help is greatly appreciated. Thanks,Hi g-pirtle,
Yes, I had already done that a few days ago. I was able to add the desired AD group to the allowed users/groups for the VPN service. Thats exactly what is so weird about this...it allows me to search for and add an AD user or group to the list of allowed users/groups, but then when I actually try to use a domain account to authenticate to the VPN is just gives me the "cannot authenticate" error. Very strange.
I wondered if for some reason Apple is only allowing local accounts to be authenticated against. Sounds crazy, but I cannot for the life of me get this to work. I also wondered if Kerberizing the server would help, but when I go to join a Kerberos realm in Open Directory inside of Server Admin, it just has no realm listed in the drop down menu.
Other than that, all other aspects of the Mac Mini being joined to the AD domain seems to be good. I'm really stumped here...
Thanks again, -
Hello.
We have two domain controllers - node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When administrator connects to node2 and tries to rename some object in AD (for example, user) AD Domain Services crashes and reboot server after 60 seconds.
In Events I can see these messages:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 04.03.2014 12:37:58
Event ID: 1173
Task Category: Internal Processing
Level: Warning
Keywords: Classic
User: domain\admin
Computer: NODE2.domain.example
Description:
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
c0000005
Parameter:
0
Additional Data
Error value:
7ffc7c38e45d
Internal ID:
0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="32768">1173</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>9</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-03-04T06:37:58.116264800Z" />
<EventRecordID>881</EventRecordID>
<Correlation />
<Execution ProcessID="572" ThreadID="2580" />
<Channel>Directory Service</Channel>
<Computer>NODE2.domain.example</Computer>
<Security UserID="S-1-5-21-3794920928-4165619442-305938157-2047" />
</System>
<EventData>
<Data>c0000005</Data>
<Data>7ffc7c38e45d</Data>
<Data>0</Data>
<Data>0</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 04.03.2014 12:37:58
Event ID: 1015
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: NODE2.domain.example
Description:
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
<EventID Qualifiers="49152">1015</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
<EventRecordID>189578</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>NODE2.domain.example</Computer>
<Security />
</System>
<EventData>
<Data>C:\Windows\system32\lsass.exe</Data>
<Data>c0000005</Data>
</EventData>
</Event>
Log Name: Application
Source: Application Error
Date: 04.03.2014 12:37:58
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: NODE2.domain.example
Description:
Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
Exception code: 0xc0000005
Fault offset: 0x000000000019e45d
Faulting process id: 0x23c
Faulting application start time: 0x01cf3773fe973e1b
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\ntdsai.dll
Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
<EventRecordID>189576</EventRecordID>
<Channel>Application</Channel>
<Computer>NODE2.domain.example</Computer>
<Security />
</System>
<EventData>
<Data>lsass.exe</Data>
<Data>6.3.9600.16384</Data>
<Data>5215e25f</Data>
<Data>ntdsai.dll</Data>
<Data>6.3.9600.16421</Data>
<Data>524fcaed</Data>
<Data>c0000005</Data>
<Data>000000000019e45d</Data>
<Data>23c</Data>
<Data>01cf3773fe973e1b</Data>
<Data>C:\Windows\system32\lsass.exe</Data>
<Data>C:\Windows\system32\ntdsai.dll</Data>
<Data>85cfbe32-a367-11e3-80cc-00155d006724</Data>
<Data>
</Data>
<Data>
</Data>
</EventData>
</Event>
In node2 we installed all available updates and hotfixes.Hi Azamat Hackimov,
Regarding to error messages, it seems that the
ntdsai.dll file caused the issue. Based on current situation, please use
sfc /scannow command to scan protected system files and check if find error and repair. Meanwhile, you can also navigate to the location of this DLL file and confirm details.
In addition, Windows Server 2012 R2 has reboot unexpectedly. Please check if you get some dump file and then analysis it. It may help us to find the root reason. Please refer
to the following KB.
How to read the small dump memory dump file that is created by Windows if a crash occurs.
http://support.microsoft.com/kb/315263/en-us
By the way, it is not effective for us to debug the crash dump file here in the forum. If this issues is a state of emergency for you. Please contact Microsoft Customer Service
and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for specific technology request, please refer to the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Hope this helps.
Best regards,
Justin Gu -
Install software on multiple client computers in active directory domain win 2008 R2
We have a Windows Server 2008 R2 Active Directory Domain. We will be getting a few new Windows 7 computers that we will need to install all our proprietary software on, and don't want to have to install all programs, including windows
updates, individually, on each machine individually.
Is there a (as simple as possible) way to maybe create an image from a "master client computer" with all software, windows updates etc. and push out to the clients.
Also to create a boot disc with the image in case a hard drive fails and we have to replace it.
* It's not Windows we want to install here (unless we replace a hard drive) but for now, the clients already have windows 7, and we want to install antivirus, Adobe reader, windows updates, and our proprietary software.
ThanksIs there a (as simple as possible) way to maybe create an image from a "master client computer" with all software, windows updates etc. and push out to the clients.
Windows deployment services http://technet.microsoft.com/en-us/windowsserver/dd448616.aspx for an image
it's not Windows we want to install here (unless we replace a hard drive) but for now, the clients already have windows 7, and we want to install antivirus, Adobe reader, windows updates, and our proprietary software.
https://support.microsoft.com/kb/816102?wa=wsignin1.0 msi deployment via gpo - (can be restrictive) if not a script or psexec
for windows updates use WSUS -
Cisco ISE 1.2 and 2 Active Directory Domains
Hi Support,
does anyone know whether I can perform Certificate Authentication for two different Active Directory domains using the same ISE host / deployment?
We have two forests with a trust link between them.
We have a seperate PKI in each domain.
I am thinking that the ISE can only be joined to a single domain, but because we have a trust between the two forests, the ISE can have two certificate profiles in an identity source sequence which can then use in a single authorisation policy.
I take it that I would need local certs from each CA in the local certificate store of the ISE?
We are performing a company merger and we cannot migrate users to the primary AD domain due to several reasons so we would like to use the same ISE deployment to authenticate Wireless users on both AD domains.
Thanks
MarioMario,
This is possible. Here are the guidelines for the Multi-Forest support in ISE 1.2:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1350874
You would have to set a new Certificate Authentication Profile for each domain and use the Authentication Policies to determine which of the Certificate Authentication Profiles to use.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1349174
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
I have 2 domain controllers running 2003 server, server1 and server2. I ran dcpromo on server1 and removed AD and removed him from the domain and disconnected from network. I then added a 2012 server
with the same name and IP address server1 with no problem. Replication from sites and services work fine on both controllers.
The new 2012 server1 is GC. I transferred all FSMO roles to server1. Again no problem and replicating using sites and services. AD on server1 is populated correctly.
Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the: "The box indicating that this domain controller is the last controller for the domain
is unchecked. However, no other Active Directory domain controllers for that domain can be contacted.
I have DNS installed on both servers and both look good with replicating there. Strange thing is when on the 2012 server within DNS if I right click and connect to another DNS server I can add server2 just fine but from server2 adding server1 it tells me it
is not available.
Help please!Hi,
As there is server 2012 DC (SERVER1) DC is operational in a domain then "This domain controller is the last controller for the domain" should be remain unchecked when you demote SERVER2 DC.
If you are getting error "Active Directory domain controllers for that domain can be contacted" while demoting SERVER2 DC then check the DNS pointing on both as per below article, disable windows firewall on all DC, less possiblities but worth to check if both
are different site then check the ports are open on firewall.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
run “ipconfig /flushdns & ipconfig /registerdns“, restart DNS server and NETLOGON service on each DC and try to demote server2 DC.
If issue reoccurs, post dcdiag /q result.
NOTE: If initial replication was completed between both DC (new 2012 and old DC) then you may remove the server2 DC from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and perform metadata cleanup.
Active Directory Metadata Cleanup
http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
Best regards,
Abhijit Waikar.
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights. -
Can OS X 10.9 Authenticate An Active Directory User From A Different Trusted Forest
I am able to authenticate with an AD account from a different trusted domain in the same forest as the domain the client is bound to on OS X 10.9. An AD account from a trusted domain in a separate forest cannot authenticate on the same client. The same AD account from the same external trusted domain in the same external forest can authenticate to a Windows 7 client bound to the same domain as the Mac client. It seems that OS X is incapable of cross forest authentication. It seems as though the directory services search path only includes the forest of the domain the client is bound to. Windows clients seem to be able to handle the referral process to a different forest, but a Mac client does not. Am I correct in this assumption? Has anyone accomplished cross forest authentication on an OS X client? If so, how? If not, what is the reason this can't be done?
Well, I’ve made some encouraging progress.
I’ve managed to log on!
I deleted /var/db/.AppleSetupDone while booted into the recovery volume. I then created a new local admin user and, after a much longer than usual delay, got through the account creation stuff and arrived at last in the Finder, which was sluggish as heck.
Checked user accounts, and according to system prefs they’re all there. Fired up Activity monitor and found that opendirectoryd was consuming 365%-405% CPU.
I unbound the system from our Active Directory domain, not really expecting it to work but it did. cpu load dropped to nothing.
I rebooted, was able to log in as the original local admin user (woohoo! Progress!)
Re-bound it to AD and boom CPU shot right back up.
I unbound it again and am currently backing up the drive with CCC (conversation with professor yesterday “Time Machine? What’s Time Machine?”)
If CCC dies, I’ll run DW on the original, but I’m now pretty sure my issue is a borked opendirectory database.
Plan going forward:
I’ll nuke&pave the iMac, restore the apps, but NOT users and computer settings from the CCC during the re-install, create a new local admin, re-bind to AD see what happens.
If it doesn’t go nutz again, I’ll have him log on so it creates the local directory, copy over his original user directory from the backup drive, make it his actual home on the disk again and in theory he should be ok.
It’s amazing how often just laying my problem out in public makes my brain think of new things to try :-)
I don't know if this is directly applicable to an OpenDirectory-bound system rather than Active Directory, but it might work for you. -
Working with XServe in Active Directory Domain
I'm starting to lose my mind. Is anyone else working with an XServe in a strictly Active Directory domain? Im essentially using it as an FTP and SMB file server. All sorts of weird stuff happens out of the blue like, all of a sudden today I can no longer log in to the Local Admin account no matter what I do (I've reset the password, tried logging in automatically). Root account no longer lets me in...the only way I can get in is to log in as a Domain admin YET, if I log into the server through Workgroup Manager or Server Admin with the credentials for Local Admin, I get in just fine. What gives? It feels like there's major permissions screwiness going on...
And earlier, file sharing permissions just weren't working no matter what permissions I gave to who. It is driving me nuts.
Anyway, if anyone has ANY wisdom to impart re: using XServe to manage files, FTP, etc... in Active Directory I would love to hear it: tips, stories, experiences, resources, how to's etc...
ThanksThis area is more for the XServe hardware, you need to post in the Mac OS X Server software section, as the OS can run on more than just hardware, hence the software category.
Maybe you are looking for
-
Java Web Start Version 1.0 doesn't found installed JRE
I would like to try some demos from http://java.sun.com/products/javawebstart/demos.html After I clicked on image receive next page with message "In order to launch the requested application, you will need to download Java Web Start Version 1.0 - Thi
-
Creating Change Document for Custom Field in Table PROJ
Hi, We have a few Custom Fields in Table PROJ. What needs to be done so that every time a particular custom field is changed, change document in table CDHDR and CDPOS are created. Regards, Tarun Bahal
-
Hi Does anyone has a vbscript to create AD OU structure from text file. Regards Sushain KApoor
-
How can i open photoshop in creative cloud
how can i open photoshop in creative cloud
-
please tell how to set different pictures for different client in the same system