Re: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
Nothing specific, but I think you can say that the Exchange-enhanced ADUC is trying to do something it doesn't need to do. You have a better answer which is to give the user a different tool. Trying to remember if the Outlook tools allow you to manage the groups (I believe they will if you have the rights and you use a GC from the same domain that Exchange is in.) ADUC for what they want to do is a bit heavy, and it looks like you have an unnecessary process going on in the background. You may also want to check that the Exchange bits are the latest available.

Al

On 5/22/06, David Cliffe [EMAIL PROTECTED] wrote:

Hi,

In an environment running Exchange 2003 SP1 under Windows 2003 SP1... I've delegated WP (write property) on the member attribute of a mail-enabled distribution list to a specific user. That user is now able to modify the members of the group via ADUC (the change does get applied), but a dialog pops up on the screen which reads as follows:

Window Title = Microsoft Active Directory - Exchange Extension
Window Text = Access denied.
Facility: LDAP Provider
ID no: 80070005
Microsoft Active Directory - Exchange Extension

In addition, the DC where this change is made logs the following event in the security log:

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 5/19/2006
Time: 4:48:52 PM
User: DOMAIN\End.User
Computer: DomainController
Description:
Object Operation:
 Object Server: DS
 Operation Type: Object Access
 Object Type: group
 Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
 Handle ID: -
 Primary User Name: DomainController$
 Primary Domain: DOMAIN
 Primary Logon ID: (0x0,0x3E7)
 Client User Name: End.User
 Client Domain: DOMAIN
 Client Logon ID: (0x0,0x7C51DB79)
 Accesses: Write Property
 Properties:
 ---
 Public Information
 proxyAddresses
 group
 Additional Info:
 Additional Info2:
 Access Mask: 0x20

Would anyone know why this operation is trying to modify the proxyAddresses attribute in the Public Information property set? I was hoping to not have to grant WP on any other attributes for this task. If I use the delegated account to modify the member attribute of this group object using a tool other than ADUC, it is successful without generating any error messages.

I first posted this on the Exchange list at Yahoo and received a good suggestion to check the backlink [memberOf attribute] of the user object being modified to make sure that it listed this group after a test modification. It does. So again, seems everything works but still get the popup.

Thanks for your time,
DaveC

To find out more about Reuters visit www.about.reuters.com
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
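The 566 failure audit David quotes records a Write Property attempt on proxyAddresses (Public Information set, access mask 0x20) by an account that was only delegated WP on member. As an added example, not code from the thread, the Python below parses that audit text (re-embedded in abridged form), decodes the access mask and checks the written attribute against a constructed delegation table, so the extra write the Exchange extension attempts surfaces as a finding rather than only as a popup.

```python
"""Triage helper for Directory Service Access failure audits (Event ID 566).

Added example, not code from the thread.  It parses the audit text quoted in
the post, decodes the Access Mask and reports any attribute written without a
matching grant.  DELEGATED is a constructed table mirroring the post: End.User
holds Write Property on `member` of the DL and nothing else.
"""
import re

# ADS_RIGHTS_ENUM bits as they appear in the Access Mask of DS object audits.
DS_RIGHTS = {
    0x001: "CREATE_CHILD",
    0x002: "DELETE_CHILD",
    0x004: "LIST_CONTENTS",
    0x008: "SELF",
    0x010: "READ_PROP",
    0x020: "WRITE_PROP",
    0x040: "DELETE_TREE",
    0x080: "LIST_OBJECT",
    0x100: "CONTROL_ACCESS",
}

# Constructed delegation model: object DN -> client user -> attribute -> rights.
DELEGATED = {
    "CN=DistributionList,OU=Exchange,DC=company,DC=com": {
        "End.User": {"member": {"WRITE_PROP"}},
    },
}

# "Key: value" audit lines; the key is everything before the first colon.
FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+?):\s*(.*)$")

# Abridged copy of the failure audit quoted in the post (Windows 2003, ID 566).
SAMPLE_566 = """
Event Type: Failure Audit
Event ID: 566
User: DOMAIN\\End.User
Object Operation:
Object Type: group
Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
Client User Name: End.User
Client Domain: DOMAIN
Accesses: Write Property
Properties:
---
Public Information
proxyAddresses
group
Additional Info:
Additional Info2:
Access Mask: 0x20
"""


def decode_mask(mask):
    """Return the names of the DS rights set in an Access Mask value."""
    return {name for bit, name in DS_RIGHTS.items() if mask & bit}


def parse_event_566(text):
    """Parse a 566 audit description into a dict.

    The 'Properties:' block is positional: a '---' separator, then the
    property set, the attribute(s) touched, and finally the object class.
    """
    ev, props, in_props = {}, [], False
    for ln in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if in_props and not ln.startswith("Additional Info"):
            if ln != "---":
                props.append(ln)
            continue
        in_props = False
        m = FIELD_RE.match(ln)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Properties":
            in_props = True
        elif key == "Access Mask":
            ev["access_mask"] = int(val, 16)
        else:
            ev[key] = val
    ev["property_set"] = props[0] if props else None
    ev["object_class"] = props[-1] if len(props) > 1 else None
    ev["attributes"] = props[1:-1]
    return ev


def check_delegation(ev, delegated=DELEGATED):
    """Return (attribute, property_set, missing_rights) for each attribute the
    client wrote without a matching grant in the delegation table."""
    rights = decode_mask(ev.get("access_mask", 0))
    grants = delegated.get(ev.get("Object Name"), {}).get(ev.get("Client User Name"), {})
    findings = []
    for attr in ev["attributes"]:
        missing = rights - grants.get(attr, set())
        if missing:
            findings.append((attr, ev["property_set"], sorted(missing)))
    return findings
```

Run over a DC's exported security log, a finding on an attribute other than member is the signal that a tool is asking for more than the delegation grants, which is exactly what the ADUC Exchange extension does here.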
RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
Outlook does indeed let you manage groups if, in ADUC, you tick the check box "Manager can update membership list" and you define a manager of the list (on the "Managed By" tab).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 22, 2006 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
The Exchange GUIs (and many MSFT GUIs) are traditionally bad with this kind of stuff. The GUIs will surprisingly often require more permissions than you really need to do things because they aren't necessarily doing the work correctly. On the flip side MSFT likes to try and enforce security in the GUIs at times too, like for instance Exchange and mailbox enabling users (in order to mailbox enable a user in ADUC with the ESM addon you need Exchange View; in reality, you don't need Exchange View) or like in the old User Manager which wouldn't let non admins see the administrator group membership but every other tool did.

When you delegate, you usually want to step away from using ADUC and ESM because you will end up giving out more rights than necessary just to make the GUI work "normal".

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Monday, May 22, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
Most likely I'll use that "Manager can update" attribute and have him do this via Outlook. The end user previously had ADUC for this when permissions were also 'a bit heavy' (!), so I didn't even have that in mind at first, and then of course I got curious about the errors...

Thanks for your comments guys!

-DaveC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Monday, May 22, 2006 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
Thanks. I suspected this when both DSMOD and ADMOD modified the object without error during testing. We'd rather go with the principle of least privilege!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 22, 2006 2:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
RE: [ActiveDir] Error sending Forwards or resend!
Milton,

It appears that your organization has a distribution list that the below users are a part of and, as a result, the person who is trying to send to those addresses does not have permissions to send to them and is not part of the allowed group. Check to see what group membership they have and try to match that with the group membership of the one who is trying to send to them.

-Shariff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milton Sancho
Sent: Friday, May 12, 2006 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error sending Forwards or resend!

I have a user who is receiving this error when she tries to send a FORWARD or RESEND. I do not know what is going on if the user has rights on her mailbox. Besides, she has an additional mailbox assigned. Below is the message she got! Thanks for any comment.

Your message did not reach some or all of the intended recipients.

Subject: WC BRACKETS
Sent: 5/11/2006 5:31 PM

The following recipient(s) could not be reached:

Edward Pattson on 5/11/2006 5:31 PM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
MSEXCH:MSExchangeIS:/DC=plc/DC=mun:rd-1211-EX2

[EMAIL PROTECTED] on 5/11/2006 5:31 PM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
MSEXCH:MSExchangeIS:/DC=plc/DC=corp:rd-1211-EX2

[EMAIL PROTECTED] on 5/11/2006 5:31 PM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
MSEXCH:MSExchangeIS:/DC=plc/DC=mun:rd-1211-EX2
RE: [ActiveDir] Error while adding user to AD
Thanks Steve. I expect the newer Directory Services piece will do it since it goes straight to LDAP and bypasses the ADSI middleman, not sure on the one that stops and has coffee with ADSI though.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, June 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error while adding user to AD
RE: [ActiveDir] Error while adding user to AD
Hi Steve,

Been awhile. That last post did come across weird. :o)

I should have been clear on the DSID and it changing with binaries if there are line numbering changes in the code, I didn't think to mention it. Thanks for clarifying. For the most part, the DSIDs aren't extremely useful unless you have source access. It generally isn't worth recording DSIDs and mapping them to problems unless you are also including in that map OS info, at the least version and SP level, but hotfixes can throw you off as well depending on what got touched.

Also thanks for the pointer on decoding that first part of the extended error. I have always wondered what that was but never made the connection to winerror. Now I need to update my code that dumps the extended error info in LDAP calls to actually decode that message as well. It would be useful.

Can ADSI be forced to do this op correctly (i.e. in the correct order)? I can't recall having seen an example of it. The examples I am aware of are all several steps - set basic attribs and setinfo(), set password, set uac and setinfo(). I can create an account with LDAP API and give it a password and have it enabled out of the gate [1] but since I haven't seen ADSI do it I generally just tell people to do it in a multistep operation as I have no clue why ADSI didn't do it and would rather avoid that question, much easier. Too many people using ADSI and also many people don't know if the tools they are using use ADSI or something else and I would rather avoid all of it. If ADSI *can* do it in a single step then I can stop telling people to do multistep ops which in my opinion is much cleaner and faster.

Thanks
joe

[1] In admod you can add a new user to a K3 domain with password hot and ready to go like this (one line)

  admod -b cn=testuser,cn=users,dc=domain,dc=com -add -kerbenc objectclass::user samaccountname::testuser useraccountcontrol::512 unicodepwd::testpassword pwdlastset::-1

This won't work in a 2K domain because admod doesn't support SSL yet. It works for K3 (all) because you don't need SSL and because I change the order of how the attributes are submitted to the server. The UAC attribute will always follow the unicodepwd attribute though it was pure dumb luck versus knowing there was an ordering issue. Had I run into the ordering issue I would have been pretty confused I expect.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, June 29, 2005 1:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error while adding user to AD

Resending due to a formatting error on my part, sorry for the duplicate post but it is much easier to read with the lines wrapped.

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, June 28, 2005 11:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error while adding user to AD

Just to add a few more things to the thread.

If this is Windows Server 2003 RTM then you may be hitting a known issue if your provisioning tool uses LDAP to create the accounts and the attributes are not in a specific order. Due to a change made in Windows 2003, if you created a user using LDAP and the unicodepwd attribute was not specified before the useraccountcontrol attribute in your LDAP Modification request and the useraccountcontrol was not setting the account disabled then we would return the error that the password did not meet complexity requirements even if the password did meet the requirements. Since LDAP operations are supposed to be atomic this behavior was incorrect and a fix was created. This fix is in Windows Server 2003 SP1 so if you are running into this particular scenario on Windows Server 2003 RTM and can not go to SP1 then you can call Microsoft and request the hotfix for KB 891299 (note this KB is currently not public).

I also wanted to point out that the DSID number will not normally be that helpful to those outside of Microsoft and that the DSID can have different values across different versions of the binary even if it is referring to the same error. What can be helpful however is the first part of the error after the Server_Info tag because it is an error/status message. In this case using the handy err.exe tool that is available on the download.microsoft.com site you will find that the error you received is:

  C:\tools>err 052D
  # for hex 0x52d / decimal 1325 :
    ERROR_PASSWORD_RESTRICTION                                   winerror.h
  # Unable to update the password. The value provided for the
  # new password does not meet the length, complexity, or
  # history requirement of the domain.
  # 1 matches found for "052D"

So now that you have read all of this you are saying prove it to me so here are the repro steps that will produce the above error on Windows Server 2003 RTM (note Windows 2000 server was not affected) and of course
RE: [ActiveDir] Error while adding user to AD
Joe,

From the ADSI perspective I have never actually looked into it but I would imagine there is a way to do it since it eventually boils down to an LDAP call. If I get a chance I will see if I can find a sample in ADSI or DirectoryServices.NET.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 29, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error while adding user to AD
RE: [ActiveDir] Error while adding user to AD
Resending due to a formatting error on my part, sorry for the duplicate post but it is much easier to read with the lines wrapped. J -Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Tuesday, June 28, 2005 11:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Error while adding user to AD

Just to add a few more things to the thread. If this is Windows Server 2003 RTM then you may be hitting a known issue if your provisioning tool uses LDAP to create the accounts and the attributes are not in a specific order. Due to a change made in Windows 2003, if you created a user using LDAP and the unicodepwd attribute was not specified before the useraccountcontrol attribute in your LDAP Modification request and the useraccountcontrol was not setting the account disabled, then we would return the error that the password did not meet complexity requirements even if the password did meet the requirements. Since LDAP operations are supposed to be atomic this behavior was incorrect and a fix was created. This fix is in Windows Server 2003 SP1 so if you are running into this particular scenario on Windows Server 2003 RTM and cannot go to SP1 then you can call Microsoft and request the hotfix for KB 891299 (note this KB is currently not public).

I also wanted to point out that the DSID number will not normally be that helpful to those outside of Microsoft and that the DSID can have different values across different versions of the binary even if it is referring to the same error. What can be helpful however is the first part of the error after the Server_Info tag because it is an error/status message. In this case using the handy err.exe tool that is available on the download.microsoft.com site you will find that the error you received is:

C:\tools>err 052D
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for 052D

So now that you have read all of this you are saying prove it to me so here are the repro steps that will produce the above error on Windows Server 2003 RTM (note Windows 2000 server was not affected) and of course if you run it against Windows Server 2003 SP1 it will be successful:

1) Ensure you have a password policy enabled requiring complexity and minimum characters.
2) Fire up LDP and connect via SSL to the DC of your choice.
3) Perform a simple bind and then select the User OU of your choice.
4) Right click and select Add child, modifying the DN to be the new user you want to create.
5) Enter the following attributes in this order:
   objectclass: top;user;person;organizationalperson
   samaccountname: yourchoice
   useraccountcontrol: 512
   unicodepwd: \UNI:"yourpassword"
6) Select RUN and you will get the error above on a Windows Server 2003 machine.

If you set the useraccountcontrol attribute after the unicodepwd attribute, assuming the password meets the complexity requirements, then it will succeed without throwing an error. Also note that the quotes are needed when specifying the password when using the \UNI: switch which tells LDP to pass the password in Unicode. One provisioning tool that was affected by this issue was HP Openview Select Identity. Thanks, -Steve
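The single-step create that joe's admod footnote and Steve's LDP repro describe, together with the decoding of the Server_Info string from Mayuresh's original report, as an added Python example. This is not code from the thread, from admod or from LDP: the function names are mine, the sAMAccountName testuser, the password and the DN are constructed for illustration (the DN is the one in joe's footnote), the WINERROR table is a hand-picked subset of winerror.h, and nothing here talks to a DC. It builds the add request as an ordered attribute list that any order-preserving LDAP client (ldap3, a raw BER encoder) can send, flags the RTM-failing order Steve describes, and pulls the Win32 code and DSID out of the extended error the way err.exe would.

```python
import re

# userAccountControl bits relevant to account creation (AD schema values).
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200  # decimal 512, the value used throughout the thread

# Hand-picked subset of winerror.h codes that turn up in DS extended errors.
# 0x52D is the one the thread decodes with err.exe; the rest are for convenience.
WINERROR = {
    0x005: "ERROR_ACCESS_DENIED",
    0x056: "ERROR_INVALID_PASSWORD",
    0x52D: "ERROR_PASSWORD_RESTRICTION",
    0x52E: "ERROR_LOGON_FAILURE",
    0x52F: "ERROR_ACCOUNT_RESTRICTION",
}


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd must be the password wrapped in double quotes and encoded as
    UTF-16LE without a BOM; this is what LDP's \\UNI:"..." switch does for you."""
    return f'"{password}"'.encode("utf-16-le")


def single_step_add(dn: str, sam: str, password: str, enabled: bool = True) -> dict:
    """Build one LDAP add request that sets the password and enables the account.

    unicodePwd is deliberately listed before userAccountControl: on Windows
    Server 2003 RTM the reverse order, combined with an enabled UAC, was
    rejected with 0x52D even for a compliant password (fixed in SP1 / KB 891299
    according to the thread). The request also has to travel over LDAPS or a
    Kerberos-sealed connection, otherwise the DC refuses to set unicodePwd.
    """
    uac = UF_NORMAL_ACCOUNT | (0 if enabled else UF_ACCOUNTDISABLE)
    return {
        "dn": dn,
        "attributes": [
            ("objectClass", [b"top", b"person", b"organizationalPerson", b"user"]),
            ("sAMAccountName", [sam.encode()]),
            ("unicodePwd", [encode_unicode_pwd(password)]),
            ("userAccountControl", [str(uac).encode()]),
            ("pwdLastSet", [b"-1"]),  # -1: password is current; 0 would force a change at next logon
        ],
    }


def triggers_rtm_ordering_bug(attributes) -> bool:
    """True when an attribute list has the shape of Steve's failing LDP repro:
    a userAccountControl that does not set ACCOUNTDISABLE, sent before unicodePwd."""
    names = [name.lower() for name, _ in attributes]
    if "unicodepwd" not in names or "useraccountcontrol" not in names:
        return False
    uac_idx = names.index("useraccountcontrol")
    uac = int(attributes[uac_idx][1][0])
    return (uac_idx < names.index("unicodepwd")) and not (uac & UF_ACCOUNTDISABLE)


_SERVER_INFO = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{1,8}):\s*(?P<kind>\w+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*problem\s+(?P<problem>\d+)\s*\((?P<name>\w+)\),\s*data\s+(?P<data>\d+)"
)


def parse_server_info(text: str) -> dict:
    """Decode a DS extended-error string such as
    Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0
    The leading hex field is a Win32 error code (what err.exe looks up); the
    DSID is a Microsoft-internal source location that moves between builds."""
    m = _SERVER_INFO.search(text)
    if m is None:
        raise ValueError(f"not a DS extended error: {text!r}")
    code = int(m["win32"], 16)
    return {
        "win32": code,
        "win32_name": WINERROR.get(code, "UNKNOWN"),
        "dsid": m["dsid"].upper(),
        "problem": int(m["problem"]),
        "problem_name": m["name"],
        "data": int(m["data"]),
    }


if __name__ == "__main__":
    req = single_step_add("cn=testuser,cn=users,dc=domain,dc=com", "testuser", "P@ssw0rd!")
    print([name for name, _ in req["attributes"]], triggers_rtm_ordering_bug(req["attributes"]))
    print(parse_server_info("Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0"))
```

Two things are worth keeping from this when writing a provisioning connector: run the attribute list through a check like triggers_rtm_ordering_bug before sending it, and log the decoded Win32 name rather than the DSID, which is the part of the string that actually tells you what the DC objected to.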
RE: [ActiveDir] Error while adding user to AD
This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements. -gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar Sent: Mon 6/27/2005 4:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Error while adding user to AD

Hi, I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0

Can you guide me as to how can I detect and eliminate the cause of it please. Thanks, Mayuresh

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Error while adding user to AD
Active Directory password policy was set as follows:

Policy                                        Setting
Enforce password history                      0 passwords remembered
Maximum password age                          999 days
Minimum password age                          0 days
Minimum password length                       8 characters
Password must meet complexity requirements    Disabled
Store passwords using reversible encryption   Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers of how this happened? Regards, Mayuresh
RE: [ActiveDir] Error while adding user to AD
That DSID can pop up when an account is improperly created. I.E. Someone is trying to set the account enabled in the actual creation of the account when there is password length policy. If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.
Re: [ActiveDir] Error while adding user to AD
Thanks a lot Joe. I'll try this out. One more query. After I've changed my password policy, the changes don't seem to be reflected immediately. How can I force it?
Re: [ActiveDir] Error while adding user to AD
I set the Domain Security policy to be a password length policy. I set the minimum length to be 8. Still I am able to provision using a different server. Am I missing something?
RE: [ActiveDir] Error while adding user to AD
After you set the policy, you have to wait for the policy to be replicated to all DCs in the domain and applied before you get convergence on the new policy rules. Depending on the environment this can take varying amounts of time. If you have only a couple of K3 DCs in a single site and great FRS/AD replication you can set it and then wait a minute and then do a gpupdate /force to force the update of the policy.
RE: [ActiveDir] Error while adding user to AD
I expect the policy hasn't completely applied yet. Can you control the process used by the metadirectory software for object creation? If so, have it create the object in the way specified below. The alternative is to create it with the useraccountcontrol flagged to allow the account to not have a password. Then after the initial object create set a password and change useraccountcontrol to 512. I highly recommend creating it disabled and then setting the password and then setting the useraccountcontrol to 512 though. It is more obvious if something gets dropped and not handled properly. joe
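The three-step sequence joe recommends here and in his earlier reply (create the account disabled, set the password, then enable it), and the alternative he mentions of creating it with the no-password flag set, rendered as LDIF change records by an added Python example. This is not code from the thread or from any provisioning product; the DN, account name and password are constructed and the function names are mine. The records are intended for ldifde -i over LDAPS (-t 636), since a DC only accepts unicodePwd on an encrypted connection. The final_uac_is_safe check is the caveat a reviewer would want on the alternative path: PASSWD_NOTREQD (0x20) lets an account keep an empty password, so the last write must clear it.

```python
import base64

# userAccountControl bits (AD schema values).
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200  # 512


def _pwd_b64(password: str) -> str:
    # unicodePwd is binary (UTF-16LE of the double-quoted password), so the
    # LDIF line has to use the '::' base64 form.
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def _record(dn: str, lines) -> str:
    return "\n".join([f"dn: {dn}", *lines]) + "\n"


def multistep_ldif(dn: str, sam: str, password: str, via_passwd_notreqd: bool = False) -> str:
    """Three LDIF change records: create, set password, finalize UAC.

    Default (joe's recommendation): create disabled (512|2 = 514), then set
    unicodePwd, then enable (512). With via_passwd_notreqd=True, the variant he
    mentions as an alternative: create enabled with PASSWD_NOTREQD (512|32 = 544),
    set the password, then write 512 so the flag permitting a blank password is
    cleared again. In both plans the password and an enabled, password-required
    UAC are never in the same request, so the 2003 RTM ordering bug cannot bite.
    """
    initial_uac = UF_NORMAL_ACCOUNT | (UF_PASSWD_NOTREQD if via_passwd_notreqd else UF_ACCOUNTDISABLE)
    create = _record(dn, [
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: user",
        f"sAMAccountName: {sam}",
        f"userAccountControl: {initial_uac}",
    ])
    set_pwd = _record(dn, [
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {_pwd_b64(password)}",
        "-",
    ])
    finalize = _record(dn, [
        "changetype: modify",
        "replace: userAccountControl",
        f"userAccountControl: {UF_NORMAL_ACCOUNT}",
        "-",
    ])
    return "\n".join([create, set_pwd, finalize])


def final_uac_is_safe(ldif_text: str) -> bool:
    """Audit check for a generated sequence: the last userAccountControl written
    must leave the account enabled and must not leave PASSWD_NOTREQD set."""
    values = [int(line.split(":", 1)[1]) for line in ldif_text.splitlines()
              if line.startswith("userAccountControl:")]
    if not values:
        return False
    last = values[-1]
    return not (last & UF_ACCOUNTDISABLE) and not (last & UF_PASSWD_NOTREQD)


if __name__ == "__main__":
    # Constructed sample input; the DN matches joe's admod footnote.
    text = multistep_ldif("cn=testuser,cn=users,dc=domain,dc=com", "testuser", "P@ssw0rd!")
    print(text)
    print("final UAC safe:", final_uac_is_safe(text))
```

Because each record is a separate LDAP operation, a failure on the password step leaves a disabled account behind rather than an enabled one with an unknown or empty password, which is the "more obvious if something gets dropped" property joe is after.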
Re: [ActiveDir] Error while adding user to AD
Thanks a lot Joe, this has been of tremendous help for diagnosing the issue! Grateful to you!

Mayuresh.

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:32 AM
Subject: RE: [ActiveDir] Error while adding user to AD

I expect the policy hasn't completely applied yet.

Can you control the process used by the metadirectory software for object creation? If so, have it create the object in the way specified below. The alternative is to create it with the useraccountcontrol flagged to allow the account to not have a password. Then after the initial object create set a password and change useraccountcontrol to 512. I highly recommend creating it disabled and then setting the password and then setting the useraccountcontrol to 512 though. It is more obvious if something gets dropped and not handled properly.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

I set the Domain Security policy to be a password length policy. I set the minimum length to be 8. Still I am able to provision using a different server. Am I missing something?

- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:19 AM
Subject: Re: [ActiveDir] Error while adding user to AD

Thanks a lot Joe. I'll try this out. One more query. After I've changed my password policy, the changes don't seem to be reflected immediately. How can I force it?

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD

That DSID can pop up when an account is improperly created. I.E. someone is trying to set the account enabled in the actual creation of the account when there is a password length policy.

If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 7:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Active Directory password policy was set as follows:

Policy                                        Setting
Enforce password history                      0 passwords remembered
Maximum password age                          999 days
Minimum password age                          0 days
Minimum password length                       8 characters
Password must meet complexity requirements    Disabled
Store passwords using reversible encryption   Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers on how this happened?

Regards,
Mayuresh

- Original Message -
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD

This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi,

I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0

Can you guide me as to how I can detect and eliminate the cause of it please.

Thanks,
Mayuresh

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
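The creation order Joe recommends (create disabled, set the password, then set userAccountControl to 512) as an added example, not code from the thread or from any metadirectory product: it emits the three LDIF records in that order and refuses a password shorter than the domain minimum Mayuresh hit. The DN, sAMAccountName and passwords are constructed; the userAccountControl bit values are the documented AD constants.

```python
# Added example: LDIF for the "create disabled, set password, enable" sequence
# from the thread. Nothing here talks to a DC; it only builds the records that
# a tool such as ldifde would apply (unicodePwd needs an LDAPS/SSL connection).
import base64

NORMAL_ACCOUNT = 0x0200   # userAccountControl: ordinary user account
ACCOUNTDISABLE = 0x0002   # userAccountControl: account is disabled
PASSWD_NOTREQD = 0x0020   # the alternative Joe mentions: no password required


def encode_unicode_pwd(password: str) -> str:
    """AD wants unicodePwd as the password wrapped in double quotes and encoded
    UTF-16LE; LDIF carries such binary values base64-encoded after '::'."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def meets_min_length(password: str, min_length: int = 8) -> bool:
    """Client-side mirror of the domain 'Minimum password length' policy; a DC
    enforcing it answers a too-short password with WILL_NOT_PERFORM."""
    return len(password) >= min_length


def build_user_ldif(dn: str, sam: str, password: str,
                    min_length: int = 8, create_disabled: bool = True) -> str:
    """Return three LDIF records:
      1. add the user, disabled (514) or with PASSWD_NOTREQD (544),
      2. replace unicodePwd,
      3. replace userAccountControl with NORMAL_ACCOUNT (512) to enable it.
    The enable step is last on purpose: if the password step is dropped, the
    account stays disabled instead of silently existing without a password."""
    if not meets_min_length(password, min_length):
        raise ValueError(f"password shorter than domain minimum of {min_length}")
    initial_uac = NORMAL_ACCOUNT | (ACCOUNTDISABLE if create_disabled else PASSWD_NOTREQD)
    add_record = "\n".join([
        f"dn: {dn}",
        "changetype: add",
        "objectClass: user",
        f"sAMAccountName: {sam}",
        f"userAccountControl: {initial_uac}",
    ])
    pwd_record = "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(password)}",
        "-",
    ])
    enable_record = "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userAccountControl",
        f"userAccountControl: {NORMAL_ACCOUNT}",
        "-",
    ])
    return "\n\n".join([add_record, pwd_record, enable_record]) + "\n"


def uac_order(ldif: str) -> list[int]:
    """userAccountControl values in the order they appear: a quick check that
    the account is only enabled after the password has been set."""
    return [int(line.split(":", 1)[1]) for line in ldif.splitlines()
            if line.startswith("userAccountControl:")]


if __name__ == "__main__":
    # Constructed sample DN and credentials, not taken from the thread.
    print(build_user_ldif("CN=Test User,OU=Users,DC=example,DC=com",
                          "testuser", "LongEnough-1"))
```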
RE: [ActiveDir] Error in PDC Operations Master
Hi Dean,

As I mentioned earlier I did not know (never seen it before) about the automatic increase of the ridavailablepool value with 1 million after the rid seizure. I got curious and I built a small environment. I did not see the ridpool get increased with 1 million after the seizure. I also got different results depending on where the NEW rid master is located (SITE WISE). See below.

After the seizure the new RID master increased its known pool by 500. Personally I think that's not enough... Especially in a large environment.

During the seizure the new to-be RID master reports: "Searching for highest rid pool in domain"

Can you elaborate more on the automatic increase of the availableridpool attribute and when that happens?

Cheers
#JORGE#

# DCs: 01, 02, 03
01: site1 - original rid master
02: site1
03: site2 - new rid master after seizing

01: rIDAvailablePool: 4611686014132423214
02: rIDAvailablePool: 4611686014132423214
03: rIDAvailablePool: 4611686014132423214 (upper 1073741823, lower 2606)

01: 3000 users created
01: rIDAvailablePool: 4611686014132426214
02: rIDAvailablePool: 4611686014132426214 (upper 1073741823, lower 5606)
03: rIDAvailablePool: 4611686014132423214 (upper 1073741823, lower 2606)

01: down
03: seized rid master
03: rIDAvailablePool: 4611686014132423714 (increased by 500) (upper 1073741823, lower 3106)

02: 1000 users created
02: replication forced
03: replication forced
02: rIDAvailablePool: 4611686014132426214 --- (this value would not change, even after forcing replication!) (upper 1073741823, lower 5606)
03: rIDAvailablePool: 4611686014132424714 (upper 1073741823, lower 4106)

02: 3001 users created
02: rIDAvailablePool: 4611686014132427714 (this value only changes when the value of 03 was higher than the previous value of 02!)
03: rIDAvailablePool: 4611686014132427714

# DCs: 01, 02, 03
01: site1 - original rid master
02: site1
03: site1 - new rid master after seizing

01: rIDAvailablePool: 4611686014132423214
02: rIDAvailablePool: 4611686014132423214
03: rIDAvailablePool: 4611686014132423214

03: disabled inbound REPL
01: 3000 users created
01: rIDAvailablePool: 4611686014132426214
02: rIDAvailablePool: 4611686014132426214 (upper 1073741823, lower 5606)
03: rIDAvailablePool: 4611686014132423214 (upper 1073741823, lower 2606)

01: down
03: enable inbound REPL
03: seized rid master
03: rIDAvailablePool: 4611686014132423714 (increased by 500) (upper 1073741823, lower 3106)

02: 1000 users created
02: rIDAvailablePool: 4611686014132427214
03: rIDAvailablePool: 4611686014132427214
###

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: dinsdag 31 mei 2005 10:31
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring, and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason), you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent
RE: [ActiveDir] Error in PDC Operations Master
Tested this myself and reached the same conclusion you did. I've since done some digging and found a number of references to the 1 million increase, all of which were in documents relating to Windows NT5. I assume my memory has yet again failed me :) since I can't even find any private up-to-date material to validate it.

PS - Ironically, I did find a document that I wrote for a seminar just after Windows 2000's release where I make a recommendation regarding increasing the RID pool following role seizure ... maybe I knew it at one point or another ... if I did, it probably got replaced by some other piece of useless information since I believe my brain reached capacity some years back.

Anyways, my apologies for causing you to waste so much time testing this, it seems this was removed quite some time ago :(

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 02, 2005 9:09 AM
To: ActiveDir@mail.activedir.org; Send - AD mailing list; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error in PDC Operations Master
RE: [ActiveDir] Error in PDC Operations Master
Apologies accepted! No hard feelings!

I also used the same environment to test the ADMOD -undel option to undelete objects and it did not work (already mailed Joe about it). However I must mention both the RID thing and the ADMOD thing were tested on W2K3-R2!

Keeping my earlier statement in mind regarding the need to manually increase the availableridpool on the new RID master after the seizure, I'm still thinking about the value for the manual increase (like some kind of formula)...

Factors/variables that I believe have influence on the size of the value:
* Pool of possible requested RIDs - 500
* Number of DCs in domain or better yet the number of DCs that are used for security principal creation (the DCs that use RIDs)
* ?

If I come up with some formula I will post that on the list

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: donderdag 2 juni 2005 16:24
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Error in PDC Operations Master
RE: [ActiveDir] Error in PDC Operations Master
Something that confuses me in this (and in RID allocation generally) is: Isn't the RIDavailablePool held by the RID master? Is the value replicated among DCs? If it's not, does a DC have to check with the RID master BEFORE it increments this value? (I assume that it would, but I am not sure, especially if the RID master is not available).

Now, if you do an auth restore on a DC and you ask the DC to increment RIDAvailablePool, and that DC is NOT the RID master, AND the RID master is not available (for any reason), what happens then? IF the RID master is not available and you seize the role, how does the new role holder determine the current RIDAvailablePool?

I am guessing that all of the above is moot and RIDAvailablePool is replicated in real-time among DCs. But ... if it's not ... Say DCa is the RID Master and it says that RIDAvailablePool is currently at 91000. Say DCb is currently given 89001-89500, DCc is given 89501-9 and DCd is given 90001-90500. Say a disaster happened and we need to do an auth restore, but DCa is not recoverable. We take DCb, seize the role and do the restore. Would the RIDAvailablePool (according to DCb) now equal 90001?

Also, how does an out-of-band increase in RIDAvailablePool affect RIDPreviousAllocationPool on other DCs in the domain? Do they all now discard this pool and ask for a new batch from the new RID guy? Do they also immediately junk their current RIDAllocationPool and get new ones?

Wish I understood the inner workings of RID better.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Thu 6/2/2005 7:55 AM
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Error in PDC Operations Master
RE: [ActiveDir] Error in PDC Operations Master
Hi,

The max. available RIDs in each AD domain is 1.073.741.823. This is the upper value of the attribute rIDAvailablePool of the object CN=RID Manager$,CN=System,DC=PARENT,DC=LAN. This attribute manages the blocks of RIDs that have NOT been assigned to DCs to create security principals. The owner (or in other words: the DC that manages this object) is the DC mentioned in the attribute fSMORoleOwner.

The object CN=RID Manager$,...etc IS REPLICATED to all DCs in the domain. This is important for other DCs if you need to transfer/seize the RID FSMO role to another DC. Imagine if it was not replicated and the original RID FSMO owner was down and dead. The new RID FSMO owner would never know what blocks of RIDs had been assigned to other DCs if a seizure was done. There is another way though, and that is if each block that had been assigned is known to each DC in the domain. The problem with this is that that is much more data than just the attribute rIDAvailablePool of the object mentioned earlier.

Below each DC object (CN=W2K3R2SRVTRL01,OU=Domain Controllers,DC=PARENT,DC=LAN) there exists another object CN=RID Set,CN=W2K3R2SRVTRL01,OU=Domain Controllers,DC=PARENT,DC=LAN. This object stores the info about the RID blocks that have been assigned to each DC.

The attribute rIDPreviousAllocationPool (e.g. 15483357105186 - upper value is 3605 and lower value is 3106) is the block of RIDs a DC is currently using for the creation of sec. princ. and IS NOT REPLICATED to other DCs.

The attribute rIDAllocationPool (e.g. 17630840753686 - upper value is 4105 and lower value is 3606) is the block of RIDs the DC will use next when the first block has been consumed and IS REPLICATED to other DCs.

You might see that both attributes have the same value. When the block of RIDs (rIDPreviousAllocationPool) is 50% consumed the DC will ask for another block and stores that in rIDAllocationPool. When it is 100% consumed the rIDPreviousAllocationPool gets the value of rIDAllocationPool. The values are the same again and will differ when the currently used block is 50% consumed.

You might think that the attribute rIDNextRID is the attribute that says which next RID will be consumed. You thought wrong, as this is the LAST consumed RID by the DC. OK, I agree MS chose some strange names for the attributes. In my opinion they should have been called rIDCurrentAllocationPool, rIDNextAllocationPool, rIDLastRID, but that is just an opinion!

Have you ever wondered why you first need to target (connect to) the new to-be FSMO master when transferring, instead of pointing it out? When transferring a FSMO role you are not saying to the old FSMO "hey, give your FSMO role away", no, you are saying (after connecting to the new one) "hey new one, take ownership of the FSMO role". Under the hood you are triggering an OPERATIONAL ATTRIBUTE on the new to-be FSMO role holder. The OPERATIONAL ATTRIBUTES that do this are:
* becomeInfrastructureMaster
* becomePdc
* becomeSchemaMaster
* becomeRidMaster
* becomeDomainMaster

With the command dcdiag /v /test:ridmanager on a DC you can see the following:

#
Testing server: Default-First-Site-Name\W2K3R2SRVTRL01
   Starting test: RidManager
      * Available RID Pool for the Domain is 4106 to 1073741823
      * w2k3r2srvtrl01.PARENT.LAN is the RID Master
      * DsBind with RID Master was successful
      * rIDAllocationPool is 3606 to 4105
      * rIDPreviousAllocationPool is 3106 to 3605
      * rIDNextRID: 3358
      ......................... W2K3R2SRVTRL01 passed test RidManager
#

The info is the same as stored in the attributes I mentioned earlier.

The only time a DC (as far as I know) throws away its RID blocks is when you mandate it by writing to the operational attribute called invalidateRidPool or when a DC has been restored. After the DC is restored it does some special stuff, and one of them is writing to the operational attribute called invalidateRidPool and asking for a new RID block from the RID FSMO master. IF the RID FSMO master for some reason is NOT AVAILABLE then the DC asking for a new RID block will generate event id 16650.

For more info on this see "Event ID 16650: The account-identifier allocator failed to initialize in Windows 2000 and in Windows Server 2003" (http://support.microsoft.com/?kbid=839879)

For more info on the RID attributes see "Description of RID Attributes in Active Directory" (http://support.microsoft.com/?kbid=305475)

I posted some findings earlier, see those also as an example.

I hope I have described clearly how this works.

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/2/2005 6:57 PM
Subject: RE: [ActiveDir] Error in PDC Operations Master
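The packed pool values Jorge describes here, and the rIDAvailablePool readings from his seizure test earlier in the thread, worked through as an added example (not code from the thread): the high 32 bits of each pool attribute hold the upper bound and the low 32 bits the lower bound, so the thread's own numbers can be decoded and the "50% consumed, ask for the next block" rule checked against the dcdiag output. Input values are the ones quoted in the messages; the 50% trigger is taken from Jorge's description.

```python
# Added example: decode rIDAvailablePool / rIDAllocationPool /
# rIDPreviousAllocationPool and reproduce the arithmetic behind the numbers
# posted in this thread. Pure computation, no directory access.


def split_pool(packed: int) -> tuple[int, int]:
    """Return (lower, upper) from a packed 64-bit pool attribute value."""
    if not 0 <= packed < 1 << 64:
        raise ValueError("pool attribute must be an unsigned 64-bit integer")
    return packed & 0xFFFFFFFF, packed >> 32


def pack_pool(lower: int, upper: int) -> int:
    """Inverse of split_pool: what a DC stores for the block lower..upper."""
    if not 0 <= lower <= upper < 1 << 32:
        raise ValueError("bounds must satisfy 0 <= lower <= upper < 2**32")
    return (upper << 32) | lower


def block_usage(previous_pool: int, next_rid: int) -> tuple[int, int, float]:
    """Return (consumed, size, fraction) for the block a DC is working from.

    rIDNextRID is the LAST RID handed out (as Jorge points out), so the
    consumed count includes it.
    """
    lower, upper = split_pool(previous_pool)
    if not lower <= next_rid <= upper:
        raise ValueError(f"rIDNextRID {next_rid} lies outside block {lower}-{upper}")
    size = upper - lower + 1
    consumed = next_rid - lower + 1
    return consumed, size, consumed / size


def next_block_expected(previous_pool: int, next_rid: int) -> bool:
    """True once the current block is at least half consumed: the point at
    which, per the thread, the DC asks the RID master for its next block."""
    return block_usage(previous_pool, next_rid)[2] >= 0.5


def available_pool_deltas(readings: list[tuple[str, int]]) -> list[tuple[str, int, int]]:
    """For successive (label, rIDAvailablePool) readings of one DC, return
    (label, next_unassigned_rid, change_since_previous_reading). A seizure or
    a block hand-out shows up as the change in the lower 32 bits."""
    out: list[tuple[str, int, int]] = []
    prev_lower = None
    for label, packed in readings:
        lower, _upper = split_pool(packed)
        delta = 0 if prev_lower is None else lower - prev_lower
        out.append((label, lower, delta))
        prev_lower = lower
    return out


if __name__ == "__main__":
    # Values quoted in the thread: the dcdiag output above and the DC03
    # readings from Jorge's seizure test.
    print(split_pool(15483357105186))          # rIDPreviousAllocationPool -> (3106, 3605)
    print(split_pool(17630840753686))          # rIDAllocationPool         -> (3606, 4105)
    print(block_usage(15483357105186, 3358))   # 253 of 500 used -> 0.506, next block already requested
    print(split_pool(pack_pool(4106, 1073741823)))  # the domain pool dcdiag reports
    dc03 = [
        ("DC03 before seizure", 4611686014132423214),
        ("DC03 after seizure", 4611686014132423714),
        ("DC03 after DC02 created 1000 users", 4611686014132424714),
    ]
    for row in available_pool_deltas(dc03):
        print(row)
```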
RE: [ActiveDir] Error in PDC Operations Master
Deji

F:\DEV\cpp\ShrFlgs>adfind -schema -f ldapdisplayname=ridavailablepool systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

dn:CN=RID-Available-Pool,CN=Schema,CN=Configuration,DC=joe,DC=com
>systemFlags: 16

1 Objects returned

systemFlags of 16 breaks down to

0x10 - Indicates the object is a category 1 object. A category 1 object is a class or attribute that is included in the base schema included with the system.

It would have to have 0x01 set in the system flags to prevent it from being replicated.

Also here is a fairly useful KB http://support.microsoft.com/?kbid=305475

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 02, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master
RE: [ActiveDir] Error in PDC Operations Master
Huh? I didn't get that email Jorge... Lucky I was scanning through the posts, I barely caught this post. I haven't seen admod not work for an undel, definitely get data to me, use the -exterr option to capture the DSID info too.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, June 02, 2005 10:56 AM
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Error in PDC Operations Master
PS - Ironically, I did find a document that I wrote for a seminar just after Windows 2000's release where I make a recommendation regarding increasing the RID pool following role seizure ... maybe I knew it at one point or another ... if I did, it probably got replaced by some other piece of useless information since I believe my brain reached capacity some years back. Anyways, my apologies for causing you to waste so much time testing this, it seems this was removed quite some time ago :( -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] Sent: Thursday, June 02, 2005 9:09 AM To: ActiveDir@mail.activedir.org; Send - AD mailing list; [EMAIL PROTECTED] Subject: RE: [ActiveDir] Error in PDC Operations Master Hi Dean, As I mentioned earlier I did not know (never seen it before) about the automatic increase of the ridavailablepool value with 1 million after the rid seizure. I got curious and I built a small environment. I did not see the ridpool got increased with 1 million after the seizure. I also got different results depending on where the NEW rid master is located (SITE WISE). See below. After the seizure the new RID master increased its known pool with 500. Personnally I think that's not enoough... Especially in a large environment During the seizure the new to be RID master reports: Searching for highest rid pool in domain Can you elaborate more on the automatic increase of the availableridpool attribute and when that happens? 
Cheers #JORGE# # DCs: 01, 02, 03 01: site1 - original rid master 02: site1 03: site2 - new rid master after seizing 01: rIDAvailablePool: 4611686014132423214 02: rIDAvailablePool: 4611686014132423214 03: rIDAvailablePool: 4611686014132423214 1073741823 2606 01: 3000 users created 01: rIDAvailablePool: 4611686014132426214 02: rIDAvailablePool: 4611686014132426214 1073741823 5606 03:rIDAvailablePool: 4611686014132423214 1073741823 2606 01: down 03: seized rid master 03: rIDAvailablePool: 4611686014132423714 (increased with 500) 1073741823 3106 02: 1000 users created 02: replication forced 03: replication forced 02: rIDAvailablePool: 4611686014132426214 --- (this value would not, even after forcing replication!) 1073741823 5606 03: rIDAvailablePool: 4611686014132424714 1073741823 4106 02: 3001 users created 02: rIDAvailablePool: 4611686014132427714 (this value only changes when the value of 03 was higher than the previous value of 02!) 03: rIDAvailablePool: 4611686014132427714 # DCs: 01, 02, 03 01: site1 - original rid master 02: site1 03: site1 - new rid master after seizing 01: rIDAvailablePool: 4611686014132423214 02: rIDAvailablePool: 4611686014132423214 03: rIDAvailablePool: 4611686014132423214 03: disabled inbound REPL 01: 3000 users created 01: rIDAvailablePool: 4611686014132426214 02: rIDAvailablePool: 4611686014132426214 1073741823 5606 03: rIDAvailablePool: 4611686014132423214 1073741823 2606 01: down 03: enable inbound REPL
RE: [ActiveDir] Error in PDC Operations Master
Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason) you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
3 Sites - Site A has DC1 DC2 - Site B DC3 - Site C DC4
2. OS version of DCs
- All DCs are running Windows 2003 Server Standard
3. Are the remaining DCs replicating successfully?
- According to DC diag they all passed replications
- They do all show in the DC diag the following:
DC=domain,DC=ewu,DC=edu
Last replication received from DC2 at 2005-03-23 02:00:40.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. - not replicating. Before proceeding, can you give me some more info. -
1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original
Re: [ActiveDir] Error in PDC Operations Master
As a by the way:

I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD 143 million does not seem that many.

The session was a John Craddock session, on AD as part of the pre-conference programme.

Can anyone confirm this number and confirm the matter?

Regards

Mark

-----Original Message-----
From: Jorge de Almeida Pinto [EMAIL PROTECTED]
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error in PDC Operations Master
RE: [ActiveDir] Error in PDC Operations Master
The following: http://support.microsoft.com/?kbid=305475 appears to suggest the pool size is considerably larger.

Bear in mind also, Mark, that seizure of the PDC role should not / will not be performed on a regular basis and the 1 million increment will not therefore, represent an issue.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 31 May 2005 10:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master
RE: [ActiveDir] Error in PDC Operations Master
To launch an attack on this the attacker must be able to create security principals. Although it is a very large number, ways to mitigate this are a good implementation of delegation of control and NTDS quotas

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: dinsdag 31 mei 2005 12:02
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

Thanks Neil,

I understand the concepts of seizure but it was the implications of 1 million RID increases that were of concern but as the number is 1,073,741,823 not 143,000,000 it does not seem that much of an issue - let's hope nobody can launch a DoS to increase a domain's RID pool.

Mark

-----Original Message-----
From: Ruston, Neil [EMAIL PROTECTED]
Date: Tue, 31 May 2005 10:18:23
To: 'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master
RE: [ActiveDir] Error in PDC Operations Master
It certainly is finite, everything I have, however, indicates that RID strength is ~30 bits equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master
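The arithmetic behind the numbers in this thread, as an added example that is not part of any of the original posts. rIDAvailablePool on the RID Manager$ object is a single 64-bit integer: the high 32 bits hold the highest RID the domain will ever issue, the low 32 bits the next RID the RID master will hand out. Decoding the values Jorge posted (4611686014132423214 and its successors) gives exactly the "1073741823 2606" pairs in his log, and 1073741823 is 2^30 - 1, which is Dean's "~30 bits, ~1 billion per domain". The code below parses a log in the format Jorge posted (the sample is constructed from his numbers), decodes each value, models a 500-RID block allocation, and models a seizure in which the new master starts from the highest pool it knows of plus a configurable bump, because the thread itself disagrees on that bump (500 measured on W2K3-R2 versus the 1 million Dean recalled from NT5-era documents). The block-size constant, the bump parameter and the inclusive "unallocated" count are this example's own assumptions, not anything the posters wrote.

```python
"""Decode Active Directory's rIDAvailablePool and reason about RID exhaustion.

Added example, not code from the mailing-list posters. The sample log below is
constructed from the values Jorge posted in the thread.
"""
import re

RID_BLOCK_SIZE = 500              # assumed: default block a DC requests from the RID master
RID_MAX_DEFAULT = (1 << 30) - 1   # 1073741823: RIDs are 30 bits wide (Dean's "~1 billion")


def decode_rid_pool(value: int) -> tuple[int, int]:
    """Split rIDAvailablePool into (max_rid, next_rid): high 32 bits / low 32 bits."""
    return value >> 32, value & 0xFFFFFFFF


def encode_rid_pool(max_rid: int, next_rid: int) -> int:
    """Inverse of decode_rid_pool; both halves must fit in 32 bits."""
    if not (0 <= max_rid <= 0xFFFFFFFF and 0 <= next_rid <= 0xFFFFFFFF):
        raise ValueError("both halves of rIDAvailablePool must fit in 32 bits")
    return (max_rid << 32) | next_rid


def rids_unallocated(value: int) -> int:
    """RIDs the master has not yet handed to any DC (next_rid itself is still free)."""
    max_rid, next_rid = decode_rid_pool(value)
    return max_rid - next_rid + 1


def allocate_block(value: int, size: int = RID_BLOCK_SIZE) -> int:
    """RID master hands `size` RIDs to a DC: advance the low half.

    Raises once the domain's finite RID space is used up, which is why anyone
    who can create security principals can drain it and why delegation and
    NTDS quotas matter (Jorge's point in the thread).
    """
    max_rid, next_rid = decode_rid_pool(value)
    if next_rid + size - 1 > max_rid:
        raise RuntimeError("RID pool exhausted: cannot allocate %d RIDs" % size)
    return encode_rid_pool(max_rid, next_rid + size)


def seize_rid_master(known_pools: list[int], bump: int) -> int:
    """Model a seizure: start from the highest pool value the new master knows of
    ("Searching for highest rid pool in domain") and skip `bump` RIDs so RIDs the
    old master may have issued before replication stopped are not reissued.

    `bump` is a parameter: Jorge measured 500; Dean recalled 1,000,000.
    """
    max_rid, next_rid = decode_rid_pool(max(known_pools))
    return encode_rid_pool(max_rid, next_rid + bump)


_POOL_LINE = re.compile(r"^(?P<dc>\d{2}):\s*rIDAvailablePool:\s*(?P<value>\d+)")


def parse_pool_log(text: str) -> list[tuple[str, int]]:
    """Extract (dc, rIDAvailablePool) pairs from a log in the format Jorge posted."""
    pairs = []
    for line in text.splitlines():
        m = _POOL_LINE.match(line.strip())
        if m:
            pairs.append((m.group("dc"), int(m.group("value"))))
    return pairs


# Constructed sample: scenario 1 from the thread, one observation per line.
SAMPLE_LOG = """\
01: rIDAvailablePool: 4611686014132423214
02: rIDAvailablePool: 4611686014132423214
03: rIDAvailablePool: 4611686014132423214
01: 3000 users created
01: rIDAvailablePool: 4611686014132426214
03: seized rid master
03: rIDAvailablePool: 4611686014132423714 (increased with 500)
"""


def summarize(text: str = SAMPLE_LOG) -> list[tuple[str, int, int, int]]:
    """(dc, max_rid, next_rid, rids_unallocated) for every pool value in the log."""
    rows = []
    for dc, value in parse_pool_log(text):
        max_rid, next_rid = decode_rid_pool(value)
        rows.append((dc, max_rid, next_rid, rids_unallocated(value)))
    return rows


if __name__ == "__main__":
    for row in summarize():
        print("DC %s: max=%d next=%d unallocated=%d" % row)
    # 03 never saw 01's later value, so its seizure starts from 2606 and bumps by 500.
    print(decode_rid_pool(seize_rid_master([4611686014132423214], 500)))
```

Note that `allocate_block` applied to the initial value reproduces the exact post-seizure value Jorge recorded (4611686014132423714), i.e. the "+500" he observed is one RID block, not a safety margin; a master that seizes while holding a stale copy of the pool and bumps by only one block can reissue RIDs that the old master already handed out, which is the scenario the 1 million increment was meant to cover.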
RE: [ActiveDir] Error in PDC Operations Master
I also have Ghost Images of my servers from the day before my replication stopped. What do you think of restoring back to those images and then restoring 1 of my active directory backups? Because we're a university, this is normally the time of year I reset passwords, so I could get away with doing a master reset of all passwords.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master
RE: [ActiveDir] Error in PDC Operations Master
I would strongly advise against that, restoring an AD DC to an earlier point in time without its knowledge causes an issue known as USN rollback which is difficult to detect, manifests odd symptoms and may cause more problems than it resolves. The role related approaches posted so far are, IMHO, the better next-step.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, May 31, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

I also have Ghost Images of my servers from the day before my replication stopped. What do you think of restoring back to those images and then restoring 1 of my Active Directory backups? Because we're a university, this is normally the time of year I reset passwords, so I could get away with doing a master reset of all passwords.

Thanks,
-- Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It certainly is finite, everything I have, however, indicates that RID strength is ~30 bits equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain. Now if it increases by 1 million every time automatically, plus you have a lot of objects in your AD, 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark
RE: [ActiveDir] Error in PDC Operations Master
OK thanks, I found my original issue was that I had restored my PDC to a Ghost image from the day before because of a Windows update that was causing the machine to reboot like the LSASS virus. Ever since I did that restore my domain has not properly replicated, although looking at accounts in my OUs where I've added many new accounts and made hundreds of changes, it appears to be in sync.

I'm contemplating rebuilding the entire domain, as I have scripts that will create all the accounts in a matter of minutes, minus passwords. I wonder if there's a way to get those out of the current accounts so I can re-sync them up also.

Thanks,
-- Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+
RE: [ActiveDir] Error in PDC Operations Master
As I mentioned, USN rollback is quite difficult to detect ('quite' scales exponentially with the complexity and size of the directory). As for rebuilding (and assuming you have granted users and groups permission to use various resources around the domain), you may want to scrap that approach. Assuming the information you've provided is both accurate and complete; removal of the PDC, role seizure, metadata cleanup and re-introduction of the DC serves to provide a working solution ... really, I see no need to (nor would I recommend that you) start again.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
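Dean's point that USN rollback is hard to detect is worth pairing with the checks a defender can actually run. The script below is an added example, not code from the list or from any of the posters. It assumes the ActiveDirectory PowerShell module on a Windows Server 2012 or later management host (the cmdlet names used here did not exist in the 2003-era tooling the thread discusses), WinRM access to each DC, and rights to read RootDSE, the Directory Service event log and the NTDS registry key. It reports three things per DC: whether any replication partner remembers a higher USN for this DC's current invocation ID than the DC itself now reports (the signature of a database that went back in time without a proper restore), whether the DC has logged the NTDS events Windows writes when it notices a rollback itself (IDs 2095 and 2103), and whether the "Dsa Not Writable" registry value is present, which Windows sets when it has quarantined the DC from replication.

```powershell
# Added example (not from the thread). Assumptions: ActiveDirectory module,
# WinRM to every DC, read rights on RootDSE, the Directory Service log and
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Import-Module ActiveDirectory

function Test-UsnRollback {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Identity $Domain
    $dcs = @(Get-ADDomainController -Filter * -Server $dom.DNSRoot)

    # 1. Each DC's own claim: its current invocation ID and highest committed USN.
    $self = @{}
    foreach ($dc in $dcs) {
        $root = Get-ADRootDSE -Server $dc.HostName
        $self[$dc.HostName] = [pscustomobject]@{
            InvocationId = $dc.InvocationId
            HighestUsn   = [int64]$root.highestCommittedUSN
        }
    }

    foreach ($dc in $dcs) {
        $me      = $self[$dc.HostName]
        $maxSeen = 0L

        # 2. What the partners remember. A partner's up-to-dateness vector holds
        #    the highest USN it ever received from this DC under this invocation
        #    ID. If that is higher than the USN the DC now reports for itself,
        #    the DC's database has been rolled back. A supported restore changes
        #    the invocation ID, so a properly restored DC is not flagged here.
        foreach ($partner in ($dcs | Where-Object HostName -ne $dc.HostName)) {
            $utd = Get-ADReplicationUpToDatenessVectorTable -Target $partner.HostName `
                       -Partition $dom.DistinguishedName -ErrorAction SilentlyContinue
            foreach ($row in ($utd | Where-Object { $_.PartnerInvocationId -eq $me.InvocationId })) {
                if ([int64]$row.UsnFilter -gt $maxSeen) { $maxSeen = [int64]$row.UsnFilter }
            }
        }

        # 3. Indicators Windows writes when it detects the rollback on its own.
        $events = @(Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
                      -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 })
        $dsaNotWritable = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -ErrorAction SilentlyContinue).'Dsa Not Writable'
        }

        [pscustomobject]@{
            DomainController      = $dc.HostName
            OwnHighestUsn         = $me.HighestUsn
            HighestUsnPartnersSaw = $maxSeen
            UsnWentBackwards      = ($maxSeen -gt $me.HighestUsn)
            RollbackEvents        = $events.Count
            DsaNotWritable        = $dsaNotWritable
        }
    }
}

Test-UsnRollback | Format-Table -AutoSize
```

The partner comparison is the check that matters when Windows has not caught the rollback itself: a DC restored from a disk image keeps its old invocation ID, so the partners' vectors still carry the higher USN it had before the image was taken, while the restored copy restarts below that. The event log and registry checks cover the case the thread's later posts describe, where the DC has noticed the problem and stopped replicating; a DC with DsaNotWritable set should be treated as a candidate for forced demotion and metadata cleanup rather than re-enabled.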
RE: [ActiveDir] Error in PDC Operations Master
It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
3 Sites
- Site A has DC1, DC2
- Site B DC3
- Site C DC4

2. OS version of DCs
- All DCs are running Windows 2003 Server Standard

3. Are the remaining DCs replicating successfully?
- According to DC diag they all passed replications
- They do all show in the DC diag the following:
DC=domain,DC=ewu,DC=edu
Last replication recieved from DC2 at 2005-03-23 02:00:40.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
-- Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] Error in PDC Operations Master
Because you are seizing and not transferring, and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason), you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure).

Cheers,
#JORGE#
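Jorge's and Dean's exchange about rIDAvailablePool (and Mark's and Dean's disagreement over whether the ceiling is ~143 million or ~30 bits) becomes concrete once you decode the attribute. As an added example that is not part of the thread, the script below reads CN=RID Manager$ from every DC in the domain and splits the 64-bit rIDAvailablePool value into its two halves: the high 32 bits hold the highest RID the domain can ever issue, the low 32 bits hold the next RID the RID master will allocate. It assumes the ActiveDirectory module and read access to the RID Manager$ object on each DC; querying every DC rather than just the role holder is deliberate, because the thread's concern is precisely whether the post-seizure value has reached the other DCs.

```powershell
# Added example (not from the thread). Assumption: ActiveDirectory module and
# read access to CN=RID Manager$,CN=System,<domain DN> on every DC.
Import-Module ActiveDirectory

function Get-RidPoolView {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom      = Get-ADDomain -Identity $Domain
    $ridMgrDn = 'CN=RID Manager$,CN=System,' + $dom.DistinguishedName

    foreach ($dc in Get-ADDomainController -Filter * -Server $dom.DNSRoot) {
        $out = [ordered]@{
            QueriedDc = $dc.HostName; RoleOwnerNtds = $null
            NextRid = $null; MaxRid = $null; RemainingRids = $null; PercentUsed = $null; Error = $null
        }
        try {
            # Bind to this specific DC so we see its replica of the object, not the master's.
            $obj = Get-ADObject -Identity $ridMgrDn -Server $dc.HostName `
                       -Properties rIDAvailablePool, fSMORoleOwner

            [int64]$pool = $obj.rIDAvailablePool
            $maxRid  = $pool -shr 32              # high dword: ceiling for this domain
            $nextRid = $pool -band 0xFFFFFFFF     # low dword: next RID block start

            $out.RoleOwnerNtds = $obj.fSMORoleOwner   # NTDS Settings DN this DC believes holds the role
            $out.NextRid       = $nextRid
            $out.MaxRid        = $maxRid
            $out.RemainingRids = $maxRid - $nextRid
            $out.PercentUsed   = [math]::Round(100.0 * $nextRid / $maxRid, 3)
        } catch {
            $out.Error = $_.Exception.Message     # an unreachable DC is itself a finding
        }
        [pscustomobject]$out
    }
}

Get-RidPoolView | Format-Table -AutoSize
```

Run it once before and once after a seizure and compare the NextRid column across DCs: the role holder's copy should show the jump the thread describes, and any DC still reporting the old value (or a different fSMORoleOwner) has not yet received the change, which is the situation Jorge's advice was meant to guard against. MaxRid is the number to check against the figures debated in the thread.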
RE: [ActiveDir] Error in PDC Operations Master
What does the machine question report within its event log?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

My Dcdiag output shows the following error:

#
Starting test: KnowsOfRoleHolders
Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
[STF2] LDAP bind failed with error 8341, A directory service error has occurred..
Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
. STF1 failed test KnowsOfRoleHolders
Starting test: RidManager
. STF1 failed test RidManager
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
. STF1 failed test frsevent
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
. domain failed test FsmoCheck
#

Thanks,
-- Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error in PDC Operations Master

Hi,

My PDC just started acting up and is showing an error in the PDC box under Operations Master. The only recent change that I can think of to the server was I uninstalled/re-installed the Certificate Authority 3 or 4 times, which was installed on the PDC.

Thanks,
-- Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Error in PDC Operations Master
Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
- from DC1 it shows ERROR for RID, PDC; shows DC1 in Infrastructure
- from DC2 it shows ERROR for PDC; shows DC2 for RID, DC1 for Infrastructure

So neither DC1 nor DC2 knows who the PDC is. (It should be DC2)

When I use the netdom query fsmo:
- from DC1 it shows the roles as it should like above
- from DC2 it shows the PDC role as DC1 rather than itself

1. When I try to manually replicate from DC2 to DC1 I get an error about Target Principal Name Incorrect. After completing Article ID 288167 about resetting password (netdom resetpwd) and trying to replicate, I get a tombstone error between the 2 domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error about Target Principal Name Incorrect, but this is where I've stopped because DC2 is supposed to be the PDC and the KB article makes it sound like the PW should only be reset on the non-PDC machines.

All in all, my PDC seems to have amnesia and doesn't seem to remember that it's the PDC.

Thanks,
-- Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] Error in PDC Operations Master
It seems the FSMO errors you're receiving are merely symptoms of another, more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. not replicating. Before proceeding, can you give me some more info:

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
- from DC1 it shows ERROR for RID and PDC, shows DC1 in Infrastructure
- from DC2 it shows ERROR for PDC, shows DC2 for RID, DC1 for Infrastructure

So neither DC1 nor DC2 knows who the PDC is. (It should be DC2)

When I use netdom query fsmo:
- from DC1 it shows the roles as it should, like above
- from DC2 it shows the PDC role as DC1 rather than itself

1. When I try to manually replicate from DC2 to DC1 I get an error about Target Principal Name Incorrect. After completing Article ID 288167 about resetting the password (netdom resetpwd) and trying to replicate, I get a tombstone error between the 2 domains saying it has exceeded the tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error about Target Principal Name Incorrect, but this is where I've stopped because DC2 is supposed to be the PDC and the KB article makes it sound like the PW should only be reset on the non-PDC machines.

All in all, my PDC seems to have amnesia and doesn't seem to remember that it's the PDC.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 8:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

What does the machine in question report within its event log?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

My Dcdiag output shows the following error:

#
Starting test: KnowsOfRoleHolders
   Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
   [STF2] LDAP bind failed with error 8341, A directory service error has occurred..
   Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
   Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
   Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
   . STF1 failed test KnowsOfRoleHolders
Starting test: RidManager
   . STF1 failed test RidManager
Starting test: frsevent
   There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
   . STF1 failed test frsevent
Starting test: FsmoCheck
   Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
   A Primary Domain Controller could not be located.
   The server holding the PDC role is down.
   . domain failed test FsmoCheck
#

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 |
+--+

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error in PDC Operations Master

Hi,

My PDC just started acting up and is showing an error in the PDC box under Operations Master. The only recent change that I can think of to the server was I uninstalled and re-installed the Certificate Authority 3 or 4 times, which was installed on the PDC.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] Error in PDC Operations Master
1. Number of DCs/Domain/Sites
- 3 Sites - Site A has DC1 and DC2 - Site B DC3 - Site C DC4

2. OS version of DCs
- All DCs are running Windows 2003 Server Standard

3. Are the remaining DCs replicating successfully?
- According to DCdiag they all passed replications
- They do all show in the DCdiag the following:

DC=domain,DC=ewu,DC=edu
Last replication recieved from DC2 at 2005-03-23 02:00:40.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another, more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. not replicating. Before proceeding, can you give me some more info:

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
- from DC1 it shows ERROR for RID and PDC, shows DC1 in Infrastructure
- from DC2 it shows ERROR for PDC, shows DC2 for RID, DC1 for Infrastructure

So neither DC1 nor DC2 knows who the PDC is.
RE: [ActiveDir] Error in PDC Operations Master
That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, clean up its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
- 3 Sites - Site A has DC1 and DC2 - Site B DC3 - Site C DC4

2. OS version of DCs
- All DCs are running Windows 2003 Server Standard

3. Are the remaining DCs replicating successfully?
- According to DCdiag they all passed replications
- They do all show in the DCdiag the following:

DC=domain,DC=ewu,DC=edu
Last replication recieved from DC2 at 2005-03-23 02:00:40.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another, more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. not replicating. Before proceeding, can you give me some more info:

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?
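The decision between the two choices above hinges on one number: how far each partner's last successful replication lies beyond the tombstone lifetime. The following is an added PowerShell example, not code from the thread; it assumes the ActiveDirectory RSAT module for the live query, and the sample partner data is constructed from the dates quoted in this thread.

```powershell
# Added example (not from the thread): flag replication partners whose last
# successful inbound replication is older than the tombstone lifetime (TSL).
# A partner past TSL should not simply be re-enabled (Choice 1 risks lingering
# objects); it is a candidate for forced demotion, metadata cleanup and role seizure.

function Get-TombstoneLifetimeDays {
    # Reads tombstoneLifetime from the configuration partition. Assumes the
    # ActiveDirectory module (RSAT). When the attribute is unset, AD applies a
    # 60-day default, which is the value in this thread's dcdiag output.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60
}

function Test-ReplicationLatency {
    # $Partners: objects with Partner, Partition and LastReplicationSuccess,
    # the shape Get-ADReplicationPartnerMetadata returns.
    param(
        [Parameter(Mandatory)] [object[]] $Partners,
        [int] $TombstoneLifetimeDays = 60,
        [datetime] $Now = (Get-Date)
    )
    foreach ($p in $Partners) {
        $age = ($Now - $p.LastReplicationSuccess).TotalDays
        $action = if ($age -gt $TombstoneLifetimeDays) {
            'Beyond TSL: force-demote, clean up metadata, seize its roles; do not re-enable replication'
        } elseif ($age -gt ($TombstoneLifetimeDays / 2)) {
            'Fix replication now: more than half the tombstone lifetime has elapsed'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Partner     = $p.Partner
            Partition   = $p.Partition
            LastSuccess = $p.LastReplicationSuccess
            LatencyDays = [math]::Round($age, 1)
            BeyondTSL   = ($age -gt $TombstoneLifetimeDays)
            Action      = $action
        }
    }
}

# Constructed sample reproducing the thread: checked on 27 May 2005, DC2's last
# successful replication into DC1 was 23 Mar 2005 (about 65 days, past the 60-day TSL).
# DC3 is a healthy partner added for contrast.
$sample = @(
    [pscustomobject]@{ Partner = 'DC2'; Partition = 'DC=domain,DC=ewu,DC=edu'
                       LastReplicationSuccess = [datetime]'2005-03-23 02:00:40' }
    [pscustomobject]@{ Partner = 'DC3'; Partition = 'DC=domain,DC=ewu,DC=edu'
                       LastReplicationSuccess = [datetime]'2005-05-27 13:00:00' }
)
Test-ReplicationLatency -Partners $sample -TombstoneLifetimeDays 60 -Now ([datetime]'2005-05-27 15:08:00') |
    Format-Table -AutoSize

# Live use on a domain-joined admin host (assumption: RSAT installed, run as a DC-admin):
# $tsl  = Get-TombstoneLifetimeDays
# $meta = Get-ADReplicationPartnerMetadata -Target (Get-ADDomainController).HostName -Scope Server
# Test-ReplicationLatency -Partners $meta -TombstoneLifetimeDays $tsl
```

In the sample, DC2 reports BeyondTSL = True with a latency of about 65.5 days, the same condition dcdiag warned about.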
RE: [ActiveDir] Error in PDC Operations Master
Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, clean up its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
- 3 Sites - Site A has DC1 and DC2 - Site B DC3 - Site C DC4

2. OS version of DCs
- All DCs are running Windows 2003 Server Standard

3. Are the remaining DCs replicating successfully?
- According to DCdiag they all passed replications
- They do all show in the DCdiag the following:

DC=domain,DC=ewu,DC=edu
Last replication recieved from DC2 at 2005-03-23 02:00:40.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
RE: [ActiveDir] Error in PDC Operations Master
When you are complete with the /forceremoval of this errant DC and have performed the metadata cleanup on one of the other DCs, you should be able to seize the PDC Emulator role using the GUI or NTDSUtil. After that's all done, just ensure that the changes have replicated around... then you can put the PDC on another server if you like (via a transfer of the role).

I hope that helps! Have a great night / weekend!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, clean up its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt
RE: [ActiveDir] Error in PDC Operations Master
Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC, but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, clean up its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
- 3 Sites - Site A has DC1 and DC2 - Site B DC3 - Site C DC4
RE: [ActiveDir] Error
Thanks, those worked.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 7:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error

Any luck with userenv.log or a manual gpupdate /force? Check out GPMC events (gpresult for that computer) to check if the GPO is actually applying. There's a KB on gigabit cards and GPO, not sure if this is the same events you are getting:

http://support.microsoft.com/default.aspx?scid=kb;en-us;326152
http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, April 08, 2005 5:56 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Error

I have heard that error connected to a corrupt computer account on the network, with the resolution being to join it to a workgroup, reboot, then rejoin it to the domain. Is that one of the things you tried?

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error

I keep getting this on a computer. Windows XP SP2

Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.

Any ideas? I have already tried so much.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Error
I have heard that error connected to a corrupt computer account on the network, with the resolution being to join it to a workgroup, reboot, then rejoin it to the domain. Is that one of the things you tried?

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error

I keep getting this on a computer. Windows XP SP2

Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.

Any ideas? I have already tried so much.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Error
Tried that and it did not work.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Thursday, April 07, 2005 5:56 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Error

I have heard that error connected to a corrupt computer account on the network, with the resolution being to join it to a workgroup, reboot, then rejoin it to the domain. Is that one of the things you tried?

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error

I keep getting this on a computer. Windows XP SP2

Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.

Any ideas? I have already tried so much.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Error
Did you try removing the computer account from the Active Directory OU that it resides in and synching the Active Directory controllers before rejoining the workstation to the domain? If not, you may want to try this again.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, April 07, 2005 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error

Tried that and it did not work.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Thursday, April 07, 2005 5:56 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Error

I have heard that error connected to a corrupt computer account on the network, with the resolution being to join it to a workgroup, reboot, then rejoin it to the domain. Is that one of the things you tried?

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error

I keep getting this on a computer. Windows XP SP2

Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.

Any ideas? I have already tried so much.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Error
Any luck with userenv.log or a manual gpupdate /force? Check out the GPMC events (gpresult for that computer) to check if the GPO is actually applying. There's a KB on gigabit cards and GPO; not sure if this is the same events you are getting:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326152
http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, April 08, 2005 5:56 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Error

I have heard that error connected to a corrupt computer account on the network, with the resolution being to join it to a workgroup, reboot, then rejoin it to the domain. Is that one of the things you tried?

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error

I keep getting this on a computer. Windows XP SP2

Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.

Any ideas? I have already tried so much.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
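The thread above never shows what Freddy's suggestion looks like in practice. The following PowerShell is an added example, not code from any of the list posts: it turns on verbose userenv logging on a Windows XP / Server 2003 client (the UserEnvDebugLevel value from Microsoft KB 221833), forces a full policy refresh so the "cannot determine the user or computer name" abort is reproduced, prints the computer-scope RSoP, and then pulls the failure lines out of userenv.log. The search pattern and the line count are assumptions; adjust them to what your log shows.

```powershell
# Added example (not from the list posts). Run in an elevated PowerShell session
# on the affected XP / Server 2003 machine. On Vista and later userenv.log no
# longer exists; use the Group Policy operational event log instead.

$diag = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$log  = Join-Path $env:windir 'Debug\UserMode\userenv.log'

# 0x30002 = verbose logging of computer and user policy processing (KB 221833).
if (-not (Test-Path $diag)) { New-Item -Path $diag -Force | Out-Null }
Set-ItemProperty -Path $diag -Name 'UserEnvDebugLevel' -Value 0x30002 -Type DWord

# A forced refresh reapplies every GPO, not just changed ones, so the failing
# step is written to the log even if nothing changed since the last refresh.
gpupdate /force | Out-Null

# Computer-scope RSoP: which GPOs the machine thinks applied and which were denied.
gpresult /scope computer /v

# Keep only the lines that explain the abort. The function name that userenv.log
# prints on the failing line (the pattern below is an assumption) tells you whether
# name resolution, the DC lookup or the GPO read failed.
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'failed|error' |
        Select-Object -Last 40 |
        ForEach-Object { $_.Line }
}

# Verbose logging is chatty on every logon; switch it off again when done.
Remove-ItemProperty -Path $diag -Name 'UserEnvDebugLevel' -ErrorAction SilentlyContinue
```

The log is more useful than the event because it records the Win32 error code behind the "internal error" text, which is what separates a DNS/name-resolution problem from a network-not-ready problem of the kind the two KB articles describe.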
RE: [ActiveDir] Error with group policy
Return Receipt: Your "RE: [ActiveDir] Error with group policy" document was received by Lucia Washaya/UNAMSIL at 28/10/2004 08:23:06 GMT.
RE: [ActiveDir] Error with group policy
Hi Rutherford,

Thanks for your response. I am an admin on the domain. The Epo server is where the antivirus sits, like an agent that updates the antivirus on client computers. I await your further response.
RE: [ActiveDir] Error with group policy
Laide,

I had the same error happening to me only a short time ago. The posts and responses to this are at the following link:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg20481.html

Be sure to read all the information sent through on this page to get a feel for what was being said. My last post on this states some of the problems I had after doing what I finally did.

Further to the last post I did in the above link: some services would not start as they did not have the appropriate right to start, even if I was the administrator. I had to change the service Logon to be a Local System Account, save, and then change it back to be This Account and select the domain's admin account. This then added the administrator to the relevant parts of group policy so that the Admin had the rights to do specific functionality. This also happened with some other users that had to be added to specific places in the GPO for services to work.

I also seriously recommend consulting Microsoft about this. There is so much that can go wrong, and I was lucky that I am managing a small company with very few activities running through group policy.

Rodney

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of laide adepoju
Sent: Wednesday, 27 October 2004 9:45 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Error with group policy

Hello,

I am a new subscriber. Please, I would like to get a step-by-step procedure for resolving the problem with my group policy. Whenever I click on Domain policy security or the group policy on my domain controller I get a message: "Failed to open group policy. You may not have appropriate rights." Please help me out. Thank you very much.

Also, no other systems on the network could access my epo server, with the error message: "epo server not accessible. You may not have permission to access this resource."

I eagerly await your prompt response to these issues.

Laide Adepoju
RE: [ActiveDir] Error message I haven't seen before
I have definitely seen this error message when two machines were built with the same image and nothing was used to change the SID before joining the domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Wednesday, March 03, 2004 12:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message I haven't seen before

Are you using the same image file for both machines?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, March 03, 2004 11:14 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Error message I haven't seen before

Howdy all,

After joining a Windows Server 2003 box to a new Windows Server 2003 AD forest (only one DC), when I try to log in on the box using domain admin credentials, I get the following error message:

"The system cannot log you on due to the following error: The name or security ID (SID) of the domain specified is inconsistent with the trust information for that domain. Please try again or consult your system administrator."

Both machines are running as virtual servers on the same box using the latest Virtual Server code from Microsoft. I'll run this up through the usual beta support channels, but I don't think this is related to VS.

Any ideas what the error indicates?

-gil
RE: [ActiveDir] Error message I haven't seen before
Sounds like a rewording of "The computer account for this computer in this domain is invalid", just like "Bad command or file name" became "'command' is not recognized as an internal or external command, operable program or batch file."

Raymond

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, March 03, 2004 9:14 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Error message I haven't seen before

Howdy all,

After joining a Windows Server 2003 box to a new Windows Server 2003 AD forest (only one DC), when I try to log in on the box using domain admin credentials, I get the following error message:

The system cannot log you on due to the following error: The name or security ID (SID) of the domain specified is inconsistent with the trust information for that domain. Please try again or consult your system administrator.

Both machines are running as virtual servers on the same box using the latest Virtual Server code from Microsoft. I'll run this up through the usual beta support channels, but I don't think this is related to VS.

Any ideas what the error indicates?

-gil
RE: [ActiveDir] Error message I haven't seen before
Yep, I copied the images from a single non-domain-member image. I bet you're right.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Wednesday, March 03, 2004 10:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message I haven't seen before

Yes. You have to change the SID using any third party utility.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lin Lancaster
Sent: Wednesday, March 03, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message I haven't seen before

I have definitely seen this error message when two machines were built with the same image and nothing was used to change the SID before joining the domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Wednesday, March 03, 2004 12:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message I haven't seen before

Are you using the same image file for both machines?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, March 03, 2004 11:14 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Error message I haven't seen before

Howdy all,

After joining a Windows Server 2003 box to a new Windows Server 2003 AD forest (only one DC), when I try to log in on the box using domain admin credentials, I get the following error message:

"The system cannot log you on due to the following error: The name or security ID (SID) of the domain specified is inconsistent with the trust information for that domain. Please try again or consult your system administrator."

Both machines are running as virtual servers on the same box using the latest Virtual Server code from Microsoft. I'll run this up through the usual beta support channels, but I don't think this is related to VS.

Any ideas what the error indicates?

-gil
RE: [ActiveDir] Error message I haven't seen before
Did you use Sysprep or anything similar (GHOSTWALKER) on the restore?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Wednesday, March 03, 2004 12:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message I haven't seen before

Sounds like a rewording of "The computer account for this computer in this domain is invalid", just like "Bad command or file name" became "'command' is not recognized as an internal or external command, operable program or batch file."

Raymond

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, March 03, 2004 9:14 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Error message I haven't seen before

Howdy all,

After joining a Windows Server 2003 box to a new Windows Server 2003 AD forest (only one DC), when I try to log in on the box using domain admin credentials, I get the following error message:

The system cannot log you on due to the following error: The name or security ID (SID) of the domain specified is inconsistent with the trust information for that domain. Please try again or consult your system administrator.

Both machines are running as virtual servers on the same box using the latest Virtual Server code from Microsoft. I'll run this up through the usual beta support channels, but I don't think this is related to VS.

Any ideas what the error indicates?

-gil
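The thread above attributes the logon error to two machines cloned from one image without a SID change. The following PowerShell is an added example, not code from any of the list posts: it checks a list of hosts for that condition before they are joined. The machine SID is the prefix of every local account SID (everything before the final relative identifier), so reading one local account per host over WMI and comparing the prefixes finds images that were never re-SIDed. The host names in `$Hosts` are placeholders; the function and variable names are this example's own.

```powershell
# Added example (not from the list posts). Requires WMI/DCOM access to the hosts
# and an account that is a local administrator on each of them.

function Get-MachineSid {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # Any local account will do: LocalAccount=TRUE excludes domain accounts that
    # Win32_UserAccount would otherwise enumerate on a domain member.
    $acct = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
                -Filter "LocalAccount = TRUE" -ErrorAction Stop |
            Select-Object -First 1
    if (-not $acct) { throw "no local account visible on $ComputerName" }
    # Strip the RID: S-1-5-21-a-b-c-500 -> S-1-5-21-a-b-c (the machine SID).
    return ($acct.SID -replace '-\d+$', '')
}

function Find-DuplicateMachineSids {
    param([string[]]$Hosts)
    $results = foreach ($h in $Hosts) {
        try {
            New-Object PSObject -Property @{
                Host       = $h
                MachineSid = Get-MachineSid -ComputerName $h
            }
        } catch {
            # A host that cannot be queried is reported, not silently skipped.
            Write-Warning ("{0}: {1}" -f $h, $_.Exception.Message)
        }
    }
    # A machine SID seen on more than one host means those hosts came from the
    # same image without Sysprep (or an equivalent) regenerating the SID.
    $results | Group-Object -Property MachineSid |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                MachineSid = $_.Name
                Hosts      = ($_.Group | ForEach-Object { $_.Host }) -join ', '
            }
        }
}

# Usage (host names are placeholders):
$Hosts = 'SERVER01', 'SERVER02', 'SERVER03'
Find-DuplicateMachineSids -Hosts $Hosts
```

An empty result means every queried host has a distinct machine SID. The supported fix for a duplicate is to rebuild the clone from a Sysprep-generalized image rather than to re-SID a machine that has already been joined.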
RE: [ActiveDir] error 8418, schema mismatch on windows 2003 AD
http://support.microsoft.com/default.aspx?scid=kb;[ln];825782

I would apply the hotfix to the 2003 DCs that have the problems, and monitor for the event ID in the directory logs.

Todd

From: Pararajasingam,Anton [mailto:[EMAIL PROTECTED]
Sent: Friday, January 16, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] error 8418, schema mismatch on windows 2003 AD

Hey all,

I have just tried to do a forest prep in the lab, which contains two trees (domains) in the forest. The forest prep process was fine, but I am getting an 8418 "The replication operation failed because of a schema mismatch between the servers involved" on the PDC emulator in the tree (which is not the forest owner!). Apparently there is a hotfix available from MS! But did any of you guys experience this problem? If so, please tell me what you did to overcome it!

anton
RE: [ActiveDir] Error message when attempting to modify the AD Schema
Went through the Q article and was already doing everything as prescribed; still couldn't get the schema updated. Turned out that in the test environment there was a child domain that was never DCPROMO'd out; the server was just rebuilt. Hence, the schema update was trying to update that AD also, yet could not contact the domain controller for the child domain (as it didn't exist). After using ADSIEdit and NTDSUtil to get rid of the child domain, the update worked perfectly.

Thanks to all for their input!

Jeff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, June 08, 2003 4:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message when attempting to modify the AD Schema

Sounds like you're on the right track. To enable writes to the schema, have a look at the following article.
http://support.microsoft.com/?kbid=285172

BTW, it is good practice to keep the membership of the Schema Admins group empty and only populate it when you need to. This prevents any unintentional updates from, for example, 3rd party applications.

Have you considered using VMWare for testing your schema updates? The snapshot feature in version 4 is great as it allows you to revert to a saved version if something goes awry with your update.

Tony

-- Original Message --
From: Jeffrey Dubyn [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Sat, 07 Jun 2003 19:42:27 -0400

These are very good points; it is being done on a workstation, not the server that is the Schema Master. The user is part of the Enterprise Admin group, but I don't think the script changes the schema to read-write first. I'll let you know how I make out on Monday.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, June 07, 2003 2:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message when attempting to modify the AD Schema

Is the schema addition / expansion being done on the schema master, and, more importantly, have you enabled writes to the schema? By default, Enterprise Admin and members of that group are the only SPs that have permissions to the schema. Secondly, by default the schema is read-only. It must be changed to a read-write status.

It's not absolutely necessary to do your schema work on the master, but it does prevent potential conflicts and errors that you would otherwise not see. And many applications DO REQUIRE the expansion be done on the master.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Saturday, June 07, 2003 11:01 AM
To: [EMAIL PROTECTED]

Working in a test Windows 2000 Active Directory environment. In order to utilize a 3rd party application, I have to modify the Active Directory schema. Anyone have any idea what this error means?

ldap_add: DSA is busy
ldap_add: additional info: 20AE: SvcErr: DSID-030A05EC, problem 5001 (BUSY), data 0

The entire environment is only being used for this test, so there is no load on any of the systems, hence I can't see what is causing it to be busy. Unfortunately, I can't seem to find any documentation on the error.

Thanks!
RE: [ActiveDir] Error message when attempting to modify the AD Schema
Sounds like you're on the right track. To enable writes to the schema, have a look at the following article.
http://support.microsoft.com/?kbid=285172

BTW, it is good practice to keep the membership of the Schema Admins group empty and only populate it when you need to. This prevents any unintentional updates from, for example, 3rd party applications.

Have you considered using VMWare for testing your schema updates? The snapshot feature in version 4 is great as it allows you to revert to a saved version if something goes awry with your update.

Tony

-- Original Message --
From: Jeffrey Dubyn [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Sat, 07 Jun 2003 19:42:27 -0400

These are very good points; it is being done on a workstation, not the server that is the Schema Master. The user is part of the Enterprise Admin group, but I don't think the script changes the schema to read-write first. I'll let you know how I make out on Monday.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, June 07, 2003 2:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message when attempting to modify the AD Schema

Is the schema addition / expansion being done on the schema master, and, more importantly, have you enabled writes to the schema? By default, Enterprise Admin and members of that group are the only SPs that have permissions to the schema. Secondly, by default the schema is read-only. It must be changed to a read-write status.

It's not absolutely necessary to do your schema work on the master, but it does prevent potential conflicts and errors that you would otherwise not see. And many applications DO REQUIRE the expansion be done on the master.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Saturday, June 07, 2003 11:01 AM
To: [EMAIL PROTECTED]

Working in a test Windows 2000 Active Directory environment. In order to utilize a 3rd party application, I have to modify the Active Directory schema. Anyone have any idea what this error means?

ldap_add: DSA is busy
ldap_add: additional info: 20AE: SvcErr: DSID-030A05EC, problem 5001 (BUSY), data 0

The entire environment is only being used for this test, so there is no load on any of the systems, hence I can't see what is causing it to be busy. Unfortunately, I can't seem to find any documentation on the error.

Thanks!
RE: [ActiveDir] Error message when attempting to modify the AD Schema
Is there by chance any other schema modifications occurring at the same time?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Saturday, June 07, 2003 12:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Error message when attempting to modify the AD Schema

Working in a test Windows 2000 Active Directory environment. In order to utilize a 3rd party application, I have to modify the Active Directory schema. Anyone have any idea what this error means?

ldap_add: DSA is busy
ldap_add: additional info: 20AE: SvcErr: DSID-030A05EC, problem 5001 (BUSY), data 0

The entire environment is only being used for this test, so there is no load on any of the systems, hence I can't see what is causing it to be busy. Unfortunately, I can't seem to find any documentation on the error.

Thanks!
RE: [ActiveDir] Error message when attempting to modify the AD Schema
Good thought, but there is no other activity going on at the same time.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh
Sent: Saturday, June 07, 2003 1:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message when attempting to modify the AD Schema

Is there by chance any other schema modifications occurring at the same time?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Saturday, June 07, 2003 12:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Error message when attempting to modify the AD Schema

Working in a test Windows 2000 Active Directory environment. In order to utilize a 3rd party application, I have to modify the Active Directory schema. Anyone have any idea what this error means?

ldap_add: DSA is busy
ldap_add: additional info: 20AE: SvcErr: DSID-030A05EC, problem 5001 (BUSY), data 0

The entire environment is only being used for this test, so there is no load on any of the systems, hence I can't see what is causing it to be busy. Unfortunately, I can't seem to find any documentation on the error.

Thanks!
RE: [ActiveDir] Error message when attempting to modify the AD Schema
These are very good points; it is being done on a workstation, not the server that is the Schema Master. The user is part of the Enterprise Admin group, but I don't think the script changes the schema to read-write first. I'll let you know how I make out on Monday.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, June 07, 2003 2:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message when attempting to modify the AD Schema

Is the schema addition / expansion being done on the schema master, and, more importantly, have you enabled writes to the schema? By default, Enterprise Admin and members of that group are the only SPs that have permissions to the schema. Secondly, by default the schema is read-only. It must be changed to a read-write status.

It's not absolutely necessary to do your schema work on the master, but it does prevent potential conflicts and errors that you would otherwise not see. And many applications DO REQUIRE the expansion be done on the master.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Saturday, June 07, 2003 11:01 AM
To: [EMAIL PROTECTED]

Working in a test Windows 2000 Active Directory environment. In order to utilize a 3rd party application, I have to modify the Active Directory schema. Anyone have any idea what this error means?

ldap_add: DSA is busy
ldap_add: additional info: 20AE: SvcErr: DSID-030A05EC, problem 5001 (BUSY), data 0

The entire environment is only being used for this test, so there is no load on any of the systems, hence I can't see what is causing it to be busy. Unfortunately, I can't seem to find any documentation on the error.

Thanks!
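The schema thread above ends with three lessons: do the extension against the Schema Master, make sure the account really holds schema rights (and empty Schema Admins again afterwards, as Tony recommends), and, the actual root cause, make sure every domain in the forest still has a reachable domain controller, since an orphaned child domain left the DSA "busy" until its metadata was cleaned up. The following PowerShell is an added pre-flight check written for this page, not code from any of the list posts. It uses the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and WinRM to the Schema Master; `$ExtensionAccount` and the output wording are placeholders. The "Schema Update Allowed" registry value is the Windows 2000 flag from KB 285172 that Tony links to; Windows Server 2003 and later ignore it.

```powershell
# Added example (not from the list posts). Read-only: it reports, it changes nothing.
Import-Module ActiveDirectory

$forest           = Get-ADForest
$schemaMaster     = $forest.SchemaMaster
$ExtensionAccount = 'CONTOSO\schema.update.svc'   # placeholder: the account running ldifde

"Schema Master: $schemaMaster"

# 1. Every domain in the forest must have a DC that answers, otherwise a
#    forest-wide schema change stalls on the domain nobody can reach. A domain
#    listed here with no reachable DC is a candidate for NTDSUtil metadata cleanup.
foreach ($domain in $forest.Domains) {
    try {
        $dc = Get-ADDomainController -Discover -DomainName $domain -ErrorAction Stop
        "Domain $domain : DC reachable ($($dc.HostName))"
    } catch {
        Write-Warning "Domain $domain : no domain controller could be located - orphaned?"
    }
}

# 2. Schema Admins lives in the forest root domain, so query that domain explicitly.
#    The list is printed so the group can be emptied again after the update.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
                Select-Object -ExpandProperty SamAccountName
"Schema Admins members: $(if ($schemaAdmins) { $schemaAdmins -join ', ' } else { '(empty)' })"

$sam = $ExtensionAccount.Split('\')[-1]
if ($schemaAdmins -contains $sam) {
    "$ExtensionAccount is in Schema Admins; remove it again once the extension is done."
} else {
    "$ExtensionAccount is NOT in Schema Admins; the ldap_add will be refused until it is."
}

# 3. Windows 2000 DCs refuse schema writes unless this DWORD is 1 (KB 285172).
#    On Windows Server 2003 and later the value is ignored, so "not set" is normal.
$flag = Invoke-Command -ComputerName $schemaMaster -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'Schema Update Allowed' -ErrorAction SilentlyContinue).'Schema Update Allowed'
}
if ($null -eq $flag) { "Schema Update Allowed: not set (fine on Windows Server 2003 and later)" }
else                 { "Schema Update Allowed: $flag" }
```

Run it from the workstation that will perform the extension; the domain-reachability loop is the part that would have surfaced Jeff's orphaned child domain before the first ldap_add was attempted.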
RE: [ActiveDir] Error in Event Log
Yeah, that does not help.

Joshua Morgan
PH: (864) 250-1350 Ext 133
[EMAIL PROTECTED]
http://www.profit-lab.com
http://ncontrol.info

-Original Message-
From: Eric Yeoh [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 30, 2002 5:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Error in Event Log

Try rebooting your XP box. It couldn't find the GPO. Worked for me!!!

ERIC

- Original Message -
From: Morgan, Joshua [EMAIL PROTECTED]
Date: Friday, June 28, 2002 9:26 pm
Subject: [ActiveDir] Error in Event Log

Has anyone seen these errors? I recently rebooted one of my DCs and now I'm seeing this on my Windows XP machines.

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ENTERPRISE,DC=PROFIT-LAB,DC=net. The file must be present at the location \\ENTERPRISE.PROFIT-LAB.net\sysvol\ENTERPRISE.PROFIT-LAB.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini. (Access is denied. ). Group Policy processing aborted.

Joshua Morgan
PROFITLAB
Senior Network Engineer
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]
http://www.profit-lab.com
http://ncontrol.info

The greatest glory is not in never failing, but in rising up every time we fall. -- Confucius
Re: [ActiveDir] Error in Event Log
Try rebooting your XP box. It couldn't find the GPO. Worked for me!!!

ERIC

- Original Message -
From: Morgan, Joshua [EMAIL PROTECTED]
Date: Friday, June 28, 2002 9:26 pm
Subject: [ActiveDir] Error in Event Log

Has anyone seen these errors? I recently rebooted one of my DCs and now I'm seeing this on my Windows XP machines.

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ENTERPRISE,DC=PROFIT-LAB,DC=net. The file must be present at the location \\ENTERPRISE.PROFIT-LAB.net\sysvol\ENTERPRISE.PROFIT-LAB.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini. (Access is denied. ). Group Policy processing aborted.

Joshua Morgan
PROFITLAB
Senior Network Engineer
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]
http://www.profit-lab.com
http://ncontrol.info

The greatest glory is not in never failing, but in rising up every time we fall. -- Confucius
RE: [ActiveDir] Error message database site?
Wade,

There are three that are a 'must have':
http://support.microsoft.com
http://www.microsoft.com/technet
http://www.eventid.net -- I suspect this is the one that you're looking for.

Good luck!

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000

Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wade Guidry
Sent: Wednesday, April 17, 2002 1:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Error message database site?

Someone on this list recently (within the last several weeks) provided a link to a web site that contained a database of Microsoft error messages and descriptions. I found the site interesting, but have since lost the link. Sorry I can't remember more about the site. But if anyone knows the site I'm talking about, I'd appreciate it if you posted the URL again.

Thanks.

Wade Guidry
Re: [ActiveDir] Error message database site?
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/errlist_7oz7.asp

At 11:02 AM 4/17/2002 -0700, you wrote:

Someone on this list recently (within the last several weeks) provided a link to a web site that contained a database of Microsoft error messages and descriptions. I found the site interesting, but have since lost the link. Sorry I can't remember more about the site. But if anyone knows the site I'm talking about, I'd appreciate it if you posted the URL again.

Thanks.

Wade Guidry

David D. Lee
Computer Resource Specialist II
Office of Undergraduate Admissions
[EMAIL PROTECTED]
2-6417
RE: [ActiveDir] Error message database site?
Catching up, but ... search temporarily unavailable. There is a download file:
http://www.microsoft.com/windows2000/techinfo/reskit/ErrorandEventMessages/default.asp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wade Guidry
Sent: Wednesday, April 17, 2002 7:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Error message database site?

Someone on this list recently (within the last several weeks) provided a link to a web site that contained a database of Microsoft error messages and descriptions. I found the site interesting, but have since lost the link. Sorry I can't remember more about the site. But if anyone knows the site I'm talking about, I'd appreciate it if you posted the URL again.

Thanks.

Wade Guidry
RE: [ActiveDir] Error message database site?
www.eventid.net

-Original Message-
From: Wade Guidry [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 2:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Error message database site?

Someone on this list recently (within the last several weeks) provided a link to a web site that contained a database of Microsoft error messages and descriptions. I found the site interesting, but have since lost the link. Sorry I can't remember more about the site. But if anyone knows the site I'm talking about, I'd appreciate it if you posted the URL again.

Thanks.

Wade Guidry